Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache APISIX Batch-Requests Plugin Authentication Bypass Leading to Remote Code Execution Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the batch-requests plugin of Apache APISIX, allowing attackers to bypass the IP restrictions on the Admin API. The vulnerability is present in versions 1.3 through 2.12.1. In a default configuration with the default API key, the flaw can be exploited to achieve remote code execution. Changing the admin key or the Admin API port reduces the impact, but a risk of bypassing IP restrictions on the data plane remains. The vulnerability arises because the batch-requests plugin is supposed to overwrite the client-supplied real-IP header with the actual remote address before forwarding the batched requests, but a bug allows that override to be bypassed.

Impact

Exploitation of this vulnerability bypasses authentication and grants unauthorized access to the Admin API. Because Apache APISIX 2.x introduced a feature that allows code execution via the Admin API, that access can be abused to execute arbitrary Lua code remotely.

Reproduction

To reproduce this vulnerability, first ensure that Apache APISIX is running with the default configuration, including the default API key, and that the batch-requests plugin is enabled. Once these conditions are met, the vulnerability can be exploited by sending a batch request that includes the 'X-Real-IP' header, which bypasses the IP restriction of the Admin API. This can be done with a tool such as Metasploit, which has a module specifically for this vulnerability; the module is configured with the target URL and with the local host and port for the reverse shell payload. After the batch request is sent, the Admin API can be accessed without the usual IP restrictions and the payload can be executed, resulting in remote code execution on the server.

Remediation

Users are advised to upgrade Apache APISIX to version 2.10.4 or 2.12.1, or to disable the batch-requests plugin in the configuration file.

Added: Mar 16, 2026, 8:39 PM
Updated: Mar 16, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          7.5
exploitability  6.7
remediation     8.3
relevance       0.0
threat          9.9
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.