apache-rocketmq-broker-unauth: Apache Rocketmq Broker - Unauthenticated Access

id: apache-rocketmq-broker-unauth

info:
  name: Apache Rocketmq Broker - Unauthenticated Access
  author: j4vaovo
  severity: high
  description: |
    Apache Rocketmq Unauthenticated Access were detected.
  reference:
    - https://rocketmq.apache.org/docs/bestPractice/03access
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"RocketMQ"
    fofa-query: protocol="rocketmq"
  tags: network,rocketmq,broker,apache,unauth,misconfig,tcp,vuln
tcp:
  - inputs:
      - data: "000000820000007e7b22636f6465223a3130352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a312c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3434312c226578744669656c6473223a7b22746f706963223a2254455354227d7d"
        type: hex

    host:
      - "{{Hostname}}"
    port: 10911
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        words:
          - serializeTypeCurrentRPC
          - JAVA
          - opaque
          - version
        condition: and

      - type: word
        words:
          - "HTTP"
          - "FTP"
          - "html"
        negative: true
# digest: 4b0a00483046022100b19a647da88632d81d2a76601b8b88d4638037caee69f096212cbd7fd3a0ced0022100b1ab2536ee2a8db4c5ed2755eff5fa9c9f04abe5043785a252817546abe2f671:922c64590222798bb761d5b6d8e72950