-
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #476 from vulhub/activemq-cve-2022-41678
- Loading branch information
Showing
11 changed files
with
1,290 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| # Apache ActiveMQ Jolokia Authenticated Remote Code Execution (CVE-2022-41678) | ||
|
|
||
| [中文版本(Chinese version)](README.zh-cn.md) | ||
|
|
||
| Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more. | ||
|
|
||
| Apache ActiveMQ prior to 5.16.5, 5.17.3, there is a authenticated RCE exists in the Jolokia `/api/jolokia`. | ||
|
|
||
| References: | ||
|
|
||
| - <https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt> | ||
| - <https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/> | ||
|
|
||
| ## Vulnerable Environment | ||
|
|
||
| Execute following command to start a Apache ActiveMQ 5.17.3: | ||
|
|
||
| ``` | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| After server is started, open the `http://your-ip:8161/` and input username and password with `admin` and `admin`. Then you will see the index page of Apache ActiveMQ. | ||
|
|
||
| ## Exploit | ||
|
|
||
| Firstly, listing all avaiable MBeans in Apache ActiveMQ by `/api/jolokia/list`: | ||
|
|
||
| ``` | ||
| GET /api/jolokia/list HTTP/1.1 | ||
| Host: localhost:8161 | ||
| Accept-Encoding: gzip, deflate, br | ||
| Accept: */* | ||
| Accept-Language: en-US;q=0.9,en;q=0.8 | ||
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36 | ||
| Connection: close | ||
| Cache-Control: max-age=0 | ||
| Authorization: Basic YWRtaW46YWRtaW4= | ||
| Origin: http://localhost | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| There are 2 exploitable MBeans that are able to perform RCE in this list. | ||
|
|
||
| ## Method #1 | ||
|
|
||
| The first one is using the `org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean`, a MBean provided by Log4j2. | ||
|
|
||
| Attacker can use this MBean to update the Log4j configuration and write logs to arbitrary directories. | ||
|
|
||
| I prepared a [poc](poc.py) to reproduce the whole process: | ||
|
|
||
| ``` | ||
| python poc.py -u admin -p admin http://your-ip:8161 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Webshell is written to `/admin/shell.jsp` successfully: | ||
|
|
||
|  | ||
|
|
||
| This method is limited by version of ActiveMQ, since Log4j2 was introduced in Apache ActiveMQ 5.17.0. | ||
|
|
||
| ## Method #2 | ||
|
|
||
| The second one is using the `jdk.management.jfr.FlightRecorderMXBean` MBean. | ||
|
|
||
| FlightRecorder was introduced in OpenJDK 11, users are able to use FlightRecorderMXBean to create record and save it to a file. This feature is also can be used to write webshell. | ||
|
|
||
| Use [poc](poc.py) to reproduce the whole process: | ||
|
|
||
| ``` | ||
| python poc.py -u admin -p admin --exploit jfr http://localhost:8161 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Webshell is written to `/admin/shelljfr.jsp` successfully: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| # Apache ActiveMQ Jolokia 后台远程代码执行漏洞(CVE-2022-41678) | ||
|
|
||
| Apache ActiveMQ 是美国阿帕奇(Apache)软件基金会所研发的一套开源的消息中间件,它支持Java消息服务、集群、Spring Framework等。 | ||
|
|
||
| Apache ActiveMQ 在5.16.5, 5.17.3版本及以前,后台Jolokia存在一处任意文件写入导致的远程代码执行漏洞。 | ||
|
|
||
| 参考链接: | ||
|
|
||
| - <https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt> | ||
| - <https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/> | ||
|
|
||
| ## 漏洞环境 | ||
|
|
||
| 执行如下命令启动一个Apache ActiveMQ 5.17.3服务器: | ||
|
|
||
| ``` | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| 服务启动后,访问`http://your-ip:8161/`后输入账号密码`admin`和`admin`,即可成功登录后台。 | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 首先,访问`/api/jolokia/list`这个API可以查看当前服务器里所有的MBeans: | ||
|
|
||
| ``` | ||
| GET /api/jolokia/list HTTP/1.1 | ||
| Host: localhost:8161 | ||
| Accept-Encoding: gzip, deflate, br | ||
| Accept: */* | ||
| Accept-Language: en-US;q=0.9,en;q=0.8 | ||
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36 | ||
| Connection: close | ||
| Cache-Control: max-age=0 | ||
| Authorization: Basic YWRtaW46YWRtaW4= | ||
| Origin: http://localhost | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| 这其中有两个可以被用来执行任意代码。 | ||
|
|
||
| ## 方法1 | ||
|
|
||
| 第一个方法是使用`org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean`,这是由Log4j2提供的一个MBean。 | ||
|
|
||
| 攻击者使用这个MBean中的`setConfigText`操作可以更改Log4j的配置,进而将日志文件写入任意目录中。 | ||
|
|
||
| 使用[poc](poc.py)脚本来复现完整的过程: | ||
|
|
||
| ``` | ||
| python poc.py -u admin -p admin http://your-ip:8161 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Webshell被写入在`/admin/shell.jsp`文件中: | ||
|
|
||
|  | ||
|
|
||
| 这个方法受到ActiveMQ版本的限制,因为Log4j2是在5.17.0中才引入Apache ActiveMQ。 | ||
|
|
||
| ## 方法2 | ||
|
|
||
| 第二个可利用的Mbean是`jdk.management.jfr.FlightRecorderMXBean`。 | ||
|
|
||
| FlightRecorder是在OpenJDK 11中引入的特性,被用于记录Java虚拟机的运行事件。利用这个功能,攻击者可以将事件日志写入任意文件。 | ||
|
|
||
| 使用[poc](poc.py)脚本来复现完整的过程(使用`--exploit`参数指定使用的方法): | ||
|
|
||
| ``` | ||
| python poc.py -u admin -p admin --exploit jfr http://localhost:8161 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Webshell被写入在`/admin/shelljfr.jsp`文件中: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| version: '2' | ||
| services: | ||
| activemq: | ||
| image: vulhub/activemq:5.17.3 | ||
| ports: | ||
| - "61616:61616" | ||
| - "8161:8161" | ||
| - "5005:5005" |
Oops, something went wrong.