id: apache-rocketmq-broker-unauth

info:
  name: Apache Rocketmq Broker - Unauthenticated Access
  author: j4vaovo
  severity: high
  description: |
    Apache Rocketmq Unauthenticated Access were detected.
  reference:
    - https://rocketmq.apache.org/docs/bestPractice/03access
  metadata:
    fofa-query: protocol="rocketmq"
    max-request: 1
    shodan-query: title:"RocketMQ"
    verified: true
  tags: network,rocketmq,broker,apache,unauth,misconfig

tcp:
  - inputs:
      - data: "000000c9000000b17b22636f6465223a32352c226578744669656c6473223a7b224163636573734b6579223a22726f636b65746d7132222c225369676e6174757265223a222b7a6452645575617a6953516b4855557164727477673146386a6b3d227d2c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3433337d746573745f6b65793d746573745f76616c75650a0a"
        type: hex

    host:
      - "{{Hostname}}"
    port: 10911
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        words:
          - serializeTypeCurrentRPC
          - language
          - opaque
          - version
        condition: and

      - type: word
        words:
          - "HTTP"
          - "FTP"
        negative: true
# digest: 490a00463044022047caf8ef37a3c31f120635dab95c1e57db0a0c80a9f44a563f77e45b5fc9d4670220123bbc8168d521dc2e99cb0d03c60f343b294c98591a3d2b88de4b415479e505:922c64590222798bb761d5b6d8e72950