id: apache-rocketmq-broker-unauth

info:
  name: Apache Rocketmq Broker - Unauthenticated Access
  author: j4vaovo
  severity: high
  description: |
    Apache Rocketmq Unauthenticated Access were detected.
  reference:
    - https://rocketmq.apache.org/docs/bestPractice/03access
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"RocketMQ"
    fofa-query: protocol="rocketmq"
  tags: network,rocketmq,broker,apache,unauth,misconfig,tcp
tcp:
  - inputs:
      - data: "000000c9000000b17b22636f6465223a32352c226578744669656c6473223a7b224163636573734b6579223a22726f636b65746d7132222c225369676e6174757265223a222b7a6452645575617a6953516b4855557164727477673146386a6b3d227d2c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3433337d746573745f6b65793d746573745f76616c75650a0a"
        type: hex

    host:
      - "{{Hostname}}"
    port: 10911
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        words:
          - serializeTypeCurrentRPC
          - language
          - opaque
          - version
        condition: and

      - type: word
        words:
          - "HTTP"
          - "FTP"
        negative: true
# digest: 4a0a00473045022019d7526e23850396a8ae5cfdbbee2cc4cdf751218cba3451af4790386ef1c79f022100c8aa9052d552188fb6462a9fd419c149890c8b048108a5f77d05ed42b5d8674d:922c64590222798bb761d5b6d8e72950