Apache RocketMQ update config RCE (CVE-2023-33246) #18082
```ruby
end

def check
  data = '{"code":105,"extFields":{"Signature":"/u5P/wZUbhjanu4LM/UzEdo2u2I=","topic":"TBW102","AccessKey":"rocketmq2"},"flag":0,"language":"JAVA","opaque":1,"serializeTypeCurrentRPC":"JSON","version":401}'
```
Would be interesting to understand where the Signature is from.
Per discussion on slack with @jheysel-r7 , I'm a little worried about pulling the broker from the version response. Mainly because it contains an array, and that array may (not sure, didn't check source code, just thinking) contain DNS names, and hosts other than the one we want to target. It returns an array, so no telling how many results you may have. What happens if the host you set in rhost(s) isn't in there? we def don't want to just hit ALL those IPs as they may be out of scope. While we were discussing, I wrote some pseudo code on how I'd go about pulling the port with a backup of the default port for the application. Posting here for posterity.
```ruby
'DisclosureDate' => '2023-05-23',
'Notes' => {
  'Stability' => [ CRASH_SAFE, ],
  'SideEffects' => [ ARTIFACTS_ON_DISK, ],
```
config_changes, so that's good news :)
@msjenkins-r7 test this please
I know this wasn't part of the original exploit, but is there a way to get the rocketmq config? Since we're changing to the RCE, it would be nice if we changed it back after exploitation, or worst case, at least print it for the user to set back.
Thanks @jheysel-r7 for this module! I just left a few comments for you to review when you got a chance.
documentation/modules/exploit/multi/http/apache_rocketmq_update_config.md
Good call @h00die. I've added the
I think CI test will fail until #18122 gets landed as this PR uses methods only present in #18122 |
Force-pushed cabddde to aae8ba3, then aae8ba3 to f1b5cd4.
Thanks @jheysel-r7! Everything looks good to me now. I tested against RocketMQ version V4.9.4 and it works great! I'll go ahead and land it. Example output
Release Notes

This adds an exploit module that leverages an RCE in Apache RocketMQ. Due to an access control issue, one can update the Broker's configuration file without authentication and obtain remote code execution in the context of the user running Apache RocketMQ. This vulnerability is identified as CVE-2023-33246.
This module exploits an RCE in Apache RocketMQ. Vulnerable RocketMQ instances leave a number of different components exposed on the extranet and are accessible without authentication. The components include the NameServer, Broker, and Controller. Using an API request to the Broker, one can update the Broker's configuration file. The request to update the Broker's configuration file is susceptible to command injection which enables a metasploit-framework user to obtain a meterpreter session in the context of the user running Apache RocketMQ.
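The Broker request this module abuses is an ordinary RocketMQ remoting frame carrying a JSON header like the one in the check above. As an added example, not code from this PR or from RocketMQ, here is a small Ruby parser that decodes such frames and flags unauthenticated UPDATE_BROKER_CONFIG requests, the traffic a defender would want alerted on a broker that is reachable without ACL. The frame layout (4-byte total length, then 1 byte serialize type plus 3 bytes header length, JSON header, body) and the request code values 25 and 26 are assumed from RocketMQ's RemotingCommand and RequestCode classes; only code 105 comes from the page's check request. Both sample frames are constructed here.

```ruby
require 'json'

# Added example (not from the Metasploit PR or RocketMQ): parse RocketMQ remoting
# frames and flag broker config updates. Frame layout and request codes other than
# 105 are assumptions about RocketMQ's RemotingCommand / RequestCode.
REQUEST_CODES = {
  25  => 'UPDATE_BROKER_CONFIG',   # assumed value
  26  => 'GET_BROKER_CONFIG',      # assumed value
  105 => 'GET_ROUTEINFO_BY_TOPIC'  # matches the check request on the page
}.freeze
SERIALIZE_JSON = 0 # assumed: serialize type byte 0 means JSON header

# Encode a frame: [total length][serialize type | header length][JSON header][body].
# The total length counts the second word plus header and body, not itself.
def build_frame(header, body = '')
  header_json = JSON.generate(header).b
  length_word = (SERIALIZE_JSON << 24) | (header_json.bytesize & 0xFFFFFF)
  [4 + header_json.bytesize + body.bytesize, length_word].pack('N2') + header_json + body.b
end

# Decode a frame; returns nil for truncated or non-JSON frames instead of raising.
def parse_frame(bytes)
  return nil if bytes.bytesize < 8
  total, length_word = bytes.unpack('N2')
  return nil unless (length_word >> 24) == SERIALIZE_JSON
  header_len = length_word & 0xFFFFFF
  return nil if bytes.bytesize < 4 + total || header_len > total - 4
  {
    header: JSON.parse(bytes.byteslice(8, header_len)),
    body: bytes.byteslice(8 + header_len, total - 4 - header_len)
  }
end

# Rate a parsed frame. Bit 0 of "flag" marks a response; an AccessKey in
# extFields shows the caller at least presented ACL credentials.
def classify(frame)
  h = frame[:header]
  code = h['code'].to_i
  response = (h['flag'].to_i & 1) == 1
  authenticated = (h['extFields'] || {}).key?('AccessKey')
  severity =
    if response then :info
    elsif code == 25 && !authenticated then :high   # config change with no credentials
    elsif code == 25 then :medium                   # config change, credentials present
    else :info
    end
  { code: code, name: REQUEST_CODES.fetch(code, "UNKNOWN_#{code}"),
    response: response, authenticated: authenticated,
    severity: severity, body: frame[:body] }
end

# Parse every frame and keep only the ones worth an alert.
def scan(frames)
  frames.filter_map { |f| (parsed = parse_frame(f)) && classify(parsed) }
        .select { |c| c[:severity] != :info }
end

# Constructed samples: the page's own check header (code 105) and a constructed,
# unauthenticated config-update request whose body is a harmless properties file.
SAMPLE_FRAMES = [
  build_frame(JSON.parse('{"code":105,"extFields":{"Signature":"/u5P/wZUbhjanu4LM/UzEdo2u2I=","topic":"TBW102","AccessKey":"rocketmq2"},"flag":0,"language":"JAVA","opaque":1,"serializeTypeCurrentRPC":"JSON","version":401}')),
  build_frame({ 'code' => 25, 'flag' => 0, 'language' => 'JAVA', 'opaque' => 2,
                'serializeTypeCurrentRPC' => 'JSON', 'version' => 401, 'extFields' => {} },
              "brokerName=broker-a\nlistenPort=10911\n")
].freeze

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_FRAMES).each do |a|
    puts "#{a[:severity]} #{a[:name]} authenticated=#{a[:authenticated]} body=#{a[:body].inspect}"
  end
end
```

Run directly, the route lookup from the check passes as informational because it only reads routing data, while the config update carries no AccessKey and is rated high. A real deployment would feed frames captured from the broker port into scan and would treat any UPDATE_BROKER_CONFIG from outside the admin network as a finding regardless of credentials.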
Verification Steps

1. `use exploit/multi/http/apache_rocketmq_update_config`
2. Set the `RHOST`, `LHOST` and `FETCH_SRVHOST` options.
3. Set `FETCH_FILENAME`, as its length is randomized and can push the payload over the size limit.
4. `exploit`