CVE-2023-46604


A vulnerability classified as critical was found in Apache ActiveMQ and the ActiveMQ Legacy OpenWire Module up to 5.15.15/5.16.6/5.17.5/5.18.2 (Application Server Software). This vulnerability affects unknown code in the OpenWire Protocol Handler component. Manipulation with unknown input leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502: the product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. It is known to affect confidentiality, integrity, and availability. The CVE description summarizes:

Three things are required to exploit this vulnerability:

  1. Network access
  2. A manipulated OpenWire command (used to instantiate an arbitrary class on the classpath with a String parameter)
  3. A class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter

The manipulated command (i.e. #2) can be sent by a client to a broker or from a broker to a client, so both are vulnerable.

ActiveMQ Classic Details

The ActiveMQ Classic broker ships with a handful of Spring dependencies, including org.springframework.context.support.ClassPathXmlApplicationContext, which is used to run Spring applications. This class is not only present on the broker, but is an extremely common client-side dependency as well. It has a constructor which takes a String, which can be an HTTP URL pointing to an XML application configuration file across the network.

The only known exploit of this vulnerability uses this ClassPathXmlApplicationContext to load a malicious XML application configuration file from somewhere on the network via HTTP. This malicious XML specifically defines the arbitrary code to be run on the machine with the vulnerability (i.e. broker or client).
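As an added defender-side check (not code from this page or from the ActiveMQ-RCE project), the script below inventories a broker's or client's lib/ directory for the two target-side preconditions described above: an ActiveMQ Classic version inside the affected ranges and the ClassPathXmlApplicationContext gadget class on the classpath. It assumes the fixed release on each branch is the patch after the listed upper bound (5.15.16, 5.16.7, 5.17.6, 5.18.3), that the version can be read from the activemq-client-*.jar file name, and it builds a constructed sample directory with stub jars for the demo.

```python
import os
import re
import tempfile
import zipfile

# Gadget class named on the page, as a jar entry path (standard Java layout).
GADGET_ENTRY = "org/springframework/context/support/ClassPathXmlApplicationContext.class"
# Highest affected patch level per branch, from the page. Assumption: the next
# patch release on each branch (5.15.16 / 5.16.7 / 5.17.6 / 5.18.3) is fixed.
AFFECTED_MAX = {(5, 15): 15, (5, 16): 6, (5, 17): 5, (5, 18): 2}


def parse_version(text):
    """Return (major, minor, patch) from a jar name or version banner, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True if this ActiveMQ Classic version falls inside the affected ranges."""
    major, minor, patch = version
    if (major, minor) in AFFECTED_MAX:
        return patch <= AFFECTED_MAX[(major, minor)]
    return (major, minor) < (5, 15)  # everything before 5.15.16 is affected


def scan_lib_dir(lib_dir):
    """Report the activemq-client version and every jar shipping the gadget class."""
    report = {"version": None, "gadget_jars": []}
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        if not name.endswith(".jar") or not zipfile.is_zipfile(path):
            continue
        if name.startswith("activemq-client-"):
            report["version"] = parse_version(name)
        with zipfile.ZipFile(path) as jar:
            if GADGET_ENTRY in jar.namelist():
                report["gadget_jars"].append(name)
    report["vulnerable_version"] = bool(report["version"]) and is_affected(report["version"])
    # The page's third precondition: a String-constructor gadget on the classpath.
    report["known_poc_applies"] = report["vulnerable_version"] and bool(report["gadget_jars"])
    return report


def demo():
    """Constructed sample lib/ directory (not a real broker): two stub jars."""
    lib = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(lib, "activemq-client-5.18.2.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(lib, "spring-context-sample.jar"), "w") as jar:
        jar.writestr(GADGET_ENTRY, b"\xca\xfe\xba\xbe")  # stub class bytes only
    return scan_lib_dir(lib)
```

Point scan_lib_dir at a real broker's lib/ (or a client's dependency directory) to get the same report for a deployed system.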

Exploit


An exploit is available online

┌──(kali㉿kali)-[~/archive/htb/labs/broker]
└─$ git clone https://github.com/X1r0z/ActiveMQ-RCE.git ; cd ActiveMQ-RCE

Downloading the exploit package to Kali

┌──(kali㉿kali)-[~/…/htb/labs/broker/ActiveMQ-RCE]
└─$ go build .

Compiling

┌──(kali㉿kali)-[~/…/htb/labs/broker/ActiveMQ-RCE]
└─$ ll
total 5.3M
4.0K drwxr-xr-x 3 kali kali 4.0K Dec 13 22:05 .
4.0K drwxr-xr-x 4 kali kali 4.0K Dec 13 20:06 ..
5.2M -rwxr-xr-x 1 kali kali 5.2M Dec 13 19:58 ActiveMQ-RCE
4.0K drwxr-xr-x 8 kali kali 4.0K Dec 13 19:58 .git
4.0K -rw-r--r-- 1 kali kali   29 Dec 13 19:58 go.mod
4.0K -rw-r--r-- 1 kali kali 2.0K Dec 13 19:58 main.go
4.0K -rw-r--r-- 1 kali kali  751 Dec 13 19:58 poc.xml
8.0K -rw-r--r-- 1 kali kali 5.4K Dec 13 19:58 README-en.md
8.0K -rw-r--r-- 1 kali kali 5.4K Dec 13 19:58 README.md

The compiled binary, ActiveMQ-RCE, is now available for use.