Related vulnerability
Description
CVE-2023-50780: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ Artemis
Introduction
# CVE-2023-50780: Dangerous MBeans Accessible via Jolokia API in Apache ActiveMQ Artemis
By listing and inspecting the MBeans exposed by the Jolokia API at http://127.0.0.1:8161/console/jolokia, the following attack vectors have been identified:
- Arbitrary File Write using Log4J indirectly resulting in Remote Code Execution
- Arbitrary File Read using Log4J
- DoS using Artemis Broker MBeans
This vulnerability can be exploited by a local attacker who knows the basic authentication credentials used by the Artemis web interface.
**Note:** If the server is set with "--allow-anonymous", then any non-null user-password combination can be used to authenticate.
### Vendor Disclosure:
The vendor's disclosure for this vulnerability can be found [here](https://lists.apache.org/thread/63b78shqz312phsx7v1ryr7jv7bprg58).
### Requirements:
This vulnerability requires:
- Valid credentials for a user with the "admin" role (if authentication is required)
### Proof Of Concept:
As multiple attack vectors have been identified, you can find more details and the exploitation processes of interest in one or more of the following PDFs:
- The initial report that was sent to the vendor: [Apache Artemis - CVE-2023-50780 - Initial Report.pdf](https://github.com/mbadanoiu/CVE-2023-50780/blob/main/Apache%20Artemis%20-%20CVE-2023-50780%20-%20Initial%20Report.pdf). The RCE vector requires:
  - The ability to overwrite the "broker.xml" file as the user running the web server
  - Restarting the entire Artemis application in order for the "broker.xml" changes to take effect (although we can leverage the "forceFailover()" function to close the application, we will still require user interaction from an administrator in order to restart it)
- [Apache Artemis - CVE-2023-50780 - WAR + Restart Vector.pdf](https://github.com/mbadanoiu/CVE-2023-50780/blob/main/Apache%20Artemis%20-%20CVE-2023-50780%20-%20WAR%20%2B%20Restart%20Vector.pdf). The RCE vector requires:
  - The ability to overwrite one of the WAR files loaded by Artemis (e.g. "activemq-branding.war", "artemis-plugin.war" or "console.war") as the user running the web server
  - Restarting the embedded Jetty Webserver via the "restartEmbeddedWebServer()" function (no user interaction is required, as this function can be called by the attacker directly via the Artemis Broker MBean)
- [Apache Artemis - CVE-2023-50780 - JAR + jvmtiAgentLoad.pdf](https://github.com/mbadanoiu/CVE-2023-50780/blob/main/Apache%20Artemis%20-%20CVE-2023-50780%20-%20JAR%20%2B%20jvmtiAgentLoad.pdf). The RCE vector requires:
  - The ability to write files somewhere on the file system (e.g. "/tmp", "/dev/shm", "C:\Windows\Public", etc.) and to leverage Log4J to write an arbitrary JAR to that location
  - Loading the respective JAR and obtaining RCE via the "jvmtiAgentLoad([Ljava.lang.String;)" function
### Additional Resources:
[Blogpost](https://blog.pyn3rd.com/2022/11/15/A-New-Way-of-Jolokia-Remote-Code-Execution/) by [Xu "pyn3rd" Yuanzhen](https://github.com/pyn3rd) explaining how an arbitrary JAR write + Jolokia can be used to obtain RCE
### Timeline:
- This vulnerability was initially reported to security@apache.org on 14-Feb-2023
- Apache disclosed CVE-2023-50780 on 14-Oct-2024
- Publicly disclosed the initial report and other vectors on 18-Dec-2024
File snapshot
[4.0K] /data/pocs/9bed6af12c603b0a5d441e4329f0de8bb5b1f5ef
├── [1.4M] Apache Artemis - CVE-2023-50780 - Initial Report.pdf
├── [2.0M] Apache Artemis - CVE-2023-50780 - JAR + jvmtiAgentLoad.pdf
├── [1.8M] Apache Artemis - CVE-2023-50780 - WAR + Restart Vector.pdf
└── [3.2K] README.md
0 directories, 4 files
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.