Shulou(Shulou.com)06/02 Report--

I. description of vulnerabilities

The vulnerability occurs in fileserver applications. The principle of the vulnerability is that the fileserver service in ActiveMQ allows users to upload files to a specified directory through the HTTP PUT method. Fileserver supports writing files (without parsing jsp), but supports moving files (Move). We can PUT the files of jsp to Fileserver, and then move them to the executable directory through the Move instruction.

Second, the vulnerability affects the version

Apache ActiveMQ 5.0.0-5.13.2

Third, the construction of vulnerability environment

1. Download apache-activemq-5.7.0-bin.tar from the official website: http://activemq.apache.org/download-archives.html

2. Decompression

3. Start, enter the bin directory, and run. / activemq start

4. The browser accesses http://192.168.10.149:8161/, and the following figure shows that the environment has been successfully built.

IV. Recurrence of loopholes

1. PUT uploads a webshell of jsp to the fileserver directory. The following figure shows the successful upload of jsp files.

Contents of Jsp file:

2. The browser accesses http://192.168.10.149:8161/fileserver/1.jsp,. The following figure shows that the webshell under the fileserver directory has not been parsed, indicating that the fileserver directory does not have execution permission.

3. Take advantage of the vulnerability of physical path disclosure in this version to explode the absolute path.

4. Use the Move method to move webshell to the admin directory, and successfully move the files to the admin directory as shown in the following figure

5. To take advantage of the unauthorized access vulnerability in this version, you do not need to log in. You can see the successful execution of the command by visiting the http://192.168.10.149:8161/admin/1.jsp?cmd=ls, figure below.

V. loophole defense

1. The functionality of ActiveMQ Fileserver has been removed in 5.14.0 and later versions. It is recommended that users upgrade to version 5.14.0 or later.

Reference: https://www.secpulse.com/archives/60064.html

Summary

The above is a reappearance of the Apache ActiveMQ arbitrary file writing vulnerability (CVE-2016-3088) introduced by the editor. I hope it will be helpful to you. If you have any questions, please leave me a message and the editor will reply to you in time. Thank you very much for your support to the website!

If you think this article is helpful to you, you are welcome to reprint it, please indicate the source, thank you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.