RocketMQ CVE-2023-33246 #94

Open. Wants to merge 7 commits into base: main.
32 changes: 32 additions & 0 deletions apache/rocketmq/CVE-2023-33246/README.md
@@ -0,0 +1,32 @@
# RocketMQ CVE-2023-33246 Testbed

## Start the service
### Vulnerable instance
```bash
docker compose -f docker-compose-vulnerable.yml up
```

### Secure instance
```bash
docker compose -f docker-compose-secure.yml up
```
## Detection
The vulnerability can be verified and exploited by connecting to the broker port, which is `10911` by default. Unfortunately, this port is not included in nmap's top 1000 ports, therefore Tsunami will not detect it during a standard scan, unless you manually specify to scan it in the CLI arguments: `--port-ranges-target=10911`.
## Check if the instance is vulnerable
You can use the scripts from the following repository to check whether a RocketMQ instance is vulnerable: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT.

Here are some examples.
### Simple version-based check
Note: this needs the nameserver port (9876) to be reachable.
```bash
python3 check.py --ip <IP>
```
The python script will output a message with the detected version and the exploitability.
### Test with out-of-bound callback
This script will exploit the vulnerability with the supplied command. You can use a canary URL to confirm the presence of the vulnerability.
```bash
python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py <IP> <PORT> 'curl <CANARY_URL>'
```

## References:
https://vulncheck.com/blog/rocketmq-exploit-payloads
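Review bot: the section headed `## Detection` describes verification and exploitation rather than detection, and the `<PORT>` argument of the `CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py` invocation is never tied to the broker port `10911` named two sections earlier; suggest stating that `<PORT>` is the broker port (default `10911`), to go with the existing note that the version check needs nameserver port `9876`. Also "out-of-bound callback" should read "out-of-band callback", the headings `## Detection` and `## Check if the instance is vulnerable` lack the blank line before them that the other headings have, and `## References:` carries a trailing colon the other headings do not.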
16 changes: 16 additions & 0 deletions apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
@@ -0,0 +1,16 @@
name: rocketmq_secure
services:
namesrv:
image: apache/rocketmq:5.1.1
command: sh mqnamesrv
ports:
- "9876:9876"

broker:
image: apache/rocketmq:5.1.1
command: sh mqbroker -n namesrv:9876
ports:
- "10911:10911"
- "10909:10909"
depends_on:
- namesrv
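Review bot: `image: apache/rocketmq:5.1.1` is a mutable tag; for the baseline the testbed labels "secure", pin the image by digest (`image: apache/rocketmq:5.1.1@sha256:<digest>`) so the patched build under test is reproducible. Also `depends_on: - namesrv` only orders container start-up and does not wait for the nameserver to be listening on `9876`, so the broker's `-n namesrv:9876` registration may fail and retry on first start; a `healthcheck` on `namesrv` together with the long-form `depends_on` `condition: service_healthy` would make start-up deterministic.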
16 changes: 16 additions & 0 deletions apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
@@ -0,0 +1,16 @@
name: rocketmq_vulnerable
services:
namesrv:
image: apache/rocketmq:4.9.4
command: sh mqnamesrv
ports:
- "9876:9876"

broker:
image: apache/rocketmq:4.9.4
command: sh mqbroker -n namesrv:9876
ports:
- "10911:10911"
- "10909:10909"
depends_on:
- namesrv
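Review bot: this file publishes broker ports `10911` and `10909` and nameserver port `9876` on all host interfaces, yet the instance is intentionally exploitable with the remote command execution the README describes; bind the published ports to loopback (`"127.0.0.1:10911:10911"`, and likewise for `10909` and `9876`) so only a scanner on the same host can reach it. Note also that this file and `docker-compose-secure.yml` publish the same host ports, so the two instances cannot run at the same time, which the README's "Start the service" section should say. Apart from the image tag and the `name:` key the two compose files are identical; a single file with the tag in an environment variable would avoid the duplication.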