Wednesday 17 August 2016

CVE-2016-0782 writeup

TL;DR

Administrator's Web Console of Apache ActiveMQ versions 5.0.0 - 5.13.0 were vulnerable to several attacks, exploiting which unauthenticated client (i.e. accessing open STOMP port) could remotely receive Administrator’s password in plaintext and thus access all ActiveMQ data, such as queues, topics and messages.

Typical attack scenario:
a)     Attacker creates a new message queue and drops a message into it, in order to exploit Stored XSS in queue name. It is even possible to email administrator with a fully prepared link with XSS.
b)     When administrator accesses the page, his browser is hooked – it accesses Attacker’s server in order to receive commands in background.
c)     Using XSS, it is possible to download all data from destination server, such as queues, topics, messages, etc.
d)     But what is more interesting – using XSS, we can access Jolokia API. Using this API, it is possible to
(1) Obtain Full Path through accessing /api/jolokia/read/java.lang:type=Runtime/ClassPath page;
(2) Call Java Garbage Collector in order to remove unnecessary objects from memory;
(3) make Heap Dump and put this file into webapps directory so it can be accessed from Web, as far as we know Full Path.
      e) By parsing Heap Dump file with regexp, it is possible to find Authorization: Basic string, which remains in memory as a part of HTTP packet, which contains administrator’s password in base64.


Demo:

Download attacker's server files. <- clickable

Vendor announcement: https://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt



Description of all XSS issues:

[Unauthenticated User] tag here means that any user can reproduce this bug, using connect to default STOMP port.

1.       Vulnerability: Full Java Memory Dump can be stored to any folder on server.
Script: /api/jolokia/, method: POST 
POST data: { "type":"EXEC", "mbean":"com.sun.management:type=HotSpotDiagnostic", "operation":"dumpHeap", "arguments":["FULL_PATH",0]}

2.       Vulnerability: [Unauthenticated User] Stored XSS.
Vulnerable parameter: Queue name.
Step 1: Add new queue with vector "><svg/onload=alert(1)>
Step 2: Push a new message into this queue.
Step 3: Access this message using ActiveMQ Web Console. Alert will pop up.



3.       Vulnerability: [Unauthenticated User] Stored XML-XSS
It is necessary to create new queue with name:
1"><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert('xss');</x:script>
Vector will be executed on page http://0.0.0.0:8161/admin/xml/queues.jsp


4.       Vulnerability: [Unauthenticated User] Stored XSS
Attacker should launch “consumer” script in order to receive messages from queue/topic with XSS in name:

In administrator panel, a new connection will appear in Connections tab (in case of receiving messages from topic - also in Subscribers tab). After clicking "connection" link (in order to access page with details about the connection), XSS alert will pop up:


5.       Vulnerability: [Unauthenticated User; User Interaction Required] Stored XSS
In this case, I used Demo-Example to emulate connection: /apache-activemq-5.13.0/webapps-demo/demo/mqtt/index.html :


Step 1: Demo-Example connects to server using ws:// protocol. A new connection in Connections tab (Admin Web Console) will appear.
Step 2: By clicking on the connection link, you can see a link to Destination ("Topic" - in my case).
Step 3: Symbol > is filtered, so attacker can only write additional tag attribute such as "onclick". So in my example, XSS will be launched by clicking crafted link.


6.       Vulnerability: [Self-XSS; I did not find a way to insert new subscriber by Unauthenticated user – it may be possible] Stored XML-XSS.
Step 1: Add new subscriber. Vulnerable parameters: Topic Name, Subscriber Name. Vector:
1"><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert('xss');</x:script>
Step 2: XSS will be displayed on page http://0.0.0.0:8161/admin/xml/subscribers.jsp - similar to XSS #2.


No comments:

Post a Comment