RocketMQ Arbitrary File Write Vulnerability – CVE-2023-37582

Vulnerable Version

RocketMQ 5.x before 5.1.2 and 4.x before 4.9.7

Fixed Version

5.1.2 (5.x branch) and 4.9.7 (4.x branch)

Base Score

9.8 Critical (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vendor Description:-

Apache RocketMQ is a messaging and streaming platform that lets users create event-driven applications. It is a distributed middleware service that communicates asynchronously and employs a publish/subscribe approach. RocketMQ is intended to operate in the cloud and is compliant with industry standards.

CVE-2023-37582 Vulnerability Description:-

The vulnerability resides in the NameServer component of RocketMQ, which manages broker registration and routing information. The NameServer exposes a runtime configuration update command (UPDATE_NAMESRV_CONFIG) that accepts key=value properties from any client that can reach its port, merges them into the running configuration and then persists the whole configuration to the file named by the configStorePath setting. Because configStorePath is itself one of the updatable settings, a client can point it at any path the RocketMQ process is allowed to write and have attacker-supplied values persisted there. Apache's advisory describes the issue as a remnant of CVE-2023-33246 that was not completely fixed in 5.1.1.


Root Cause

The vulnerability occurs because:

  1. Lack of Input Validation: the NameServer does not restrict which configuration keys an UPDATE_NAMESRV_CONFIG request may change, so the path-valued configStorePath key is accepted like any other string setting.
  2. Insecure File Handling: configStorePath decides where the merged configuration is persisted. Pointing it at another file turns the routine config write into a write of attacker-influenced content to that file.
  3. Unauthenticated Configuration Update: the NameServer's remoting port has no authentication in a default deployment, so anyone who can reach it can send the command.
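The description and root-cause list above talk about the command and its body in the abstract. The following is an added example, not code from the page or from the RocketMQ project, that encodes and decodes the remoting frame carrying an UPDATE_NAMESRV_CONFIG request (request code 318 in RocketMQ's RequestCode table; JSON header, then a body of key=value lines) and applies a detection rule a network sensor could use: flag any such request that changes a path-valued key. The frame layout and the "version" field value are as used by RocketMQ's JSON-serialised remoting protocol; the inclusion of kvConfigPath in the watched keys and the sample payload are assumptions for the demo.

```python
import json
import struct

# RocketMQ request code for UPDATE_NAMESRV_CONFIG (RequestCode.UPDATE_NAMESRV_CONFIG).
UPDATE_NAMESRV_CONFIG = 318
# Serialisation type carried in the top byte of the header-length field: 0 = JSON header.
SERIALIZE_JSON = 0
# Config keys that name a file path and so redirect where the NameServer persists its config.
# kvConfigPath is an assumption: it is path-valued, but this page only discusses configStorePath.
PATH_KEYS = {"configStorePath", "kvConfigPath"}


def properties_to_body(props):
    """Body layout of the config-update command: one 'key=value' line per property."""
    return "".join(f"{k}={v}\n" for k, v in props.items()).encode()


def body_to_properties(body):
    """Inverse of properties_to_body; tolerant of stray whitespace and blank lines."""
    props = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def encode_frame(code, body=b"", opaque=0):
    """Build one remoting frame: [4B total length][1B type | 3B header length][JSON header][body]."""
    header = json.dumps(
        {"code": code, "language": "JAVA", "version": 395, "opaque": opaque,
         "flag": 0, "serializeTypeCurrentRPC": "JSON"},   # version is informational only
        separators=(",", ":"),
    ).encode()
    header_len = len(header)
    total_len = 4 + header_len + len(body)   # covers the header-length field, header and body
    type_and_len = (SERIALIZE_JSON << 24) | (header_len & 0x00FFFFFF)
    return struct.pack(">ii", total_len, type_and_len) + header + body


def decode_frame(frame):
    """Parse a frame into (header dict, body bytes); raises on a truncated or non-JSON frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the two length fields")
    total_len, type_and_len = struct.unpack(">ii", frame[:8])
    if (type_and_len >> 24) & 0xFF != SERIALIZE_JSON:
        raise ValueError("only JSON-serialised headers are handled here")
    header_len = type_and_len & 0x00FFFFFF
    if len(frame) < 4 + total_len:
        raise ValueError("frame truncated")
    header = json.loads(frame[8:8 + header_len].decode("utf-8"))
    body = frame[8 + header_len:4 + total_len]
    return header, body


def flag_config_update(frame):
    """Sensor rule: reasons an inbound frame looks like CVE-2023-37582 abuse.
    Empty list: not an UPDATE_NAMESRV_CONFIG request, or it touches no path-valued key."""
    header, body = decode_frame(frame)
    if header.get("code") != UPDATE_NAMESRV_CONFIG:
        return []
    props = body_to_properties(body)
    return [f"{key} changed to {props[key]!r}" for key in sorted(PATH_KEYS & props.keys())]


if __name__ == "__main__":
    # Constructed sample: the shape of an abusive update, with a harmless path for the demo.
    evil = properties_to_body({"configStorePath": "/tmp/demo-target", "rocketmqHome": "attacker text"})
    frame = encode_frame(UPDATE_NAMESRV_CONFIG, evil, opaque=7)
    print(frame[:8].hex(), flag_config_update(frame))
```

On a real sensor the rule would sit behind a TCP reassembler on port 9876 and would also record the source address: in most deployments only administrative hosts ever send this request, so any occurrence from elsewhere is worth an alert even when no path key is present.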

Impact

  • Arbitrary File Write: the attacker can create or overwrite any file the RocketMQ process user can write, with content they partly control (the persisted file also carries the other configuration keys as key=value lines).
  • Remote Code Execution (RCE): writing into a location that is executed or trusted, such as a cron entry or an SSH authorized_keys file, yields code execution as the RocketMQ user.
  • Denial of Service (DoS): overwriting application or system files the service depends on breaks the NameServer or the host.
  • Privilege Escalation: if RocketMQ runs as root, the same write reaches root-owned files and the resulting code execution is as root.

Mitigations

1. Apply the Official Patch

  • Upgrade to 5.1.2 or later on the 5.x branch, or 4.9.7 or later on the 4.x branch; both contain the fix.
  • Check the official Apache RocketMQ security advisories or GitHub repository for later updates.

2. Restrict Access to the NameServer

  • Ensure the NameServer component is not exposed to untrusted networks.
  • Use firewalls or network access control lists (ACLs) to restrict access to the NameServer port (default: 9876).

3. Implement Input Validation (custom builds and forks)

  • Treat the configuration update body as untrusted input: refuse changes to path-valued keys such as configStorePath over the wire, and refuse unknown keys.
  • Example: reject any value containing ../ (path traversal) or a line break, and any absolute path outside the RocketMQ installation directory.

4. Reduce the Blast Radius

  • Run the NameServer as a dedicated unprivileged user with write access only to its own data directory, so that a file write cannot reach cron, SSH or system files.
  • Alert on UPDATE_NAMESRV_CONFIG requests that arrive from anything other than your administrative hosts; in most deployments only administrators send it.
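To make the validation point concrete, here is an added example, not code from the page or from RocketMQ, that models the NameServer's update-then-persist logic in Python. The key set, default values and file layout are constructed for the demo (the real keys come from NamesrvConfig and NettyServerConfig). The vulnerable handler merges any known key, including configStorePath, and then persists every key as a key=value line to whatever path configStorePath now holds; the hardened handler refuses path-valued and unknown keys before touching any state. The demo writes only inside a temporary directory.

```python
import os
import shutil
import tempfile

# Config keys that name a file path; updating them over the wire must be refused.
PATH_KEYS = {"configStorePath", "kvConfigPath"}


class NamesrvConfigModel:
    """Stand-in for NamesrvConfig plus the Configuration.update()/persist() behaviour.
    Keys and defaults are constructed for this example."""

    def __init__(self, store_path):
        self.configs = {
            "rocketmqHome": "/opt/rocketmq",
            "kvConfigPath": "/opt/rocketmq/namesrv/kvConfig.json",
            "configStorePath": store_path,
            "productEnvName": "center",
        }

    def persist(self):
        """Write every config key as a 'key=value' line to the file named by configStorePath."""
        path = self.configs["configStorePath"]
        os.makedirs(os.path.dirname(path), exist_ok=True)  # lets the demo run in a fresh temp dir
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("".join(f"{k}={v}\n" for k, v in self.configs.items()))

    def update_vulnerable(self, props):
        """Vulnerable shape: merge any known key, configStorePath included, then persist."""
        for key, value in props.items():
            if key in self.configs:          # unknown keys are silently ignored
                self.configs[key] = value
        self.persist()

    def update_hardened(self, props):
        """Hardened shape: validate the whole request before changing or writing anything."""
        for key, value in props.items():
            if key not in self.configs:
                raise ValueError(f"unknown config key {key!r}")
            if key in PATH_KEYS:
                raise ValueError(f"{key} may not be updated over the wire")
            if "\n" in value or "\r" in value:
                raise ValueError(f"line break in value for {key!r}")
        for key, value in props.items():
            self.configs[key] = value
        self.persist()


def demo():
    """Send the same attacker update to both handlers; returns what each did."""
    root = tempfile.mkdtemp(prefix="cve-2023-37582-")
    try:
        # Stands in for any file the process user can write (cron, authorized_keys, ...).
        target = os.path.join(root, "victim", "target.txt")
        attacker_props = {"configStorePath": target, "rocketmqHome": "ATTACKER CONTROLLED LINE"}
        legit_store = os.path.join(root, "namesrv.properties")

        vulnerable = NamesrvConfigModel(legit_store)
        vulnerable.update_vulnerable(attacker_props)
        with open(target, encoding="utf-8") as fh:
            written = fh.read()

        hardened = NamesrvConfigModel(legit_store)
        try:
            hardened.update_hardened(attacker_props)
            error = None
        except ValueError as exc:
            error = str(exc)
        return {
            "written": written,
            "error": error,
            "hardened_untouched": (
                hardened.configs["rocketmqHome"] == "/opt/rocketmq"
                and not os.path.exists(legit_store)
            ),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(result["written"])
    print("hardened handler said:", result["error"])
```

Two things the run makes visible. First, the attacker's line lands in the target file among the other key=value lines, so only targets that ignore unrelated lines are useful to an attacker, and defenders should expect the whole configuration dump, not a bare payload, when they find such a file. Second, the hardened handler rejects the request before any merge or write, which matters because a check placed after the merge would still leave configStorePath changed in memory for the next legitimate update to persist. This check complements, and does not replace, upgrading and restricting network access to port 9876.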

POC

Exploit:- https://github.com/Malayke/CVE-2023-37582_EXPLOIT

usage: CVE-2023-37582.py [-h] [-ip IP] [-p P]

Reference:-

https://github.com/Malayke/CVE-2023-37582_EXPLOIT

https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-37582
