Introduction

The lab demonstrates the exploitation of CVE-2023-46604, a Remote Code Execution (RCE) vulnerability in Apache ActiveMQ's Java implementation of the OpenWire protocol. The vulnerability allows threat actors to run arbitrary shell commands by manipulating the serialized class types in an OpenWire command so that the Java runtime loads and instantiates any class present in its classpath.

Concepts

  • classpath: A parameter that tells the Java Virtual Machine (JVM) where to find user-defined classes, libraries, and other resources during the execution of a Java program.
  • serialization and deserialization: Java objects can be serialized into a byte stream and later deserialized back into an object. This process typically occurs when transferring data between systems, e.g., over the network.

Vulnerability Overview

The vulnerability in Apache ActiveMQ's OpenWire implementation arises from the marshaller, a component responsible for serialization and deserialization, failing to validate the class type in the provided OpenWire command. As a result, it allows an attacker to instantiate any class they specify, as long as it is present in the runtime's classpath.

For further details, please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46604
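To make the missing check concrete, here is an added model of the marshaller's class-type handling, written for this page and not taken from ActiveMQ's source: the function names, the dotted class names, the constructed sample frames and the use of Python's `importlib` as a stand-in for Java's `Class.forName()` are all assumptions. The vulnerable shape instantiates whatever class name the peer supplies; the hardened shape only instantiates exception types, which is the kind of validation the overview says the marshaller lacked.

```python
"""Model of an OpenWire-style 'throwable' unmarshaller, before and after hardening.

Added example, not ActiveMQ's own code. Python's importlib stands in for Java
reflection, and the sample frames below are constructed for illustration.
"""
import importlib


def _resolve(class_name: str):
    """Resolve a dotted class name the way Class.forName() would (assumption)."""
    module_name, _, attr = class_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def unmarshal_throwable_vulnerable(class_name: str, message: str):
    """Vulnerable shape: any class on the classpath with a one-string
    constructor is instantiated, with no check that it is a throwable."""
    cls = _resolve(class_name)
    return cls(message)


def unmarshal_throwable_hardened(class_name: str, message: str):
    """Hardened shape: refuse anything that is not an exception type before
    instantiating it, so the peer can no longer choose an arbitrary class."""
    cls = _resolve(class_name)
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise ValueError(f"refusing to instantiate non-throwable class {class_name}")
    return cls(message)


# Constructed sample frames (class name, message) as a marshaller might see them.
SAMPLE_FRAMES = [
    ("builtins.RuntimeError", "broker refused the command"),
    ("pathlib.PurePosixPath", "/tmp"),  # not an exception: must be rejected
]


def audit_frames(frames):
    """Return the class names the hardened unmarshaller rejects. Useful as a
    review pass over captured frames: any hit is a class the old code would
    have instantiated blindly."""
    rejected = []
    for class_name, message in frames:
        try:
            unmarshal_throwable_hardened(class_name, message)
        except ValueError:
            rejected.append(class_name)
    return rejected


if __name__ == "__main__":
    print("rejected:", audit_frames(SAMPLE_FRAMES))
```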

Lab Walkthrough

Q1. By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfil
