Patched Apache ActiveMQ bug abused to drop Godzilla web shells

A patched critical remote code execution (RCE) vulnerability in Apache ActiveMQ messaging systems is being widely exploited by attackers, according to TrustWave research.

The vulnerability, tracked as CVE-2023-46604, is used by attackers to insert and run malicious Java Server Pages (JSP) web shells, derived from open source Godzilla web shell, on the affected Apache ActiveMQ hosts.

“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners,” Apache said in a blog post. “Notably, despite the binary’s unknown file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”

The flaw stems from an unsafe deserialization practice within the OpenWire protocol used by the ActiveMQ messaging system, allowing a remote attacker with network access to either a Java-based OpenWire broker (messaging server) or a client (endpoint receiving or sending messages) to run arbitrary shell commands.

Concealed Godzilla runs without detection

Trustwave researchers identified suspicious JSP files dropped in the “admin” folder within the ActiveMQ installation directory of a vulnerable Apache ActiveMQ client. The folder contained the server scripts for the ActiveMQ administrative and web management console, according to TrustWave.

“Upon further analysis, Trustwave SpiderLabs determined that this JSP code came from an open source web shell known as the Godzilla Web shell,” TrustWave said.

Despite being concealed within an unknown type of binary, the JSP code was picked and run by the Java web server as a valid script.

“Interestingly, the Jetty JSP engine, which is the integrated web server in Apache ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary,” TrustWave said. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”

This attack method can successfully circumvent security measures, evading detection by security endpoints during scanning.

Godzilla deploys a multi-functional backdoor

Once the JSP code is successfully deployed, threat actors can use the web shell through the Godzilla management user interface to gain complete control over the target system.

The Godzilla web shell features a set of malicious functionalities, including viewing network details, conducting port scans, executing MimiKatz and MeterPeter commands, running shell commands, remotely managing SQL databases, and injecting shellcode into processes.

Dropping Godzilla isn’t the first abuse of the bug as it has been, since its public disclosure in Oct 2023, actively exploited by attackers for crypto mining, remote access trojans and ransomware. Affected versions include Apache ActiveMQ 5.18.0 (before 5.18.3), 5.17.0 (before 5.17.6), 5.16.0 (before 5.16.7), and Apache ActiveMQ before 5.15.16.

TrustWave has recommended that users upgrade brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes the vulnerability.


Go to Source