CVE-2024-35201 stems from insecure deserialization logic in the Apache NMS AMQP client library. When an AMQP client connects to a malicious server, that server can send a crafted AMQP message carrying a specially formatted .NET object in its 'Properties' section or body. On receipt, the client automatically deserializes the object with the .NET BinaryFormatter. The deserialization is unbounded and not properly restricted, so any .NET class available to the client application can be instantiated. An attacker can use this to build a serialized gadget chain, a combination of classes and properties that, when deserialized, executes arbitrary code in the context of the client application. Allow/deny lists were introduced in v2.1.0, but certain object types or serialization flows could bypass them, so the protection is incomplete.
Platform: Apache ActiveMQ NMS
Version: <=2.3.0
Vulnerability: Insecure Deserialization
Severity: Critical
Date: 2024
Prediction: Patch available (2.4.0)
What Undercode Says:
git clone https://github.com/apache/activemq-nms-amqp
cd activemq-nms-amqp
git diff 2.3.0..2.4.0
// Example of a malicious object a server could send
var evilObject = new System.Windows.Markup.XamlReader();
evilObject.Parse(@"
<ResourceDictionary
xmlns='http://schemas.microsoft.com/winfx/2006/xaml/presentation'
xmlns:x='http://schemas.microsoft.com/winfx/2006/xaml'
xmlns:s='clr-namespace:System;assembly=mscorlib'
xmlns:r='clr-namespace:System.Diagnostics;assembly=system'>
<ObjectDataProvider x:Key='launchCalc' ObjectType='{x:Type r:Process}' MethodName='Start'>
<ObjectDataProvider.MethodParameters>
<s:String>cmd.exe</s:String>
<s:String>/c calc</s:String>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary>");
How the Exploit Works:
A malicious AMQP server sends a crafted serialized .NET object within the message properties. The client's BinaryFormatter deserializes the object without restriction. The gadget chain in the payload then triggers remote code execution.
Protection from this CVE:
Upgrade to NMS-AMQP client version 2.4.0. Implement network segmentation to control which AMQP servers clients may connect to. Migrate applications to non-binary message types (e.g., JSON, XML). Apply a `SerializationBinder` that strictly restricts the types that may be deserialized.
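As an added example (not the project's code, and not the NMS client's own allow/deny implementation), the allow-list SerializationBinder below shows what "restrict deserializable types strictly" looks like in plain .NET: every class record in the stream is matched against pre-resolved types, attacker-supplied names are never handed to Type.GetType, and anything unlisted aborts deserialization. It assumes a runtime where BinaryFormatter is still enabled (.NET Framework, or an explicit opt-in on newer .NET); AllowListBinder, OrderNotice and MessageDecoder are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical allow-list binder. BinaryFormatter calls BindToType for every
// class record in the stream, so refusing here stops a gadget type before any
// constructor, property setter or finalizer of it can run.
public sealed class AllowListBinder : SerializationBinder
{
    // "<assembly simple name>|<type full name>" -> pre-resolved Type.
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);
    public AllowListBinder(params Type[] allowedTypes)
    {
        // Every type reachable from the root (field types included) must be listed.
        foreach (var t in allowedTypes)
            _allowed[Key(t.Assembly.GetName().Name, t.FullName)] = t;
    }
    private static string Key(string asm, string type) => asm + "|" + type;

    public override Type BindToType(string assemblyName, string typeName)
    {
        // Never pass attacker-controlled names to Type.GetType: that loads
        // assemblies on demand. Reduce to the simple name and look it up instead.
        string simpleName = null;
        try { simpleName = new AssemblyName(assemblyName).Name; } catch (Exception) { }
        if (simpleName != null && _allowed.TryGetValue(Key(simpleName, typeName), out var t))
            return t;
        throw new SerializationException(
            $"Refusing to deserialize '{typeName}' from '{assemblyName}'.");
    }
}

[Serializable]
public sealed class OrderNotice { public string OrderId; public int Quantity; }

public static class MessageDecoder
{
    // Only OrderNotice can come out of this stream; any other root or nested
    // type, a serialized gadget chain included, throws SerializationException.
    public static OrderNotice Decode(byte[] body)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder(typeof(OrderNotice)) };
        using (var stream = new MemoryStream(body))
            return (OrderNotice)formatter.Deserialize(stream);
    }
}
```

Treat the binder as defense in depth only: Microsoft's own guidance is that BinaryFormatter cannot be made safe, so the upgrade to 2.4.0 and the move away from binary message bodies remain the primary fixes.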
Impact:
Arbitrary code execution on the client system. Complete compromise of the client application’s host. Potential lateral movement within the network.
Sources:
Reported By: github.com