WHITE PAPER A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications 1 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER Table of Contents 4 Introduction Author 4 Messaging 101 5 Anatomy of a JMS Message This white paper was written by: Gursev Singh Kalra, Senior Principal 5 Message Broker Consultant,McAfee® Foundstone® 6 Messaging Models Professional Services 7 JMS API 8 Apache ActiveMQ Basics 8 ActiveMQ Authentication Options 10 ActiveMQ Authorization Controls 11 ActiveMQ Administration Console 11 Pentesting JMS Applications 11 Discovery and Configuration 11 Understanding ActiveMQ Configuration File 13 Review for Weak Configuration and Known Vulnerabilities 14 Data Protection in Storage and Transit 14 Insecure Communication 14 Insecure Password Storage 14 Weak Encryption Password 15 Unencrypted KahaDB 15 User Management and Authentication 15 No Authentication 15 Simple Authentication Plug-In 15 JAAS Authentication Plug-In 15 Account Lockout Testing 2 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER Table of Contents, continued 16 Data Validation and Error Handling 16 Injection Attacks 16 Attacking Other Clients 17 Authorization 17 Destination Access 17 Exploitation 17 Reading Queues with QueueBrowser 18 Retrieving Messages from Topics with TopicSubscriber 18 Retrieving Messages from Topics with Durable Subscribers 19 Additional Durable Subscriber Attacks 19 Retrieving Statistics for the Broker and its Destinations 20 Dynamic Destinations 20 JMSDigger―A GUI-Based JMS Assessment Tool 20 Generic JMS Operations 20 ActiveMQ Specific Operations 21 Conclusion 22 Appendix A 22 JMS API-Based Anonymous Authentication Check 23 JMS API-Based Credential Brute Force Code 24 Example Password and Configuration File Decryption Code 27 About The Author 27 About McAfee Foundstone Professional Services 27 About McAfee28 About McAfee 3 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER Sustainable Security Operations Optimize processes and tools to make the most of your team’s time and talent Introduction Messaging 101 Enterprise Messaging Systems (EMS) form the Sun Microsystems created JSR-9147 as JMS API transactional backbone of many large organizations specification with an aim to provide an abstract interface worldwide. They are highly reliable, flexible, and scalable to communicate with messaging providers and to write systems that allow asynchronous message processing portable messaging clients (in Java) for JMS-compliant between two or more applications. This paper provides message brokers. JMS applications are made up of guidance on penetration testing techniques to assess several JMS clients and generally one JMS provider. The the security of ActiveMQ1-based EMS Systems written JMS provider is also known as a messaging server. The using Java Messaging Service (JMS) API.2,3 Applications JMS clients create messages and send those messages that have been written using JMS API are also known as to the JMS provider, which in turn routes the messages JMS Applications. to the other clients based on its configuration and business rules. The paper begins with an introduction to JMS concepts that are relevant to the penetration testing techniques Let us now understand the structure of a message, discussed afterwards, and then introduces JMSDigger,4 messaging models, and the JMS API. an open-source tool to engage and assess ActiveMQ- Anatomy of a JMS Message based JMS Applications. Messages are used to deliver application data and event Please note that this paper does not aim to provide a notifications. A JMS Message is made up of message comprehensive tutorial on JMS concepts or on writing headers, message properties, and a message body as code based on JMS API. There are many excellent JMS5 shown in the image below. Message headers contain and ActiveMQ6 books that you can refer to if you are metadata that describes message attributes like interested. message priority, message ID, message type, message routing information, and message expiry, among others. 4 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER Message properties are the additional headers that can 3. MapMessage: The MapMessage type contains name- be added to a message by the developer or message value pairs as its payload. broker, or can be JMS-defined properties. The message 4. BytesMessage: The ByteMessage type contains body contains the actual content that is to be delivered. an array of primitive bytes as its payload. Messages are delivered between the clients via 5. ObjectMessage: The ObjectMessage type virtual channels called destinations that are hosted contains serialized Java objects as its payload. by the message broker. JMS API supports six primary 6. StreamMessage: The StreamMessage type message types: contains a stream of primitive Java types like byte, , , and others as its payload. 1. Message: The Message type has no payload and is int char typically used for event notifications. Messages are never addressed to any specific client but 2. TextMessage: The TextMessage type carries to the destinations. The message delivery mechanism is plain text or it can be used to carry specialized data determined by the messaging model (discussed below) formats like XML, SOAP8 messages, JSON,9 and others used by a particular application. as its payload. Message Broker Message brokers form the core of the Enterprise Messaging Systems. Messages are transmitted between the messaging clients via virtual channels hosted by Headers the message brokers, also called messaging servers. Properties These virtual channels are also called destinations. Body The message brokers ensure that application data is delivered with high reliability, in an efficient manner, and minimize coupling between messaging clients. Figure 1. A JMS Message. A large number of message brokers like ActiveMQ, RabbitMQ, SonicMQ, and IBM WebSphereMQ support JMS API for message exchange. 5 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER Messaging Models The messages on a Queue behave differently when a Messaging models represent different approaches to QueueBrowser API is used to retrieve messages without messaging. A message broker may support either one or disrupting a Queue’s contents. When a QueueBrowser both the messaging models discussed below. Messaging is used, the querying JMS client receives an enumeration models are also known as messaging domains. of all messages on the Queue at a point in time, which the JMS client can iterate through and analyze Queue Point-to-Point Model contents for any business decisions. This feature is very The virtual channel used for communication in the useful as it allows one to analyze Queue content without point-to-point messaging model is called a Queue. In losing any messages. this model, the JMS clients that produce the messages are called the senders, and the clients that consume the Publish-and-Subscribe Model messages are called the receivers. In the point-to-point The virtual channel used for communication in the messaging model, each message can be consumed only publish-and-subscribe messaging model is called a once, and it gets discarded after it is delivered to any Topic. The JMS clients that produce messages are called one receiver. The send-and-receive operations to and the publishers and the JMS clients that consume the from Queues can be performed either in a synchronous messages are called the subscribers. The publishers or an asynchronous fashion. The receivers can also send messages to the Topic and the subscribers read acknowledge message consumption to the sender. The the messages off the Topic. However, there is no direct point-to-point messaging model is also referred to as communication between the JMS publishers and p2p model. subscribers. The publish-and-subscribe messaging model is also referred to as pub/sub model. The pub/sub messaging model is subscription based. Message Message Queue Acknowledgement Sender Receiver Figure 2. The image shows a point-to-point messaging model. 6 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER There are two types of subscribers in the publish-and- JMS API subscribe model―nondurable and durable subscribers. JMS is an API specification and not a wire-level protocol. The nondurable subscribers receive the messages It is a vendor-agnostic API that can be used with any JMS- only when they are connected to and actively listening compliant messaging broker. Depending on the message on a particular Topic. All messages during the period broker, the JMS API can also be used to communicate of inactivity are lost for the nondurable subscribers. with non-Java or non-JMS messaging clients as we Durable subscribers, however, receive all messages will discuss in the sections below. The JMS API can be even if the subscriber is neither active nor connected classified into three categories: to the message broker. Durable subscribers retain the 1. The general API messages until the messages are retrieved, or until 2. Point-to-point API the messages expire, whichever occurs first. Durable subscribers can be either dynamically or statically 3. Publish-and-subscribe API created by the broker administrators in the configuration The API used for writing a JMS application is based files. Durable subscribers are uniquely identified by a on the messaging model used. The April 2002 JMS combination of a client identifier (for the JMS client) and 1.1 specification, however, allows the general API to a durable subscriber name. send and receive messages to and from Queues or Topics with some restrictions. Since the JMS API code is portable, it can be used to assess JMS applications created using different types of message brokers. Publisher Message Topic Message Subscriber Subscriber Message Subscriber Figure 3. Image shows a publish-and-subscribe messaging model. 7 A Pentesters Guide to Hacking ActiveMQ-Based JMS Applications WHITE PAPER Apache ActiveMQ Basics ActiveMQ is an open-source, JMS-compliant message broker with a full JMS client. It provides a number of client libraries in different programming languages like Java, Ruby, Python, C, C++, and C# and can therefore Figure 4.