1、漏洞复现
登入rabbimq-management 管理界面,f12打开开发者工具,在network一项捕获请求,请求头中的Cookie值为base64 加密密文,可以使用通用base解密,
例如:请求头中抓到 Cookie: m=2258:Z3Vlc3Q6Z3Vlc3Q%253D
对 m=2258:Z3Vlc3Q6Z3Vlc3Q%253D 解密为 guest:guest
2、认证模式
Mechanism | Description |
---|---|
PLAIN | SASL PLAIN 验证。在RabbitMQ服务器和客户端中,默认是启用的,其他大多数客户端也是默认的。 |
AMQPLAIN | PLAIN的非标准版本,用于向后兼容。该功能在RabbitMQ服务器中默认启用。 |
EXTERNAL | 身份验证使用带外机制进行,例如x509证书对等验证、客户端IP地址范围或类似的机制。这种机制通常由RabbitMQ插件提供。 |
RABBIT-CR-DEMO | 演示challenge-response认证的非标准机制。该机制具有与PLAIN等价的安全性,在RabbitMQ服务器中默认不启用。 |
rabbitmq的auth_mechanisms配置中默认为PLAIN模式,与AMQPLAIN同为明文认证,解决AMQP明文验证漏洞需要修改为EXTERNAL
3、EXTERNAL认证配置
修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config
,此文件默认不存在,需要手动创建
[{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{ciphers, [
"ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
"AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
]}
]},
{auth_mechanisms,['EXTERNAL']},
{ssl_cert_login_from,common_name}
]}].
主要配置项说明:
- verify
-
verify_peer
客户端与服务端互相发送证书 -
verify_none
禁用证书交换与校验
-
- fail_if_no_peer_cert
-
true
不接受没证书的客户端连接 -
false
接受没证书的客户端连接
-
-
auth_mechanisms
认证机制,此处使用EXTERNAL
表示只使用插件提供认证功能 - ssl_cert_login_from使用证书中的哪些信息登录,如果不配置这项是走的DN,配置走CN
-
common_name
CN名称
-
启用插件
#启用rabbitmq_auth_mechanism_ssl作为EXTERNAL认证机制的实现
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
#查看启动结果
rabbitmq-plugins list
重启rabbitmq 并添加rabbitmq-client用户
service rabbitmq-server restart
#添加证书登录用户(用户名要与客户端证书名称前缀一致),密码任意
rabbitmqctl add_user 'rabbitmq-client' '2a55f70a841f18b97c3a7db939b7adc9e34a0f1b'
#给rabbitmq-client用户虚拟主机/的所有权限,如需其他虚拟主机替换/
rabbitmqctl set_permissions -p "/" "rabbitmq-client" ".*" ".*" ".*"
代码中添加配置
@Configration
public class RabbitmqConfig{
@Autowired
RabbitProperties rabbitProperties;
@Autowired
CachingConnectionFactory cachingConnectionFactory;
/**
* 解决安全扫描 AMQP明文登录漏洞 仅当rabbitmq启用ssl时并且配置证书时,显式设置EXTERNAL认证机制
* EXTERNAL认证机制使用X509认证方式,服务端读取客户端证书中的CN作为登录名称,同时忽略密码
*/
@PostConstruct
public void rabbitmqSslExternalPostConstruct() {
boolean rabbitSslEnabled = BooleanUtils.toBoolean(rabbitProperties.getSsl().getEnabled());
boolean rabbitSslKeyStoreExists = rabbitProperties.getSsl().getKeyStore() != null;
if (rabbitSslEnabled && rabbitSslKeyStoreExists) {
cachingConnectionFactory.getRabbitConnectionFactory().setSaslConfig(DefaultSaslConfig.EXTERNAL);
}
}
}
application 配置文件修改
spring:
rabbitmq:
host: ip
port: 5671
publisher-returns: true
virtual-host: /
ssl:
enabled: true
key-store: classpath:ssl/rabbitmq-client.keycert.p12
key-store-password: rabbit
trust-store: classpath:ssl/rabbitmqTrustStore
trust-store-type: JKS
verify-hostname: false
listener:
direct:
acknowledge-mode: manual
4、参考文章
https://www.cnblogs.com/hellxz/p/15776987.html
-end-