[ https://issues.apache.org/jira/browse/AMQ-7491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17124654#comment-17124654 ]
wang Jessie commented on AMQ-7491:
----------------------------------

I have uploaded my script to GitHub. Here is the address
[https://github.com/wqqqy/MPInspector/tree/master/Adapter/AMQP10/hack-amqp10_SameContainerId]

> ActiveMQ illegal occupation vulnerability
> -----------------------------------------
>
>                 Key: AMQ-7491
>                 URL: https://issues.apache.org/jira/browse/AMQ-7491
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP, Broker
>    Affects Versions: 5.15.12
>         Environment: We built a script using JavaScript to interact with the
> broker in ActiveMQ 5.15.12.
> The experiment is performed on Windows 10, version 1903.
>            Reporter: wang Jessie
>            Priority: Blocker
>              Labels: security
>         Attachments: 1590234052205.png
>
>
> *Description:* Two clients with the same Container-Id are not allowed to
> connect to the broker. When we send *two OPEN packets with the same
> Container-Id*, the broker will return an error and the client will close the TCP
> connection. The client with this Container-Id will *never be able to connect
> with the broker* unless the broker resets. This vulnerability can be
> exploited by the adversary to perform the aforementioned attacks on many
> Container-Ids to make a huge set of clients unable to connect with the broker.
> As ActiveMQ is widely adopted by IoT vendors, this can be a
> vulnerability affecting a wide range.
> Following are the details.
> We send *two OPEN packets with the same Container-Id 1* and we can learn from
> log A in the attached picture on the broker side that the broker returned
> close packets and the client closed this TCP connection with the broker.
> Then we build a new client to connect with the broker using the same
> Container-Id 1; we can learn from log B in the attached picture that the
> broker returned errors, as the broker believes the client with Container-Id 1
> is already connected.
> *Suggestion for repair:* Maybe the state of the broker after receiving two
> OPEN packets could be checked and the connection state of the client could be
> updated when the TCP connection is closed.
>
> :) I hope what I found can be of some help, and if you want further discussion,
> please email me at [wangqiny...@zju.edu.cn|mailto:wangqiny...@zju.edu.cn].
> Thanks for spending your time on my issue.
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
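
The lockout described in the report and its suggested repair, as an added sketch that is not part of the original message and is not ActiveMQ code. The `ContainerIdRegistry` class, the connection names, and the assumption that both OPEN packets arrive on one connection are hypothetical; the model only shows why a Container-Id entry must be released when its owning TCP connection closes.

```javascript
// Simplified model, constructed for illustration; not ActiveMQ source code.
class ContainerIdRegistry {
  constructor(releaseOnClose) {
    this.owners = new Map();            // Container-Id -> owning connection
    this.releaseOnClose = releaseOnClose;
  }

  // An OPEN frame carrying `containerId` arrives on connection `conn`.
  open(conn, containerId) {
    if (this.owners.has(containerId)) {
      return { ok: false, error: "Container-Id already connected" };
    }
    this.owners.set(containerId, conn);
    return { ok: true };
  }

  // The TCP connection `conn` has gone away, for whatever reason.
  close(conn) {
    if (!this.releaseOnClose) return;   // reported behaviour: entry stays
    for (const [id, owner] of this.owners) {
      // Release only ids this connection owns, so a rejected duplicate
      // cannot free an id that a live client still holds.
      if (owner === conn) this.owners.delete(id);
    }
  }
}

// Sequence from the report: two OPENs, connection closed, then a new client.
function replayReport(registry) {
  const first = registry.open("conn-1", "container-1").ok;
  const duplicate = registry.open("conn-1", "container-1").ok;
  registry.close("conn-1");
  const reconnect = registry.open("conn-2", "container-1").ok;
  return { first, duplicate, reconnect };
}

// A rejected duplicate from another connection must not evict the live owner.
function liveOwnerSurvives(registry) {
  registry.open("conn-A", "container-2");
  registry.open("conn-B", "container-2");  // rejected
  registry.close("conn-B");
  return registry.owners.get("container-2") === "conn-A";
}

console.log("stale:", replayReport(new ContainerIdRegistry(false)));
console.log("fixed:", replayReport(new ContainerIdRegistry(true)));
```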