Apache OFBiz Deserialization Command Execution Vulnerability (CVE-2023-49070)

Mondo Technology Updated on 2024-01-29

Project Introduction

Apache OFBiz is a well-known e-commerce platform and open source project. It provides a framework for building multi-layer, distributed e-commerce web applications on the J2EE and XML specifications and standards, aimed at large and medium-sized enterprises and designed to be cross-platform, cross-database and cross-application-server. Its main feature is a complete set of components and tools for developing Java-based web applications, including an entity engine, service engine, message engine, workflow engine, rule engine and more.

Project address

Summary of the vulnerability

Apache OFBiz 17.12.03 and earlier contain a deserialization vulnerability in the XML-RPC interface. The project hardened the relevant interface in later versions, but that fix can be bypassed (CVE-2023-49070), so an attacker can still reach the deserialization vulnerability and execute arbitrary commands on the target server.

Affected versions

Apache OFBiz < 18.12.10

Environment setup

After setting up Vulhub, change into the CVE-2023-49070 directory and run docker compose up -d.

Vulnerability reproduction

1. Use the commonsbeanutils1 chain to construct a malicious payload

java -jar ysoserial.jar commonsbeanutils1 "touch /tmp/success" | base64 | tr -d "\n"

2. Use the following POC

3. The command is successfully executed.

Vulnerability analysis

The root cause of this vulnerability is the deserialization flaw in the XML-RPC component. Because XML-RPC is no longer updated or maintained, the Apache OFBiz project team decided to remove the component entirely, which fixes the problem completely; the earlier patch has also been removed.

In fact, CVE-2023-49070 is a bypass of the historical vulnerability CVE-2020-9496, and the fixes for CVE-2020-9496 are as follows.

However, the patch can be bypassed: OFBiz runs on Tomcat, which accepts URIs with path parameters of the form control/xmlrpc;..., so the string comparison in the if condition does not match and the check is skipped.

Even after bypassing the patch, exploitation still requires being logged in, which brings in a second vulnerability: an authentication bypass. The authentication logic is shown below; if the return value of the next step is not "success", the login page is returned.

The checkLogin function contains the following logic, and it returns success as long as any one of the following conditions is not met:

Since the username and password are user-controlled, the relevant logic is in the login function:

Hence, a URL of the form xxxx?username=&password=&requirepasswordchange=y makes the authentication function return success, bypassing authentication. Combined with the patch bypass above, this yields pre-authentication remote code execution.
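From a detection standpoint, both halves of the chain above leave a recognisable trace in web-server access logs: a path parameter (;) on the XML-RPC endpoint and the empty-credentials plus requirePasswordChange=y query. The following scanner is an added example, not code from the original post or from OFBiz; the endpoint path /webtools/control/xmlrpc and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined-log style), not taken from the post.
# The path /webtools/control/xmlrpc is assumed to be the XML-RPC endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2024:10:00:01 +0000] "POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.6 - - [29/Jan/2024:10:00:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 4096
10.0.0.7 - - [29/Jan/2024:10:00:03 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 403 0
10.0.0.8 - - [29/Jan/2024:10:00:04 +0000] "POST /webtools/control/login?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify(target):
    """Return the CVE-2023-49070 indicators present in one request target (path + query)."""
    reasons = []
    path, _, query = target.partition('?')
    # Tomcat accepts ';...' path parameters, so an application-level string comparison
    # against the bare endpoint path no longer matches: this is the patch-bypass trace.
    if ';' in path:
        reasons.append('path-parameter in URI')
    if 'xmlrpc' in path.split(';')[0].lower():
        reasons.append('xmlrpc endpoint')
    # Auth-bypass trace: empty USERNAME/PASSWORD together with requirePasswordChange=Y.
    params = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if (params.get('requirepasswordchange', '').lower() == 'y'
            and params.get('username') == '' and params.get('password') == ''):
        reasons.append('empty credentials with requirePasswordChange=Y')
    return reasons

def is_suspicious(reasons):
    """Flag the auth-bypass query anywhere, or a path parameter on the xmlrpc endpoint."""
    return ('empty credentials with requirePasswordChange=Y' in reasons
            or {'path-parameter in URI', 'xmlrpc endpoint'} <= set(reasons))

def scan(log_text):
    """Return (ip, target, reasons) for every log line matching the attack pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m['target'])
        if is_suspicious(reasons):
            hits.append((m['ip'], m['target'], reasons))
    return hits

if __name__ == '__main__':
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, reasons)
```

A plain POST to the xmlrpc endpoint without a path parameter (the third sample line) is not flagged, so ordinary XML-RPC traffic does not generate noise.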
