Apache OFBiz is an enterprise-level e-commerce platform used to build multi-layer, distributed e-commerce application systems; it is cross-platform, cross-database and cross-application-server.
In December 2023, a new version was officially released to fix CVE-2023-49070, an Apache OFBiz XML-RPC remote code execution vulnerability. The xml-rpc component had been removed from the main branch in April, but on the 18.12 release branch the XML-RPC interface was only removed after the official release in October. An attacker can exploit this vulnerability to obtain server privileges, and we recommend fixing it as soon as possible.
Back in 2020 there was a deserialization vulnerability in Apache OFBiz (CVE-2020-9496), located in the XML-RPC component. XML-RPC is also an Apache Software Foundation project, but it has essentially not been updated since around 2010, and it has had multiple deserialization vulnerabilities in its history (such as CVE-2016-5003 and CVE-2019-17570) which have not been fixed.
Apache OFBiz is affected because it uses the XML-RPC component. In subsequent versions the relevant APIs were hardened to fix the vulnerability, but those fixes have since been bypassed (CVE-2023-49070).
In CVE-2020-9496, the exploit sends a request containing an XML-RPC request body in XML format to the WebTools /webtools/control/xmlrpc interface. The body carries a serialized object as a base64 payload:
In May 2020, after the vulnerability surfaced, the OFBiz project submitted a first patch in this commit, which adds authentication to the XML-RPC interface.
This patch does not completely fix the problem, but it raises the bar for exploitation: the vulnerability is no longer a pre-auth RCE.
In October 2021, a researcher named Jie Zhu reported to the project that this post-auth RCE vulnerability still existed in the latest version at the time, 17.12.08. Since the root cause does not lie in OFBiz itself, and XML-RPC is no longer maintained, the vulnerability cannot be fixed fundamentally.
The project could only settle for the next best thing: a filter that inspects the request and reports an error as soon as it finds that a particular keyword exists in the body:
This fix was quickly bypassed, since an attacker could add a space to evade the detection.
As a result, the project hardened the check again by changing the detection keyword.
In addition to directly checking the request body, restrictions on the request path were added:
On the same day, the project found that the path restriction for the interface was incorrect, so it made another modification in a follow-up commit:
The latest CVE-2023-49070 is a bypass of the hardening described above:
The bypass has two parts: bypassing the request-path restriction, and bypassing authentication on the XML-RPC interface. With these two bypasses, the latest vulnerability reverts to a pre-auth RCE. First, the path restriction needs to be bypassed.
So we can try adding a semicolon to the path of the xml-rpc request: /webtools/control/xmlrpc;/.
This bypasses the first restriction, and the server returns a login page.
In the login-check method, if the return value of login() is not equal to "error", the if statement is not entered and the method returns "success".
And in the login() method there are a few lines like this:
Since the username, password and token parameters are taken from the session and are empty when not logged in, login() returns "requirePasswordChange" if the requirePasswordChange parameter equals y, and otherwise returns "error".
In summary, simply changing the request path to /webtools/control/xmlrpc;/?username=&password=&requirePasswordChange=y bypasses the permission check.
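The core of the authentication bypass described above is a fail-open check: the caller treats every login() result other than the literal "error" as a successful login, so an unexpected third result ("requirePasswordChange") slips through. The following is an added illustration, not OFBiz's own code; it models the behaviour the text describes in a few Python functions (login_model, check_login_vulnerable and check_login_hardened are names assumed for this example) and places the fail-open check beside a fail-closed version that only accepts an explicit "success".

```python
# Added example (not OFBiz code): toy model of the fail-open login check.
# Function and key names are assumptions made for this illustration.

def login_model(session: dict, params: dict) -> str:
    """Model of the described login() behaviour: credentials come from the
    session (empty when not logged in). With no credentials, return
    "requirePasswordChange" when that request parameter is "y", else "error"."""
    username = session.get("USERNAME", "")
    password = session.get("PASSWORD", "")
    if not username or not password:
        if params.get("requirePasswordChange") == "y":
            return "requirePasswordChange"
        return "error"
    # Constructed stand-in for a real credential check.
    return "success" if session.get("AUTHENTICATED") else "error"


def check_login_vulnerable(session: dict, params: dict) -> str:
    """Fail-open: anything that is not the literal "error" counts as logged in,
    so the third result "requirePasswordChange" is treated as success."""
    if login_model(session, params) == "error":
        return "error"
    return "success"


def check_login_hardened(session: dict, params: dict) -> str:
    """Fail-closed: only an explicit "success" result grants access; every other
    value (including results added to login() later) is denied."""
    result = login_model(session, params)
    return "success" if result == "success" else "error"


if __name__ == "__main__":
    unauthenticated = {}
    bypass_params = {"username": "", "password": "", "requirePasswordChange": "y"}
    print("vulnerable:", check_login_vulnerable(unauthenticated, bypass_params))
    print("hardened:  ", check_login_hardened(unauthenticated, bypass_params))
```

The design point is that an allow-list on the one result that means "authenticated" is robust to new return values, whereas a deny-list on "error" breaks the moment the callee grows a third outcome.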
Start an ofbiz 18.12.09 environment with Docker.
After waiting a few minutes, visiting the site shows the login page, indicating that the environment has started successfully.
Sending the request from the CVE-2020-9496 reproduction shows that the XML-RPC parsing process is not reached:
Change the path to /webtools/control/xmlrpc;/?username=&password=&requirePasswordChange=y to bypass the restriction:
Entering the container, it can be seen that the touch /tmp/success command was executed successfully:
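Two things from the reproduction above are worth turning into defensive checks: a path restriction that compares the raw request URI misses the ";/" path-parameter variant, and requests to the xmlrpc endpoint that carry requirePasswordChange=y with an empty username are a strong indicator of this bypass. The following is an added example, not code from the original post or from OFBiz: it normalises servlet paths by stripping ";" path parameters from each segment (so the comparison cannot be evaded that way) and scans a few constructed access-log lines for the indicators. The log lines and the function names are constructed for this illustration.

```python
# Added example (not OFBiz code): path normalisation plus access-log detection
# for the xmlrpc path-parameter / requirePasswordChange bypass. Sample log
# lines below are constructed, not real traffic.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2023:10:00:01 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 401 0
10.0.0.5 - - [28/Dec/2023:10:00:02 +0000] "POST /webtools/control/xmlrpc;/?username=&password=&requirePasswordChange=y HTTP/1.1" 200 512
10.0.0.7 - - [28/Dec/2023:10:00:03 +0000] "GET /webtools/control/main HTTP/1.1" 200 2048
10.0.0.9 - - [28/Dec/2023:10:00:04 +0000] "POST /webtools/control/xmlrpc;jsessionid=ABC123 HTTP/1.1" 200 300
"""

XMLRPC_PATH = "/webtools/control/xmlrpc"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_servlet_path(target: str) -> str:
    """Drop the query string and any ';' path parameters from every segment, so
    /webtools/control/xmlrpc;/ and /webtools/control/xmlrpc;jsessionid=X both
    normalise to /webtools/control/xmlrpc. A check on the raw URI misses them."""
    path = urlsplit(target).path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    normalized = "/".join(segments)
    # "xmlrpc;/" leaves a trailing empty segment; collapse it.
    return normalized.rstrip("/") or "/"


def suspicious_path_params(raw_path: str) -> bool:
    """True if any segment carries a path parameter other than the servlet
    container's own ;jsessionid=..., which is legitimate."""
    for seg in raw_path.split("/"):
        if ";" in seg:
            for param in seg.split(";")[1:]:
                if not param.startswith("jsessionid="):
                    return True
    return False


def classify(line: str) -> Optional[Dict]:
    """Return a finding dict for an xmlrpc request, with the bypass indicators
    it exhibits in 'reasons' (empty list when it looks benign)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    if normalize_servlet_path(target) != XMLRPC_PATH:
        return None
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons: List[str] = []
    if suspicious_path_params(parts.path):
        reasons.append("path parameter on xmlrpc URI")
    wants_pw_change = query.get("requirePasswordChange", [""])[0].lower() == "y"
    if wants_pw_change and not query.get("username", [""])[0]:
        reasons.append("requirePasswordChange=y with empty username")
    return {"target": target, "status": m.group("status"), "reasons": reasons}


def scan(log_text: str) -> List[Dict]:
    """One finding per xmlrpc request that carries at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        c = classify(line)
        if c and c["reasons"]:
            findings.append(c)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["status"], finding["target"], "->", ", ".join(finding["reasons"]))
```

A 200 response on a flagged request is the case to escalate: it means the request reached the XML-RPC handler rather than being turned away at the login check.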
On December 28th, an attack simulation for this vulnerability was added to the security validation platform. Search for the keywords "apache ofbiz" or "cve-2023-49070" on the platform to obtain the relevant attack simulation actions and verify that your security defenses are effective against this vulnerability; the platform ensures that your verification process is safe in an industry-unique way.