Apache OFBiz is an open-source e-commerce platform for building multi-tier, distributed e-commerce applications for large and medium-sized enterprises; it is cross-platform, cross-database, and cross-application-server. In May 2024 the project shipped a release that fixes CVE-2024-32113, a directory traversal in Apache OFBiz that leads to code execution: an attacker can craft requests that reach an endpoint meant to require a login and take control of the server. Affected deployments should apply the fix promptly.
0x02 Groovy Execution Analysis
/framework/webtools/webapp/webtools/WEB-INF/controller.xml
Lines 412-416:
<request-map uri="ProgramExport">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="ProgramExport"/>
    <response name="error" type="view" value="ProgramExport"/>
</request-map>
Both responses are of type view, and the request-map itself demands an authenticated HTTPS session (auth="true"), which is why reaching it from an unauthenticated request matters.
Line 652 holds the matching view configuration, which points to the screen definition in
apache-ofbiz-18.12.11/framework/webtools/widget/EntityScreens.xml
Lines 74-96:
<screen name="ProgramExport">
    <section>
        <actions>
            <set field="titleProperty" value="PageTitleEntityExportAll"/>
            <set field="tabButtonItem" value="programExport"/>
            <script location="component://webtools/groovyScripts/entity/ProgramExport.groovy"/>
        </actions>
        <widgets>
            <decorator-screen name="CommonImportExportDecorator" location="${parameters.mainDecoratorLocation}">
                <decorator-section name="body">
                    <screenlet>
                        <include-form name="ProgramExport" location="component://webtools/widget/MiscForms.xml"/>
                    </screenlet>
                    <screenlet>
                        <platform-specific>
                            <html><html-template location="component://webtools/template/entity/ProgramExport.ftl"/></html>
                        </platform-specific>
                    </screenlet>
                </decorator-section>
            </decorator-screen>
        </widgets>
    </section>
</screen>
The screen's <actions> block runs the script at
/webtools/groovyScripts/entity/ProgramExport.groovy
Lines 56-82:
    parameters.groovyProgram = groovyProgram
} else {
    groovyProgram = parameters.groovyProgram
}

// Add imports for script.
def importCustomizer = new ImportCustomizer()
importCustomizer.addImport("org.apache.ofbiz.entity.GenericValue")
importCustomizer.addImport("org.apache.ofbiz.entity.model.ModelEntity")
def configuration = new CompilerConfiguration()
configuration.addCompilationCustomizers(importCustomizer)

Binding binding = new Binding()
binding.setVariable("delegator", delegator)
binding.setVariable("recordValues", recordValues)

ClassLoader loader = Thread.currentThread().getContextClassLoader()
def shell = new GroovyShell(loader, binding, configuration)

if (UtilValidate.isNotEmpty(groovyProgram)) {
    try {
        // Check if a webshell is not uploaded but allow "import"
        if (!SecuredUpload.isValidText(groovyProgram, ["import"])) {
            logError("================== Not executed for security reason ==================")
            request.setAttribute("ERROR_MESSAGE", "Not executed for security reason")
            return
        }
The script reads the groovyProgram request parameter and runs it through SecuredUpload.isValidText, a deny-list check whose token list comes from getDeniedWebShellTokens() (with "import" explicitly allowed). Whatever survives the check is compiled and run by the GroovyShell.
The deny list contains no entry for execute(), so a Groovy String.execute() call such as "id".execute() is never rejected and runs as an OS command.
A second route around the check is Unicode encoding: Groovy, like Java, translates \uXXXX escapes in the source text before compiling, so a denied token can be written with escapes and still compile to the same call while the plain-text match never sees it.
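The following is an added example, not code from OFBiz or from this article. It models the deny-list pattern above in Python so the two bypasses can be run side by side: the token list DENIED_TOKENS is a constructed abbreviation of what getDeniedWebShellTokens() returns, the function names (is_valid_text, hardened_is_valid_text, decode_unicode_escapes) and the two payload strings are assumptions for the demo, and the lower-cased substring match is a simplification of the real SecuredUpload.isValidText. It shows that a list without execute() admits the plain call, that adding the token is not enough on its own because a \u escape hides it from a raw-text match, and that decoding escapes before the check (the way the Groovy compiler does) closes that gap.

```python
import re

# Constructed, abbreviated deny list standing in for the real
# SecuredUpload.getDeniedWebShellTokens() list; the real one is longer.
DENIED_TOKENS = ("runtime", "processbuilder", "getruntime", "exec(", "import")


def is_valid_text(content, tokens=DENIED_TOKENS, allowed=("import",)):
    """Substring deny-list check in the style of SecuredUpload.isValidText():
    True unless some token not in `allowed` occurs in the lower-cased content.
    Simplified model for this example, not the OFBiz implementation."""
    text = content.lower()
    return not any(tok in text for tok in tokens if tok not in allowed)


_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_unicode_escapes(source):
    """Groovy, like javac, rewrites \\uXXXX escapes anywhere in the source text
    before tokenising, so '\\u0065xecute' reaches the compiler as 'execute'.
    A check that runs on the raw text never sees the decoded token."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), source)


# Deny list extended with the GDK call the article relies on (assumed token).
TOKENS_WITH_EXECUTE = DENIED_TOKENS + (".execute(",)


def hardened_is_valid_text(content, tokens=TOKENS_WITH_EXECUTE, allowed=("import",)):
    """Same check, but run on the decoded source and with execute() denied."""
    return is_valid_text(decode_unicode_escapes(content), tokens, allowed)


# Constructed payloads: the plain String.execute() call, and the same call
# with one letter of 'execute' written as a Unicode escape.
PLAIN = 'println "id".execute().text'
ESCAPED = r'println "id".\u0065xecute().text'


def evaluate():
    """Run each payload through the variants of the check; True means the
    payload would be passed on to the GroovyShell."""
    return {
        "plain_original": is_valid_text(PLAIN),                              # True: execute() not denied
        "plain_with_execute_denied": is_valid_text(PLAIN, TOKENS_WITH_EXECUTE),      # False
        "escaped_with_execute_denied": is_valid_text(ESCAPED, TOKENS_WITH_EXECUTE),  # True: escape hides the token
        "escaped_hardened": hardened_is_valid_text(ESCAPED),                 # False
    }


if __name__ == "__main__":
    for name, passes in evaluate().items():
        print(f"{name}: passes check = {passes}")
```

The decoding step is the important part: any deny list applied to source text has to be applied to the text the compiler will actually see, and for Groovy that means after \u escapes are resolved. Even then, a substring deny list remains a weak control compared with not compiling user-supplied scripts at all.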
0x03 Directory Traversal Analysis
The official issue, https://issues.apache.org/jira/browse/OFBIZ-13006, identifies the vulnerable code in
/ControlFilter.java
(ControlFilter.java as it appears in 18.12.12 and in 18.12.10; the source listings are not reproduced here.)
The filter obtains the URL with httpRequest.getRequestURI(), which returns the request URI as sent, before the servlet container resolves dot segments or strips ";" path parameters when mapping the request. That gives two bypasses: a "../" segment, or a ";" that truncates the part of the path the filter compares, while the container still routes the request to the protected target.
Now the fix.
18.12.13: the check compares with equals and throws immediately when the values differ.
18.12.14: ".." and ";" are replaced with empty strings in the URL before the comparison is made.
The whole vulnerability is simple: the filter can be bypassed.
0x04 Reproduction
The existing 18.12.10 environment is reused here rather than downloading a fresh one.
Its ControlFilter.java is replaced with the 18.12.13 version of framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java.
With that file in place, ";" truncation still bypasses the check.
The request reaches ProgramExport and the payload executes.
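The filter bypass analysed in 0x03 and reproduced above, as an added example in Python that is not OFBiz code and not the article's own proof of concept. It models the defect (a decision taken on the raw request URI) next to a check taken on the path the container will actually dispatch to. The protected URI set, the sample request URIs and the function names (naive_is_protected, canonical_path, hardened_is_protected) are constructed for this demo; the "../" and ";" samples follow the two cases the article describes, and the example goes one step beyond the article by also covering a percent-encoded "../", which the same container decoding resolves.

```python
from urllib.parse import unquote

# Constructed: request URIs that must only be reachable after authentication.
PROTECTED = frozenset({"/webtools/control/ProgramExport"})


def naive_is_protected(raw_uri):
    """Vulnerable pattern: decide on the request URI exactly as received, as a
    filter that reads httpRequest.getRequestURI() without normalising it does.
    The dispatcher routes on a different, normalised path, so the two disagree."""
    return raw_uri in PROTECTED


def canonical_path(raw_uri):
    """Approximate what the servlet container does before mapping a request:
    drop the query string, percent-decode, strip ';' path parameters from every
    segment, collapse empty segments, and resolve '.' and '..'.
    Returns None if '..' would climb above the root."""
    path = unquote(raw_uri.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]        # "ProgramExport;x" -> "ProgramExport"
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_is_protected(raw_uri):
    """Decide on the canonical path the dispatcher will actually use, and treat a
    path that escapes the root as protected so the request is refused."""
    canon = canonical_path(raw_uri)
    return canon is None or canon in PROTECTED


# Constructed request URIs: the direct request, the "../" and ";" forms the
# article discusses, and a percent-encoded "../" that container decoding
# resolves the same way.
SAMPLES = {
    "direct":    "/webtools/control/ProgramExport",
    "dotdot":    "/webtools/control/forgotPassword/../ProgramExport",
    "semicolon": "/webtools/control/ProgramExport;x",
    "encoded":   "/webtools/control/forgotPassword/%2e%2e/ProgramExport",
}


def evaluate_samples():
    """(naive, hardened) verdict per sample: the naive filter lets every evasion
    through as 'not protected', the canonicalising filter catches them all."""
    return {name: (naive_is_protected(u), hardened_is_protected(u))
            for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate_samples().items():
        print(f"{name:10s} raw-URI check: {naive!s:5s}  canonical check: {hardened}")
```

The practical rule this illustrates: an authorization filter must evaluate the same path the dispatcher will use, so either canonicalise before comparing or reject any request whose raw URI differs from its canonical form. Deleting ".." and ";" substrings, as the 18.12.14 change described above does, forces a mismatch for those two tokens but does not on its own address other encodings of the same segments.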
0x05 Repair Suggestions
Upgrade to the latest release from the official site. As the reproduction shows, the 18.12.13 check alone still admits the ";" variant, so at least the 18.12.14 change that strips ".." and ";" is needed.