[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17425349#comment-17425349 ]
Jacques Le Roux commented on OFBIZ-12332:
-----------------------------------------

Hi Jie Zhu,

Thank you for the new payload. If I use it as is, this is what I get:

* In Burp browser:
{noformat}
HTTP Status 400 – Bad Request
Type Status Report
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Apache Tomcat/9.0.48
{noformat}
* Nothing in OFBiz log (caught before by Tomcat)

If I use [^LocallyAdaptedPayload.txt] with the right JSESSIONID copied from the initial HTTP request to avoid the login screen (after, of course, being logged in to webtools; else you get this error: "org.apache.xmlrpc.XmlRpcException: Failed to parse / read XML-RPC request: Premature end of file." because the payload is already read by the login request, so there is nothing left):

* In Burp browser:
{code:xml}
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value>
            <i4>0</i4>
          </value>
        </member>
        <member>
          <name>faultString</name>
          <value>Failed to read XML-RPC request. Please check logs for more information</value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>
{code}
BTW I get a 404 at [http://ws.apache.org/xmlrpc/namespaces/extensions], same for HTTPS.
* In OFBiz log:
{noformat}
2021-10-07 07:21:38,729 |sse-nio-8443-exec-57 |ControlServlet |T| [[[webtools::xmlrpc (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2021-10-07 07:21:38,767 |sse-nio-8443-exec-57 |ConfigXMLReader |I| controller loaded: 0.0s, 0 requests, 0 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/handlers-controller.xml
2021-10-07 07:21:38,768 |sse-nio-8443-exec-57 |ConfigXMLReader |I| controller loaded: 0.012s, 52 requests, 21 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/common-controller.xml
2021-10-07 07:21:38,779 |sse-nio-8443-exec-57 |ConfigXMLReader |I| controller loaded: 0.001s, 26 requests, 10 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/portal-controller.xml
2021-10-07 07:21:38,789 |sse-nio-8443-exec-57 |ConfigXMLReader |I| controller loaded: 0.0s, 30 requests, 13 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/security-controller.xml
2021-10-07 07:21:38,800 |sse-nio-8443-exec-57 |ConfigXMLReader |I| controller loaded: 0.0s, 5 requests, 0 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/tempexpr-controller.xml
2021-10-07 07:21:38,801 |sse-nio-8443-exec-57 |ConfigXMLReader |I| controller loaded: 0.058s, 123 requests, 79 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/webtools/webapp/webtools/WEB-INF/controller.xml
2021-10-07 07:21:38,862 |sse-nio-8443-exec-57 |XmlRpcEventHandler |E| null
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
    at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171) ~[commons-beanutils-1.9.4.jar:1.9.4]
    at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:722) ~[?:1.8.0_202]
    at java.util.PriorityQueue.siftDown(PriorityQueue.java:688) ~[?:1.8.0_202]
    at java.util.PriorityQueue.heapify(PriorityQueue.java:737) ~[?:1.8.0_202]
    at java.util.PriorityQueue.readObject(PriorityQueue.java:797) ~[?:1.8.0_202]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_202]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_202]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_202]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_202]
    at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170) ~[?:1.8.0_202]
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178) ~[?:1.8.0_202]
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069) ~[?:1.8.0_202]
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573) ~[?:1.8.0_202]
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431) ~[?:1.8.0_202]
    at org.apache.xmlrpc.parser.SerializableParser.getResult(SerializableParser.java:36) ~[xmlrpc-common-3.1.3.jar:3.1.3]
    at org.apache.xmlrpc.parser.RecursiveTypeParserImpl.endValueTag(RecursiveTypeParserImpl.java:78) ~[xmlrpc-common-3.1.3.jar:3.1.3]
    at org.apache.xmlrpc.parser.MapParser.endElement(MapParser.java:185) ~[xmlrpc-common-3.1.3.jar:3.1.3]
    at org.apache.xmlrpc.parser.RecursiveTypeParserImpl.endElement(RecursiveTypeParserImpl.java:103) ~[xmlrpc-common-3.1.3.jar:3.1.3]
    at org.apache.xmlrpc.parser.XmlRpcRequestParser.endElement(XmlRpcRequestParser.java:165) ~[xmlrpc-common-3.1.3.jar:3.1.3]
    at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source) ~[xercesImpl-2.12.1.jar:?]
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source) ~[xercesImpl-2.12.1.jar:2.12.1]
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) ~[xercesImpl-2.12.1.jar:2.12.1]
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) ~[xercesImpl-2.12.1.jar:2.12.1]
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.12.1.jar:?]
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.12.1.jar:?]
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[xercesImpl-2.12.1.jar:?]
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[xercesImpl-2.12.1.jar:?]
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) ~[xercesImpl-2.12.1.jar:?]
    at org.apache.ofbiz.webapp.event.XmlRpcEventHandler.getRequest(XmlRpcEventHandler.java:290) ~[main/:?]
    at org.apache.ofbiz.webapp.event.XmlRpcEventHandler.execute(XmlRpcEventHandler.java:232) [main/:?]
    at org.apache.ofbiz.webapp.event.XmlRpcEventHandler.invoke(XmlRpcEventHandler.java:147) [main/:?]
    at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:1026) [main/:?]
    at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:677) [main/:?]
    at org.apache.ofbiz.webapp.control.ControlServlet.handle(ControlServlet.java:231) [main/:?]
    at org.apache.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:81) [main/:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:681) [tomcat-servlet-api-9.0.48.jar:4.0.FR]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) [tomcat-servlet-api-9.0.48.jar:4.0.FR]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:228) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-embed-websocket-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.ofbiz.webapp.control.SameSiteFilter.doFilter(SameSiteFilter.java:45) [main/:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:185) [main/:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [main/:?]
    at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:57) [tomcat-servlet-api-9.0.48.jar:4.0.FR]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) [log4j-web-2.13.2.jar:2.13.2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat-catalina-9.0.48.jar:9.0.48]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) [tomcat-coyote-9.0.48.jar:9.0.48]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote-9.0.48.jar:9.0.48]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-coyote-9.0.48.jar:9.0.48]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1723) [tomcat-coyote-9.0.48.jar:9.0.48]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.48.jar:9.0.48]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_202]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_202]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.48.jar:9.0.48]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_202]
2021-10-07 07:21:38,863 |sse-nio-8443-exec-57 |RequestHandler |I| Ran Event [xmlrpc:#] from [request], result is [null]
2021-10-07 07:21:38,863 |sse-nio-8443-exec-57 |ControlServlet |T| [[[webtools::xmlrpc (Domain:https://localhost)] Request Done- total:0.134,since last([webtools::xmlrpc...):0.134]]
{noformat}

So for now I'm unable to reproduce. Could you please reproduce the issue at [https://demo-trunk.ofbiz.apache.org/webtools/control/xmlrpc/]?

TIA for your help

> post-auth Remote Code Execution Vulnerability
> ---------------------------------------------
>
>                 Key: OFBIZ-12332
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12332
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: Trunk
>            Reporter: Jie Zhu
>            Assignee: Jacques Le Roux
>            Priority: Minor
>         Attachments: LocallyAdaptedPayload.txt, image-2021-10-03-11-43-20-021.png, image-2021-10-03-11-43-31-228.png, payload.txt, payload_windows.txt
>
>
> I found that the latest version of the OFBiz framework was affected by an XMLRPC Remote Code Execution Vulnerability.
> This vulnerability is caused by an incomplete patch repair of CVE-2020-9496.
> !image-2021-10-03-11-43-20-021.png!
> Successful exploit:
> !image-2021-10-03-11-43-31-228.png!
> Please refer to the attachment for payload details. This HTTP request will execute the command `touch /tmp/success` on the attacked server.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
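The stack trace in the comment above shows the path that matters for triage: org.apache.xmlrpc.parser.SerializableParser.getResult hands the decoded bytes of an XML-RPC serializable value to java.io.ObjectInputStream.readObject, and java.util.PriorityQueue.readObject plus the commons-beanutils BeanComparator run from there, inside the XML parse of the request body and before any service is dispatched. The fault response declares the extension namespace involved, http://ws.apache.org/xmlrpc/namespaces/extensions. The Python script below is an added example, not code from this issue, from OFBiz or from Apache XML-RPC. It parses a captured XML-RPC request body, flags every element whose local name is serializable regardless of the prefix or namespace it carries, base64-decodes the content the way Apache XML-RPC's extension type is encoded, and reads only the head of the Java serialization stream to name the outermost class, so a responder can see what a request would deserialize without deserializing it. The request body, the method name exampleService and the member name exampleMember are constructed placeholders; the embedded payload is a bare stream header naming java.util.PriorityQueue, not a gadget chain.

```python
"""Triage helper for XML-RPC request bodies carrying Apache XML-RPC's
<serializable> extension type (added example; not OFBiz or Apache XML-RPC code).

Apache XML-RPC encodes a serialized Java object as base64 inside
<value><ex:serializable>...</ex:serializable></value>, with ex bound to
http://ws.apache.org/xmlrpc/namespaces/extensions. This script reports each
such value and the class named at the head of the Java serialization stream.
"""
import base64
import struct
import xml.etree.ElementTree as ET

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# Java serialization stream constants (java.io.ObjectStreamConstants)
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72


def split_tag(tag):
    """ElementTree spells namespaced tags '{uri}local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, _, local = tag[1:].partition("}")
        return uri, local
    return None, tag


def outer_class(blob):
    """Name the top-level class of a Java serialization stream without
    deserializing anything. Returns None unless the bytes start with the
    stream magic, TC_OBJECT and a TC_CLASSDESC carrying a class name."""
    if not blob.startswith(STREAM_MAGIC):
        return None
    pos = len(STREAM_MAGIC)
    if len(blob) < pos + 4 or blob[pos] != TC_OBJECT or blob[pos + 1] != TC_CLASSDESC:
        return None
    pos += 2
    # classDesc starts with the class name as modified UTF-8: 2-byte length + bytes
    (name_len,) = struct.unpack(">H", blob[pos:pos + 2])
    pos += 2
    name = blob[pos:pos + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def find_serializable_values(xml_bytes):
    """Return one (namespace_uri, decoded_length, outer_class) tuple per
    element whose local name is 'serializable', whatever prefix it uses.
    The check is on the parsed element name, not on a substring of the body,
    so a different prefix or no prefix at all is still caught. For untrusted
    captures in production, parse with defusedxml rather than the stdlib."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for el in root.iter():
        uri, local = split_tag(el.tag)
        if local != "serializable":
            continue
        text = "".join((el.text or "").split())  # base64 may be line-wrapped
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            blob = b""
        findings.append((uri, len(blob), outer_class(blob)))
    return findings


def fake_stream(class_name):
    """Constructed stand-in for a payload: a stream header naming a class,
    then padding. It is not a gadget chain and cannot execute anything."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + b"\x00" * 8)


# Constructed sample request (method and member names are placeholders).
# The serializable value sits inside a <struct>, matching the MapParser frame
# in the stack trace; its content names java.util.PriorityQueue, the class
# whose readObject appears at the top of that trace.
SAMPLE_B64 = base64.b64encode(fake_stream("java.util.PriorityQueue")).decode("ascii")
SAMPLE_REQUEST = (
    '<?xml version="1.0"?>\n'
    '<methodCall xmlns:ex="' + XMLRPC_EXT_NS + '">\n'
    '  <methodName>exampleService</methodName>\n'
    '  <params><param><value><struct><member>\n'
    '    <name>exampleMember</name>\n'
    '    <value><ex:serializable>' + SAMPLE_B64 + '</ex:serializable></value>\n'
    '  </member></struct></value></param></params>\n'
    '</methodCall>\n'
).encode("utf-8")


def report(xml_bytes):
    """One human-readable line per finding."""
    lines = []
    for uri, size, cls in find_serializable_values(xml_bytes):
        ns = uri or "(no namespace)"
        kind = cls if cls else "not a Java serialization stream header"
        lines.append(f"serializable value in {ns}: {size} bytes, outer class {kind}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REQUEST) or ["no <serializable> values found"]:
        print(line)
```

To use it on a real capture, read the raw POST body saved from Burp and pass the bytes to report(). The outer class alone is often enough to tell a benign serialized parameter from a known gadget entry point, and the same element-name check is the form a server-side guard should take, since the stack trace shows the decode happens during parsing, before any method name is looked at.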