CVE-2020-9496: RCE in Apache OFBiz XMLRPC via Deserialization of Untrusted Data

September 16, 2020 | Trend Micro Research Team

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, John Simpson and Dusan Stevanovic of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache OFBiz suite. The bug was originally discovered and reported by Alvaro Munoz from the GitHub Security Lab team. The following is a portion of their write-up covering CVE-2020-9496, with a few minimal modifications.


An insecure deserialization vulnerability has been reported in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.

The Vulnerability

Apache OFBiz is an open-source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. It includes a framework providing a common data model and a set of business processes. All applications are built atop this framework using common data, logic, and process components. Beyond the framework itself, Apache OFBiz offers functionality including accounting (agreements, invoicing, vendor management, general ledger), asset maintenance, catalog and product management, a facility and warehouse management system (WMS), manufacturing execution/manufacturing operations management (MES/MOM), order processing, inventory management, automated stock replenishment, content management system (CMS), human resources (HR), people and group management, project management, sales force automation, work effort management, electronic point of sale (ePOS), electronic commerce (eCommerce) and scrum (development).

Apache OFBiz uses a set of open source technologies and standards such as Java, Java EE, XML, and SOAP.

Hypertext Transfer Protocol is a request/response protocol described in RFC 7230-7237 and others. A request is sent by a client machine to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents the space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI or the message body, depending on the specified Method and Content-Type header. For example, a simple HTTP request passing a parameter named "param" with value "1" using the POST method might look like:

Java Serialization 

Java allows serialization of objects, enabling them to be represented as a compact and portable byte stream. This byte stream can then be transferred over the network and deserialized for use by the receiving servlet or applet. The following example illustrates how a class is serialized and later extracted:

All Java objects that are serializable implement the Serializable or Externalizable interface. These interfaces define the writeObject()/writeExternal() and readObject()/readExternal() methods, which are called when serializing and deserializing objects respectively. These methods can be overridden to implement custom behavior during the serialization and deserialization of Java objects.

XML-RPC 

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. It is a specification and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet. In XML-RPC, a client performs an RPC by sending an HTTP request to a server that implements XML-RPC and receives the HTTP response. 

Each XML-RPC request starts with XML element "<methodCall></methodCall>". This element contains a single subelement "<methodName>something</methodName>". The element "<methodName>" contains subelement "<params>" which can contain one or more "<param>" elements. The param XML element can contain a number of datatypes. 

Common datatypes are converted into their XML equivalents with example values shown below. An example of array encoding is as follows:

An example of encoding various primitives is as follows: 

An example of string encoding is as follows: 

An example of struct encoding is as follows: 

Serialized data is encoded by surrounding the base64-encoded serialized object representation with "" and "" XML elements. In Apache OFBiz, this data is deserialized in the Java class org.apache.xmlrpc.parser.SerializableParser.
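As an added example (not part of the Trend Micro write-up or of OFBiz itself), the following Python check could sit in front of the endpoint: it parses an XML-RPC body, reports each serializable element that SerializableParser would hand to Java deserialization, and checks whether the base64 content begins with the Java object-stream header. It assumes the element whose name was lost from the text above is `<ex:serializable>` in the Apache XML-RPC extensions namespace, and that no legitimate client of this deployment needs that element; the sample requests are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Apache XML-RPC vendor-extension namespace. Assumption: the element whose name
# was lost from the text above is <ex:serializable> in this namespace.
EX_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % EX_NS
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io STREAM_MAGIC + STREAM_VERSION
XMLRPC_PATH = "/webtools/control/xmlrpc"


def inspect_xmlrpc_body(body: str) -> list:
    """Report every <ex:serializable> payload in a <methodCall> body and whether
    its base64 content begins like a Java object stream."""
    root = ET.fromstring(body)  # prefer defusedxml in production (entity attacks)
    findings = []
    if root.tag != "methodCall":
        return findings
    for elem in root.iter(SERIALIZABLE_TAG):
        raw = "".join(elem.itertext()).strip()
        try:
            blob = base64.b64decode(raw, validate=True)
        except binascii.Error:
            findings.append({"decodable": False, "java_stream": False, "size": 0})
            continue
        findings.append({"decodable": True, "size": len(blob),
                         "java_stream": blob.startswith(JAVA_STREAM_MAGIC)})
    return findings


def should_block(path: str, body: str) -> bool:
    """Reject any call to the XML-RPC endpoint carrying a serializable element;
    XML that does not parse at all is rejected for that endpoint as well."""
    if path != XMLRPC_PATH:
        return False
    try:
        return len(inspect_xmlrpc_body(body)) > 0
    except ET.ParseError:
        return True


# Constructed samples: a benign call, and one wrapping a dummy object stream
# (just the stream header plus a fake class name, not a working gadget chain).
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>ping</methodName><params>
<param><value><string>hello</string></value></param></params></methodCall>"""
DUMMY_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0aNotAGadget"
SUSPICIOUS_REQUEST = """<?xml version="1.0"?>
<methodCall xmlns:ex="%s"><methodName>demo</methodName><params>
<param><value><ex:serializable>%s</ex:serializable></value></param></params></methodCall>""" % (
    EX_NS, base64.b64encode(DUMMY_STREAM).decode())
```

Requests to other paths are left alone so the check can be wired into an existing reverse proxy or WAF rule without touching the rest of the application.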

An insecure deserialization vulnerability exists in Apache OFBiz. This vulnerability is due to OFBiz being configured to use XML-RPC to intercept and convert XML data in the HTTP body when it is sent to the "/webtools/control/xmlrpc" URL. Requests sent to this endpoint are initially handled by the Java class org.apache.ofbiz.webapp.control.RequestHandler, which determines the mapping for the URL. Next, the execute() method is called in the org.apache.ofbiz.webapp.event.XmlRpcEventHandler class. XML parsing starts when the getRequest() method of the org.apache.ofbiz.webapp.event.XmlRpcEventHandler class calls the parse() method of the XMLReader class.

The elements in the XML-RPC request are parsed in the following classes:

org.apache.xmlrpc.parser.XmlRpcRequestParser
org.apache.xmlrpc.parser.RecursiveTypeParserImpl
org.apache.xmlrpc.parser.MapParser

The insecure deserialization of the contents of the XML elements happens in the getResult() method of the org.apache.xmlrpc.parser.SerializableParser class.

A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious HTTP request containing a crafted XML payload in the body of the HTTP request. Since OFBiz uses vulnerable versions of the Apache Commons BeanUtils Library and the Apache ROME Library, an attacker can craft malicious payloads in an XML format using the ysoserial gadget tool. Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the user running the application.

Source Code Walkthrough

The following code snippets were taken from Apache OFBiz version 17.12.03. Some of the comments have been added by Trend Micro.

In org.apache.ofbiz.webapp.control.RequestHandler:

In org.apache.ofbiz.webapp.event.XmlRpcEventHandler:

In org.apache.xmlrpc.parser.XmlRpcRequestParser:

In org.apache.xmlrpc.parser.SerializableParser:

To trigger the vulnerability, an attacker would send an HTTP request containing a crafted serialized object in XML format to the affected target. The vulnerability is triggered when the server deserializes the XML data.

Conclusion

Apache fixed this bug earlier this year. According to their write-up, the root cause of the vulnerability was the fact of "2 xmlrpc related requets [sic] in webtools (xmlrpc and ping) not using authentication they are vulnerable to unsafe deserialization." Users of Apache OFBiz should definitely apply the patch if they haven’t already.

Special thanks to John Simpson and Dusan Stevanovic of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.