New PoC exploit for Apache OfBiz vulnerability puts ERP systems at risk

Apache OfBiz Vulnerability

Cybersecurity researchers have developed proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OFBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.

The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another serious flaw in the same software (CVE-2023-49070, CVSS score: 9.8) that can be used to bypass authentication and remotely execute arbitrary code.

Although the flaw was fixed in Apache OFBiz version 18.12.11, released last month, threat actors have been observed attempting to exploit it against vulnerable instances.

VulnCheck’s latest findings show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no trace of malicious activity.

Security flaws disclosed in Apache OFBiz (e.g. CVE-2020-9496) have been exploited in the past, including by threat actors associated with the Sysrv botnet. Another three-year-old bug in the software (CVE-2021-29200) has seen exploitation attempts from 29 unique IP addresses in the last 30 days, per GreyNoise data.

Moreover, Apache OFBiz was also one of the first products with a public exploit for Log4Shell (CVE-2021-44228), illustrating that it remains of interest to both defenders and attackers.


CVE-2023-51467 is no exception: the disclosure detailed a remote code execution endpoint (“/webtools/control/ProgramExport”), and PoCs for command execution emerged just days after the public disclosure.

While guardrails (i.e., a coarse sandbox) are in place to block attempts to upload arbitrary web shells or execute Java code via the endpoint, the incomplete nature of the sandbox means an attacker could execute curl commands and obtain a bash reverse shell on Linux systems.

“For a sophisticated attacker, however, these payloads are not ideal,” said Jacob Baines, VulnCheck’s Chief Technology Officer. “They touch the disk and rely on Linux-specific behavior.”

The Go-based exploit devised by VulnCheck is a cross-platform solution that works on both Windows and Linux and bypasses the deny list by taking advantage of groovy.util.Eval functions to launch a Nashorn reverse shell in memory as a payload.
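As an added defensive illustration (not part of the article or of VulnCheck's research), the script below flags requests to the ProgramExport endpoint named above in web-server access log lines and checks whether a deployed OFBiz version predates the 18.12.11 fix; the combined log format and the sample lines are assumptions.

```python
import re
from typing import List, Dict

# Endpoint named in the disclosure and the patched release cited in the article.
PROGRAM_EXPORT_PATH = "/webtools/control/ProgramExport"
PATCHED_VERSION = (18, 12, 11)

# Assumed combined-log-format line, e.g. from a reverse proxy in front of OFBiz.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_version(v: str) -> tuple:
    """Turn '18.12.10' into (18, 12, 10) so releases compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable_version(v: str) -> bool:
    """True when the deployed OFBiz release predates the 18.12.11 fix."""
    return parse_version(v) < PATCHED_VERSION

def find_program_export_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request whose path (query string stripped) is the ProgramExport endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if path.lower() == PROGRAM_EXPORT_PATH.lower():
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits

# Constructed sample log lines (not from the article); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:12:00:07 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jan/2024:12:01:15 +0000] "GET /catalog/control/main HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in find_program_export_hits(SAMPLE_LOG):
        print("ProgramExport request:", hit)
    print("18.12.10 vulnerable:", is_vulnerable_version("18.12.10"))
```

Any hit from an unexpected source is worth correlating with the OFBiz server's own logs, since a single request to this endpoint is enough to deliver a payload.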

“OFBiz isn’t very popular, but it has been exploited in the past. There’s a lot of hype around CVE-2023-51467, but there’s no public weaponization, which begs the question of whether it was even possible,” Baines said. “We concluded that not only is it possible, but we can achieve arbitrary execution of the memory code.”

