Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a just lately disclosed essential flaw within the Apache OfBiz open-source Enterprise Useful resource Planning (ERP) system to execute a memory-resident payload.
The vulnerability in query is CVE-2023-51467 (CVSS rating: 9.8), a bypass for one more extreme shortcoming in the identical software program (CVE-2023-49070, CVSS rating: 9.8) that may very well be weaponized to bypass authentication and remotely execute arbitrary code.
Whereas it was mounted in Apache OFbiz model 18.12.11 launched final month, menace actors have been noticed trying to use the flaw, concentrating on susceptible cases.
The newest findings from VulnCheck present that CVE-2023-51467 may be exploited to execute a payload straight from reminiscence, leaving little to no traces of malicious exercise.
Safety flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by menace actors up to now, together with by menace actors related to the Sysrv botnet. One other three-year-old bug within the software program (CVE-2021-29200) has witnessed exploitation makes an attempt from 29 distinctive IP addresses over the previous 30 days, per information from GreyNoise.
What’s extra, Apache OFBiz was additionally one of many first merchandise to have a public exploit for Log4Shell (CVE-2021-44228), illustrating that it continues to be of curiosity to each defenders and attackers alike.
CVE-2023-51467 isn’t any exception, with particulars a couple of distant code execution endpoint (“/webtools/management/ProgramExport”) in addition to PoC for command execution rising merely days after public disclosure.
Whereas safety guardrails (i.e., Groovy sandbox) have been erected such that they block any makes an attempt to add arbitrary internet shells or run Java code through the endpoint, the unfinished nature of the sandbox signifies that an attacker may run curl instructions and acquire a bash reverse shell on Linux methods.
“For a complicated attacker, although, these payloads aren’t splendid,” VulnCheck’s Chief Expertise Officer Jacob Baines stated. “They contact the disk and depend on Linux-specific habits.”
The Go-based exploit devised by VulnCheck is a cross-platform answer that works on each Home windows and Linux in addition to will get across the denylist by profiting from groovy.util.Eval features to launch an in-memory Nashorn reverse shell because the payload.
“OFBiz shouldn’t be broadly fashionable, but it surely has been exploited up to now. There’s a honest deal of hype round CVE-2023-51467 however no public weaponized payload, which referred to as into query if it was even attainable,” Baines stated. “We have concluded that not solely is it attainable, however we are able to obtain arbitrary in reminiscence code execution.”