    New PoC of Apache OFBiz vulnerability poses risk to ERP systems

    By techempire

    Report | January 11, 2024 | Editorial Department | Vulnerabilities/cyberattacks


    Cybersecurity researchers have developed proof-of-concept (PoC) code that exploits a recently revealed critical flaw in the Apache OFBiz open source enterprise resource planning (ERP) system to execute a memory-resident payload.

    The vulnerability, CVE-2023-51467 (CVSS score: 9.8), is a bypass for another critical flaw in the same software (CVE-2023-49070, CVSS score: 9.8) and can be weaponized to bypass authentication and remotely execute arbitrary code.

    While the issue was fixed in Apache OFBiz version 18.12.11 released last month, threat actors have been observed trying to exploit the flaw to target vulnerable instances.

    New findings from VulnCheck reveal that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving virtually no trace of malicious activity.


    Security flaws disclosed in Apache OFBiz, such as CVE-2020-9496, have been exploited by threat actors in the past, including those associated with the Sysrv botnet. Another three-year-old vulnerability in the software (CVE-2021-29200) has seen exploitation attempts from 29 unique IP addresses in the past 30 days, according to GreyNoise.

    In addition, Apache OFBiz was also one of the first products to have a public exploit for Log4Shell (CVE-2021-44228), indicating that it is still of interest to defenders and attackers alike.


    CVE-2023-51467 is no exception, and details about the remote code execution endpoint (“/webtools/control/ProgramExport”) and the PoC used for command execution emerged just days after it was publicly disclosed.

    While security guardrails (i.e., the Groovy sandbox) have been put in place to block any attempts to upload arbitrary web shells or run Java code through the endpoint, the incomplete nature of the sandbox means that an attacker can execute a curl command and obtain a bash reverse shell on Linux systems.


    “However, these payloads are not ideal for advanced attackers,” said Jacob Baines, CTO of VulnCheck. “They touch the disk and rely on Linux-specific behavior.”

    The Go-based exploit designed by VulnCheck is a cross-platform solution that runs on Windows and Linux and bypasses the deny list by leveraging the groovy.util.Eval function to launch an in-memory Nashorn reverse shell as the payload.

    “OFBiz is not widely popular, but it has been exploited in the past. There is a lot of hype around CVE-2023-51467, but there are no publicly available weaponized payloads, which casts doubt on whether it is possible,” Baines said. “We concluded that not only is this possible, but we can achieve arbitrary in-memory code execution.”
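
The article names /webtools/control/ProgramExport as the endpoint used for code execution, so requests to it in web access logs are worth reviewing on any instance older than 18.12.11. The following is an added example, not code from VulnCheck or the OFBiz project: it assumes access logs in Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article, lower-cased for comparison.
ENDPOINT = "/webtools/control/programexport"

# Combined Log Format (assumed): client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Reduce a raw request target to a canonical lower-case path."""
    path = unquote(target.split("?", 1)[0])            # drop query, decode %xx
    segments = [s.split(";", 1)[0] for s in path.split("/")]  # drop ;jsessionid=...
    path = "/" + "/".join(s for s in segments if s)    # collapse repeated slashes
    return posixpath.normpath(path).lower()            # resolve "." and ".."

def find_programexport_hits(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for endpoint requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = normalize_path(m["target"])
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Jan/2024:09:14:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120',
    '203.0.113.24 - - [11/Jan/2024:09:15:40 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 8843',
    '203.0.113.24 - - [11/Jan/2024:09:15:44 +0000] "POST /webtools/control/ProgramExport;jsessionid=ABC?x=1 HTTP/1.1" 200 8843',
    '192.0.2.55 - - [11/Jan/2024:10:02:11 +0000] "GET /webtools//control/./ProgramExport HTTP/1.1" 401 312',
    '198.51.100.7 - - [11/Jan/2024:10:05:00 +0000] "GET /ecommerce/control/ProgramExportHelp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, events in find_programexport_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} request(s) -> {events}")
```

A hit is a lead for triage rather than proof of compromise; weigh it against the response status and whether the instance was already on 18.12.11 at that time.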
