Vulnerability Overview
This vulnerability exists because the authentication bypass from the previously disclosed OFBiz issue was not fully fixed. By reaching the Groovy execution path from an external entry point and getting past the blacklist, an attacker can achieve RCE.
Analysis
The vulnerable spot is straightforward:

![](vulnerability/1703677648017-9c965b63-048d-4fcd-84b9-3483ba12e5f6.png)
The key question is: how do we find an entry point that lets us pass in the expression parameter? It turns out there is an admin feature that accepts an expression:
![](vulnerability/1703860971243-0a974dea-3881-4e2c-92ad-4456215d3727.png)
From controller.xml we can tell this endpoint is implemented as a view, so we inspect the view configuration:
![](vulnerability/1703861056964-b99df67d-ba47-4dd6-ad11-118e8558f8ef.png)
After locating the corresponding file, we can see where the parameter value is received. From there it is handed on and eventually executed as Groovy through a shell call (the intermediate code is omitted here):

![](vulnerability/1703861146878-be5b83b6-6c3b-4c36-b5a7-e4b67b6ee6b5.png)
The final result looks like this:

![](vulnerability/1703782220217-31942f51-a016-4532-908e-0263a7d1d344.png)
Interestingly, I didn’t find the issue from the config file at first. There is a feature in the web UI called 可编程导出 (“Programmable Export”) that maps to this URL and uses the same parameter. By abusing the still-unfixed auth checks, you can bypass login and execute commands directly.
Payload example:
groovyProgram=println+%22calc%22.execute%28%29.text
There's no special trick here: the payload simply calls execute().
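From the defender's side, the useful signal is the `groovyProgram` parameter carrying Groovy process-execution calls such as `.execute()`. The following is an added example (not code from the write-up or from OFBiz) that scans access-log lines for that pattern and also unwraps double URL encoding; the endpoint path in the constructed sample lines is a placeholder, and the exec-marker list is an assumption.

```python
"""Flag Groovy-execution attempts in the groovyProgram parameter (added detection example)."""
import re
from urllib.parse import unquote_plus, parse_qs

GROOVY_PARAMS = {"groovyprogram"}  # parameter named in the write-up; compared lowercase
# Assumed markers of process execution / dynamic evaluation in Groovy source
EXEC_MARKERS = (".execute(", "runtime.getruntime", "processbuilder", "evaluate(")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so double-encoded values are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def groovy_exec_params(query: str) -> dict:
    """Return {param: decoded value} for Groovy parameters whose value contains an exec marker."""
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in GROOVY_PARAMS:
            continue
        for v in values:  # parse_qs already removed one encoding layer
            decoded = fully_decode(v)
            if any(marker in decoded.lower() for marker in EXEC_MARKERS):
                hits[name] = decoded
    return hits

def scan_access_log(lines):
    """Yield (method, path, hits) for each request line carrying a suspicious Groovy parameter."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        hits = groovy_exec_params(query)
        if hits:
            yield m.group("method"), path, hits

SAMPLE_LOG = [  # constructed sample lines; the endpoint path is a placeholder
    '10.0.0.5 - - [27/Dec/2023:10:00:01 +0000] "GET /control/EXPORT_ENDPOINT_PLACEHOLDER?groovyProgram=println+%22calc%22.execute%28%29.text HTTP/1.1" 200 512',
    '10.0.0.6 - - [27/Dec/2023:10:00:02 +0000] "GET /control/main HTTP/1.1" 200 2048',
    '10.0.0.7 - - [27/Dec/2023:10:00:03 +0000] "GET /control/EXPORT_ENDPOINT_PLACEHOLDER?groovyProgram=%2522id%2522.execute%2528%2529 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for method, path, hits in scan_access_log(SAMPLE_LOG):
        print(method, path, hits)
```

Access logs normally omit POST bodies, so feed `groovy_exec_params()` the form body captured by a WAF or reverse proxy to cover the POST variant shown in the payload above.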