  • T3-25–01–S–N–CD
  • Apache OFBiz RCE (CVE-2024-38856)

    Apache OFBiz RCE (CVE-2024-38856) is an incorrect-authorization vulnerability in Apache OFBiz 18.12.14 and earlier that allows unauthenticated attackers to trigger server-side screen rendering (e.g., ProgramExport) by submitting crafted requests (for example, a groovyProgram payload), resulting in remote code execution (RCE). This can enable attackers to install persistent backdoors, steal credentials, manipulate application or network configurations, and move laterally within the environment. Mitigation includes upgrading Apache OFBiz to 18.12.15 or later, or blocking access to the affected /webtools/control endpoints.
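    A defender-side triage check, added here as an example and not part of the dataset's run.py: it walks HTTP request records and flags the /webtools/control endpoints, the ProgramExport screen and the groovyProgram parameter that the description above names. It assumes the requests have already been extracted from the pcap into a constructed one-per-line form "<src_ip> <method> <path> [<body>]"; the dataset itself only ships the raw pcap.

```python
from urllib.parse import urlsplit, parse_qs

# Names taken from the description above: the endpoint prefix the mitigation
# says to block, the screen used as the RCE sink, and the payload parameter.
CONTROL_PREFIX = "/webtools/control/"
RENDER_SCREEN = "ProgramExport"
PAYLOAD_PARAM = "groovyProgram"


def classify_request(record):
    """Return (severity, reason) for one request record, or None if benign.

    record format (assumed): "<src_ip> <method> <path> [<body>]"
    """
    parts = record.split(" ", 3)
    if len(parts) < 3:
        return None
    src, target = parts[0], parts[2]
    body = parts[3] if len(parts) == 4 else ""
    url = urlsplit(target)
    if not url.path.startswith(CONTROL_PREFIX):
        return None                      # not an admin/control endpoint
    params = parse_qs(url.query)         # payload may travel in query or body
    params.update(parse_qs(body))
    if PAYLOAD_PARAM in params:
        return ("critical", f"{PAYLOAD_PARAM} sent to {url.path} from {src}")
    if url.path.rsplit("/", 1)[-1] == RENDER_SCREEN:
        return ("high", f"{RENDER_SCREEN} screen requested from {src}")
    return ("medium", f"access to {url.path} from {src}")


def triage(records):
    """Return (severity, reason, record) for every flagged record, worst first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    hits = [(r[0], r[1], rec) for rec in records if (r := classify_request(rec))]
    hits.sort(key=lambda h: rank[h[0]])
    return hits


# Constructed sample records (not taken from the dataset's capture); the
# payload value is a placeholder, not a real groovyProgram body.
SAMPLE_RECORDS = [
    "172.17.0.1 GET /webtools/control/main",
    "172.17.0.1 POST /webtools/control/ProgramExport groovyProgram=PLACEHOLDER",
    "172.17.0.1 GET /ecommerce/control/main",
    "172.17.0.1 GET /webtools/control/ProgramExport",
]

if __name__ == "__main__":
    for severity, reason, rec in triage(SAMPLE_RECORDS):
        print(f"[{severity}] {reason}  <- {rec}")
```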
  •                  OS              IP          Software                Log collection time   Program runtime
    Attacker         Ubuntu 22.04.1  172.17.0.1  -                       30 sec                60 sec
    Victim (docker)  Ubuntu 22.04.1  172.17.0.2  Apache OFBiz v18.12.14

  • Installation
  • python3 -m venv venv
    source ./venv/bin/activate
    pip install -r requirements.txt

  • Usage
  • sudo docker load -i T3-25-01-S-N-CD.tar
    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2025_01_T3_{time}.pcap # YYmmdd_HHMMSS


  • References
  • [1] NIST [CVE-2024-38856]
    [2] SecureLayer7 [CVE-2024-38856 – Apache Ofbiz RCE]
    [3] Github – securelayer7 [CVE-2024-38856_Scanner]
    [4] Zscaler Blog [CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz]

  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.