Multiple Vulnerabilities in Openfire Admin Console

Openfire is a group chat server for the Extensible Messaging and Presence Protocol (XMPP). It is written in Java and licensed under the Apache License 2.0. Two vulnerabilities, CVE-2019-18394 and CVE-2019-18393, were reported in Openfire Admin Console by a Penetration Testing Expert, Alexandr Shvetsov.

Vulnerability Details
    1. CVE-2019-18394 – Full Read SSRF Vulnerability
      A Server-Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Openfire Admin Console allows attackers to send arbitrary HTTP GET requests and obtain full-sized outputs from the targeted web services.Vulnerable code in FaviconServlet.java file

      Image Source – https://swarm.ptsecurity.com/openfire-admin-console/

      doGet and getImage methods get the host variable using the get parameters and construct a URL from it without any constraints. Thus, attackers can place any sequence of characters inside of it, and make the server connect to any URL they want.

      Malicious Request

      GET /getFavicon?host=SERVER_IP:PORT/secrets.txt? HTTP/1.1

      We successfully reproduced the vulnerability in our Qualys Lab, here’s the details of exploitation.

      There are multiple available targets for Openfire Admin Control

      Image Source – Shodan.io

      We have found one target for Openfire Admin Console with vulnerable version  4.1.5

      Image Source – Qualys Lab

      We have exploit this vulnerable using ngrok server. We sent malicious request to vulnerable target and able to get the file content with status code 200.

      Image Source – Qualys lab

      On ngrok server , we can see that,request is sent to vulnerable target

      Image Source – Qualys Lab

      Vulnerable Versions
      Ignite Realtime Openfire through 4.4.2

    2. CVE-2019-18393 – Arbitrary File Read Vulnerability
      An Arbitrary File Read vulnerability in PluginServlet.java in Openfire allows attackers to retrieve files located under the Openfire home directory. This vulnerability affects/impacts only Windows installations of the Openfire Admin Console. To exploit this vulnerability, attackers need to have an administrative account on server.

      Image Source – https://swarm.ptsecurity.com/openfire-admin-console/

      The handleOtherRequest method is responsible for handling the /plugin/search/path. This method splits the pathInfo variable with the “/” character. Attackers can perform a path-traversal attack as there is no allowlist of characters or any checking for the “\” character.

      Malicious Request

      This vulnerability exists in the URL itself; HTTP parameters are not required. To exploit the vulnerability, log in to the server and send the malicious request with the administrator’s JSESSIONID cookie:

      GET /plugins/search/..\..\..\conf\openfire.xml HTTP/1.1 
      Host: SERVER_IP:PORT 
      Cookie: JSESSIONID=xxxxxxx.xxx;

      Here’s an example of CVE-2019-18393 exploitation in Burp Suite:

      Image Source – https://swarm.ptsecurity.com/openfire-admin-console/

      Vulnerable Versions
      Ignite Realtime Openfire through 4.4.2 (Windows Installations)

Remediation

Customers are recommended to patch their vulnerable assets with the recently released Ignite Realtime Openfire 4.4.3.

Detection

Qualys customers can scan their network with QID 13958 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References

https://swarm.ptsecurity.com/openfire-admin-console/
https://github.com/igniterealtime/Openfire/pull/1498
https://github.com/igniterealtime/Openfire/pull/1497

Leave a Reply

Your email address will not be published. Required fields are marked *