Path Traversal in Openfire Admin Console

Understanding CVE-2023-32315: Path Traversal in Openfire Admin Console

Introduction

In today's fast-paced digital landscape, effective communication is key to the success of any organization. Whether it's team collaboration, customer support, or community engagement, having a reliable real-time communication platform can significantly enhance productivity and streamline workflows. One such platform that has gained popularity for its versatility and robustness is Openfire.

What is Openfire?

Openfire, formerly known as Wildfire and Jive Messenger, is an open-source real-time collaboration (RTC) server. It is built on the XMPP (Extensible Messaging and Presence Protocol) protocol, which is a widely adopted open standard for instant messaging and presence information. Openfire provides a scalable, secure, and extensible platform for instant messaging (IM), group chat, voice and video conferencing, and more.

Key Features:

  • Scalability: Openfire is designed to scale effortlessly, making it suitable for both small businesses and large enterprises. It can handle thousands of concurrent connections and supports clustering for high availability and fault tolerance.
  • Extensibility: One of the standout features of Openfire is its extensibility. It comes with a plugin architecture that allows developers to extend its functionality according to their specific requirements. Whether it's integrating with third-party services, adding custom features, or modifying existing behavior, Openfire's plugin system makes it possible.
  • Cross-platform Compatibility: Openfire is compatible with a wide range of platforms, including Windows, Linux, macOS, and Unix-like systems. This flexibility ensures that organizations can deploy Openfire in their existing infrastructure without significant changes.
  • Web-based Administration: Managing Openfire is made easy through its web-based administration console. Administrators can configure user accounts, chat rooms, security settings, and more using a simple and intuitive interface.
  • Rich Chat Features: Openfire supports a variety of chat features, including one-on-one messaging, group chat rooms, file sharing, and presence notifications. It also offers support for voice and video calls, making it a comprehensive solution for all communication needs.

CVE-2023-32315: Path Traversal leading to Remote Code Execution

This CVE affects openfire's administration console, a web-based application, which was found to be vulnerable to a path traversal attack via the setup environment. This allowed restricted pages in the Openfire Admin Console reserved for administrative users to be accessed by an unauthorized user using the unauthorized Openfire Setup Environment in an already established Openfire environment. Starting with version 3.10.0, this vulnerability affects every version of Openfire released after April 2015 in general. Openfire releases 4.7.5 and 4.6.8 provide fixes for the issue. CVSS score for 8.6 (Github) and affected versions can be summarized as : >= 3.10.0, < 4.6.8 and >= 4.7.0, < 4.7.5.

Openfire exposes the installed version on the login page and hence identifying this vulnerability is pretty straight forward , just check if the version falls in the range of affected version and then move to use any publically available exploit.

Exploitation and Technical aspects of the vulnerability:

You can setup your lab locally using the following commands:

$ docker pull nasqueron/openfire:4.7.1

$ sudo docker run --name openfire -d --restart=always --publish 9090:9090 --publish 5222:5222 --publish 7777:7777 nasqueron/openfire:4.7.1

Below are some steps to understand the vulnerability and manually exploit it:

  • Getting valid tokens:
    Make a request to following endpoint and from response headers get the value for JSESSIONID and csrf cookies:
  • Admin user creation and login:
    Create a new admin user using the following endpoint:

Now Login using the above created user on the vulnerable instance of the application.

  • Upload malicious plugin:
    Since we can now log in as an admin user, we can directly manipulate any server setting and directly upload plugins as well, here is an example of a plugin with webshell.Go to Plugins and upload the shell downloaded from the above link.

After successful upload of the the webshell i can be access as:Server > Server Settings > Management Tool

Password for the shell is 123 and can be used to execute system commands, surf the file system, etc.

We were able to directly access the endpoints for user creationThere are publicly available exploits which follow the same steps, that is,  create and return a set of credentials for an admin account from which the attacker can login and upload a shell. But there is a more stealthy way to do the same attack if you can create a custom plugin , you can upload it directly without creating a user. The custom plugin has to be made in such a way that you can access it without logging in. And it is more stealthy because the user creation activity is logged and can be detected easily.

Real World Implications:

A serious authentication bypass vulnerability in Openfire, a popular XMPP server, is represented by CVE-2023-32315. Because of this vulnerability, bad actors can access the Openfire administration interface without the need for a working login and password. Once inside, attackers have the power to take over the server and carry out a variety of nefarious deeds, such as:

  • Modifying the setup parameters on the server.
  • Installing viruses or other harmful applications.
  • Pilfering private information.
  • Interfering with the server's regular functions.

Mitigation

In order to protect your Openfire server from the threats posed by CVE-2023-32315, you should take the following extensive precautions:

  • Update Openfire to the Most Recent Version: Make sure you update Openfire as soon as possible to the most recent version, which contains important security updates. It is advised to use versions 4.7.5 or 4.6.8, since they expressly fix this issue.
  • Put Firewall Restrictions Into Practice: Use a firewall to limit who may access your Openfire server. Set it up such that it will only accept connections from networks or IP addresses you can trust. This additional security measure lessens the possibility of unwanted access.
  • Utilize Reputable AV and IPS Solutions: You may strengthen your security posture by using antivirus and intrusion prevention systems that are reliable. Check your server environment often for indications of compromise. 
  • Monitor and Analyze Server Logs: To identify odd or suspicious activity occurring on your Openfire server, put in place a reliable system for log monitoring and analysis. Rapid reactions to possible hazards can be made possible via early detection.


Through the implementation of these procedures and persistent security efforts, you may considerably lower your vulnerability to CVE-2023-32315 and other possible attacks.

References