Very High
CVE-2023-32315
CVE-2023-32315
Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Add Assessment
Technical Analysis
Openfire (previously known as Wildfire, and Jive Messenger) is an instant messaging (IM) and groupchat server for the Extensible Messaging and Presence Protocol (XMPP). It is written in Java and licensed under the Apache License 2.0.
On May 26, 2023, Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment using the path http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/. Endpoints such as log.jsp, user-groups.jsp and user-create.jsp can be used to gain unauthorized admin access.
It allows an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.
The vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0 and is patched in Openfire release 4.7.5, 4.6.8 and 4.8.0 and later.
Reading the security advisory, it reminded me of a previous Openfire vulnerability CVE-2008-6508 discovered in 2008 that faced a similar issue. There is even an existing Metasploit module available a.k.a. exploit\multi\http\openfire_auth_bypass that exploits this vulnerability (see Metasploit PR 522).
With that in mind, it should be not too difficult to build a new variant that exploits the latest vulnerability CVE-2023-32315.
The attack sequence is quite simple:
- Grab the cookies using the path traversal vulnerability via
http://<IP>:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp
- Use the cookies to add an admin user using the path traversal vulnerability via
http://<IP>:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp
- Upload an Openfire plugin weaponized with a java payload triggering an RCE via endpoint
http://<IP>:9090/plugin-admin.jsp. For step 3, you need understand how to create an customizedOpenfireplugin which is described in more detail here.
And as usual, I took the liberty to code a nice Metasploit module that does it all for you.
You can find the module here in my local repository or as PR 18173 at the Metasploit Github development.
This module has been tested on:
Ubuntu Linux 22.04
- Openfire 3.10.1, 4.0.4, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0. 4.7.0, 4.7.1, 4.7.3
- Java 7, 8, 17
Windows Server 2019 Datacenter
- Openfire 4.7.3
- Java 20
You can setup your own testing environment by following the instructions below.
Instructions for an Openfire installation:
Download Openfire releases here.
Follow installation instructions here.
Mitigation
Please update your Openfire application to version 4.8.0 or higher and or upgrade to the patched versions 4.7.5 or 4.6.8.
References
Igniterealtime Security Advisory
CVE-2023-32315
Openfire Authentication Bypass RCE – h00die-gr3y Metasploit local repository
Metasploit PR 18173
Openfire plugin development
Openfire release downloads
Openfire installation instructions
CVSS V3 Severity and Metrics
General Information
Vendors
- igniterealtime
Products
- openfire
Metasploit Modules
Exploited in the Wild
References
Exploit
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
Great write-up, @h00die-gr3y, thank you!
@ccondon-r7, you are most welcome!
Enjoy your upcoming Christmas and New Year.