神刀安全网

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

As part of my personal “ Hacking Open Source Software for Fun and Non-Profit ” project, I took a look at the latest (at the time of writing) version of Apache OpenMeetings, 3.0.7. The findings in this post have also been confirmed to work on version 3.1.0, released after this post was written, and have been patched in version 3.1.1, available here .

According to Wikipedia (as there is no good description on the official project website ), OpenMeetings is:

“…software used for presenting, online training, web conferencing, collaborative whiteboard drawing and document editing, and user desktop sharing. The product is based on OpenLaszlo RIA framework and Red5 media server, which in turn are based on a number of open source components. Communication takes place in virtual “meeting rooms” which may be set to different communication, security and video quality modes. The recommended database engine for backend support is MySQL. The product can be set up as an installed server product, or used as a hosted service.

Work on OpenMeetings started in 2006, and it has been downloaded over 250 000 times. OpenMeetings is available in 31 languages.”

One particularly interesting aspect of OpenMeeting from a security standpoint is that it is exposed to the Internet by design, as one of its main features is the possibility to have virtual meetings with external parties.

During my audit, I came across multiple issues of varying severity , among them two vulnerabilities that, with some additional trickery, would allow for an unauthenticated attacker to gain Remote Code Execution on the system, with knowledge of an administrator’s username as the only pre-requisite. As you have probably guessed, this is a brief write-up of those issues and the path to code execution.

Another ZIP archive path traversal (CVE-2016-0784)

One of the first things I found was a bug similar to one that I found inApache Jetspeed 2, namely a ZIP archive path traversal. Just like in the Jetspeed case, the bug exists in a function that requires administrative privileges to access, and the issue lies in that names of files in ZIP archives are not checked for dangerous character sequences before being written to disk.

The bug exists in the Import/Export System Backup function in the OpenMeetings administrative menu, and the vulnerable code can be found below. Notice the missing name check on line 217 and onward.

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

However, as OpenMeetings does not support JSP files in its default configuration, achieving code execution will not be as straight-forward this time.

Predictable password reset token (CVE-2016-0783)

When auditing code, it is always good to review security sensitive areas such as authentication and related functions. One such function is the ability to reset a forgotten password, and in the case of OpenMeetings, this turned out to be a jackpot. The following code is an extract from the password reset function.

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

As you may notice, the password reset token that is emailed to the user who has forgotten their password is made up of highly predictable components. On line 241, the username and the current system date and time is concatenated and assigned to the loginData variable, and on line 243, an MD5 hash of that variable is generated and written to the database. The hash is then read from the database and appended to the password reset link on line 245, which is then emailed to the user. As the output format of Java’s Date() class does not even include milliseconds (the format is Tue Aug 16 15:30:00 UTC 1977), an attacker with knowledge of an existing user’s username can calculate the password reset token in less than a second as shown in the PoC below.

1. Reset the password of an administrative user

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

2. Calculate the password reset token

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

3. Follow the link to change the password

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

Getting code execution (it’s a kind of Magick)

With the ability to gain access to the system by compromising an administrator’s account, and being able to upload files to arbitrary locations on the file systems, the only thing left is a way to turn these issues into code execution. As previously mentioned, OpenMeetings does not support JSP files in its default configuration so a different approach is needed. Enter, third party integrations.

OpenMeetings has several third party integrations for things such as image conversion, IP telephony, instant messaging, and more. These integrations are usually triggered by a certain system event and are invoked using Java’s getRuntime.exec(). One such third party solution is ImageMagick, which is used to create a thumbnail when a user uploads a file. The default path to ImageMagick’s ‘convert’ binary, used for creating the thumbnails, is /usr/bin/.

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

As can be seen in the image from the OpenMeetings administrative menu above, the path to the ‘convert’ binary can be configured from the web interface. This means that an attacker with administrative access (which is assumed considering the previously described password reset vulnerability) can change the ImageMagick path to /tmp/, and then upload a ZIP archive containing an executable file named “../../../../../../../../../../tmp/convert”. This file will be executed the next time an image is uploaded, effectively resulting in Remote Code Execution.

1. Upload a file

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

2. Get a shell

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

(It should be mentioned that if the Tomcat application server is running as the root user, which can not be assumed, it would be possible for the attacker to simply overwrite the ‘convert’ file in /usr/bin/ without having to change the configuration settings. This would however make the attack less reliable, and would also break system functionality, making the attack less stealthy.)

Final words

Just like in my previous post, the chaining of two not-so-advanced vulnerabilities (plus some additional not-so-advanced trickery) resulted in Remote Code Execution in an application that appears to be quite popular (250 000 downloads). The last reported vulnerability in OpenMeetings that I could find is an XSS from 2013 , something that hints at how infrequently a lot of Open Source projects are audited. As I have previously stated , more effort is definitely needed in this area.

I would like to thank the OpenMeetings maintainers, especially Maxim, for being so cool about my report and fixing the issues in a very timely manner. The fixes are included in the new and improved OpenMeetings version 3.1.1, available for download from the official project website.

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
分享按钮