CVE-2008-6508
Published: 2009-03-23
Priority: P2 (72) · Severity: high (CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 83.38% (99.6th percentile)

Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| igniterealtime | openfire | <= 3.6.0a | — |
Detection & IOCs (extracted from sources)

- URL: http://www.foo.bar:9090/setup/setup-/../../plugins/sip/sipark-log-summary.jsp?type=all'UNION%20SELECT%20'attack-code'%20INTO%20OUTFILE%20'/tmp/attack.sh'%20/*&startDate=Any&endDate=Any&submit=true&get=Search
- Alert on HTTP POST requests to '/setup/setup-/../../plugin-admin.jsp?uploadplugin', which indicates malicious plugin upload exploitation of the auth bypass.
- Monitor for multipart/form-data POST requests containing JAR file uploads (plugin-metasploit.jar) to the Openfire admin console plugin-admin.jsp endpoint.
- Detect unauthenticated access to Openfire admin pages (e.g., log.jsp, plugin-admin.jsp) via the traversal path '/setup/setup-/../../' without a valid authenticated session.
- Flag HTTP requests to Openfire's DWR endpoint '/setup/setup-/../../dwr/exec/downloader.installPlugin.dwr', used to install remote plugins without authentication.
- Identify the Metasploit exploit by its server fingerprint check, which matches the pattern 'Openfire, \D*: (\d)\.(\d).(\d)' in HTTP response bodies on port 9090.
- The authentication bypass works because the AuthCheckFilter's Exclude-Strings list includes 'setup/setup-': any URL containing this substring bypasses auth entirely, regardless of what follows.
- Openfire listens on both tcp/9090 (HTTP) and tcp/9091 (HTTPS) for admin console access by default; both ports are affected and should be blocked at the firewall.
- Removing the uploaded malicious plugin after exploitation may leave the server in an unstable state, making re-exploitation difficult; manual removal is recommended.
No detection rules found.
Exploit-DB: Openfire Server 3.6.0a - Admin Console Authentication Bypass (Metasploit) (exploitdb, 2012-06-28, CVE-2008-6508)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /(Jetty)/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Openfire Admin Console Authentication Bypass',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability in the administration
        console of Openfire servers. By using this vulnerability it is possible to
        upload/execute a malicious Openfire
```
Exploit-DB: Openfire Server 3.6.0a - Authentication Bypass / SQL Injection / Cross-Site Scripting (exploitdb, 2008-11-09, CVE-2008-6511)
---
Advisory: Openfire Server Multiple Vulnerabilities
Advisory ID: AKADV2008-001
Release Date: 2008/11/07
Revision: 1.0
Last Modified: 2008/11/07
Date Reported: 2008/05/17
Author: Andreas Kurtz (mail at andreas-kurtz.de)
Affected Software: Openfire Server
The AuthCheck filter (org.jivesoftware.admin.AuthCheckFilter) is configured with the following `excludes` list:

```
login.jsp,index.jsp?logout=true,setup/index.jsp,
setup/setup-,.gif,.png,error-serverdown.jsp
```

When a request URL contains one of these Exclude-Strings the auth check mechanism is totally circumvented. This was considered necessary for the initial setup process or the presence plugin. The following PoC demonstrates how an attacker could access internal functions by manipulating the URL providing
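The following is an added example, not code from Openfire, the advisory or the Metasploit module. It contrasts the raw-URL substring test the advisory describes with a hardened check (an assumed design, not Openfire's actual fix) that decides on the normalized path, and then runs both over constructed access-log lines to flag requests that would only be excluded from authentication because of a traversal segment, which is the pattern the detection notes above describe.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Exclude-Strings of the AuthCheck filter as quoted in the advisory.
EXCLUDES = ["login.jsp", "index.jsp?logout=true", "setup/index.jsp",
            "setup/setup-", ".gif", ".png", "error-serverdown.jsp"]

def weak_is_excluded(url):
    """The behaviour the advisory describes: a substring test on the raw
    URL, so '/setup/setup-/../../log.jsp' counts as excluded."""
    return any(s in url for s in EXCLUDES)

def normalized_path(url):
    """Percent-decode and collapse '.'/'..' so the check sees the resource
    the container will actually dispatch to."""
    return posixpath.normpath("/" + unquote(urlsplit(url).path).lstrip("/"))

def strong_is_excluded(url):
    """Hardened variant (assumed here, not Openfire's actual fix): decide on
    the normalized path with anchored matches, never a loose substring."""
    path, query = normalized_path(url), urlsplit(url).query
    if path.endswith((".gif", ".png")):
        return True
    if path in ("/login.jsp", "/setup/index.jsp", "/error-serverdown.jsp"):
        return True
    if path == "/index.jsp" and query == "logout=true":
        return True
    return path.startswith("/setup/setup-")

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/')
def traversal_bypasses(log_text):
    """(method, raw url, normalized path) for each request the substring
    check would let through unauthenticated but the hardened check would
    not: the CVE-2008-6508 pattern a defender wants to alert on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and weak_is_excluded(m["url"]) and not strong_is_excluded(m["url"]):
            hits.append((m["method"], m["url"], normalized_path(m["url"])))
    return hits

# Constructed sample access log in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2008:10:12:01 +0000] "GET /login.jsp HTTP/1.1" 200 1532
10.0.0.5 - - [07/Nov/2008:10:12:09 +0000] "GET /setup/setup-/../../log.jsp HTTP/1.1" 200 8812
10.0.0.7 - - [07/Nov/2008:10:13:44 +0000] "GET /images/logo.gif HTTP/1.1" 200 402
10.0.0.9 - - [07/Nov/2008:10:15:02 +0000] "POST /setup/setup-/../../plugin-admin.jsp?uploadplugin HTTP/1.1" 200 311
10.0.0.9 - - [07/Nov/2008:10:16:20 +0000] "GET /setup/setup-1.jsp HTTP/1.1" 200 2210
"""
```

Running `traversal_bypasses(SAMPLE_LOG)` flags only the two traversal requests; the genuine setup page `/setup/setup-1.jsp` and the static `.gif` stay excluded under both checks, and percent-encoded `%2e%2e` segments are caught because the path is decoded before normalization.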
Metasploit: Openfire Admin Console Authentication Bypass
This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0a. It is possible to remove the uploaded plugin after execution, however this might turn the server in some kind of unstable state, making re-exploitation difficult. You might want to do this manually.
No writeups or analysis indexed.
References

- http://osvdb.org/49663
- http://secunia.com/advisories/32478
- http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
- http://www.andreas-kurtz.de/archives/63
- http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html
- http://www.igniterealtime.org/issues/browse/JM-1489
- http://www.securityfocus.com/archive/1/498162/100/0/threaded
- http://www.securityfocus.com/bid/32189
- http://www.vupen.com/english/advisories/2008/3061
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46488
- https://www.exploit-db.com/exploits/7075