Openfire Authentication Bypass RCE [CVE-2023-32315] #18173
It looks like there's a compiled java plugin required for this exploit module; can you please provide the source and build instructions?
@bwatters-r7, you should have the source already.
For future travelers, here is the PR that brought in the plugin: #522
A suggestion for sharing the files better: h00die-gr3y#1
Adjust files to be better shared
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
Release Notes
This PR adds a module for CVE-2023-32315, a remote code execution vulnerability for all versions of Openfire that have been released since April 2015, starting with version 3.10.0. Patched versions are 4.7.5+, 4.6.8+ and 4.8.0+.
Openfire authentication bypass with RCE plugin

Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.

This module will use the vulnerability to create a new admin user that will be used to upload an Openfire management plugin weaponized with a Java native payload that triggers an RCE.

This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.

The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the first version on the 4.8 branch, which is version 4.8.0.

This module has been tested on:

Instructions for an Openfire installation:
Download Openfire releases here.
Follow installation instructions here.

Verification
msfconsole
exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315
set rhosts <ip-target>
set rport <port>
set target <0=Java Universal>
exploit
reverse shell or Meterpreter session depending on the payload and target settings

Scenarios
Ubuntu 22.04 - Openfire 4.7.0 - java/meterpreter/reverse_tcp
Windows Server 2019 Datacenter - Openfire 4.7.3 - java/shell/reverse_tcp
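
The affected and fixed version ranges stated above, expressed as a defender-side inventory check. This is an added example, not code from the Metasploit module or the PR; the function names and the host inventory are constructed for illustration.

```ruby
# Added example: classify Openfire versions against the ranges given on this page
# (affected from 3.10.0; fixed in 4.6.8 on the 4.6 branch, 4.7.5 on the 4.7 branch, and 4.8.0+).
require 'rubygems' # Gem::Version; compares numeric segments, so 3.9.3 < 3.10.0

FIRST_AFFECTED = Gem::Version.new('3.10.0')
FIXED_46       = Gem::Version.new('4.6.8')
BRANCH_47      = Gem::Version.new('4.7.0')
FIXED_47       = Gem::Version.new('4.7.5')

# Returns :affected, :patched, :not_affected or :unknown (hypothetical helper name).
def openfire_cve_2023_32315_status(version_string)
  cleaned = version_string.to_s.strip.sub(/\Av/i, '')
  # Anything that is not a plain dotted version (betas, empty banners) needs manual review.
  return :unknown unless cleaned.match?(/\A\d+(\.\d+)*\z/)

  v = Gem::Version.new(cleaned)
  return :not_affected if v < FIRST_AFFECTED # predates the vulnerable code
  return :affected     if v < FIXED_46       # 3.10.0 up to 4.6.7
  return :patched      if v < BRANCH_47      # 4.6.8 and later 4.6.x
  return :affected     if v < FIXED_47       # 4.7.0 up to 4.7.4

  :patched                                   # 4.7.5+, including 4.8.0+
end

# Hosts that need patching or a manual look, in inventory order.
def hosts_needing_attention(inventory)
  inventory.select do |_host, version|
    %i[affected unknown].include?(openfire_cve_2023_32315_status(version))
  end.keys
end

# Constructed inventory: host name => version reported by the admin console login page.
INVENTORY = {
  'xmpp-lab-01'  => '4.7.0',
  'xmpp-lab-02'  => '4.7.5',
  'xmpp-old'     => '3.9.3',
  'xmpp-branch'  => '4.6.8',
  'xmpp-legacy'  => '3.10.0',
  'xmpp-mystery' => 'n/a'
}.freeze

if __FILE__ == $PROGRAM_NAME
  INVENTORY.each { |host, ver| puts "#{host}\t#{ver}\t#{openfire_cve_2023_32315_status(ver)}" }
end
```

A plain string comparison would rank 3.9.3 above 3.10.0 and 4.6.8 below 4.7.0 without regard to branch, which is why the check compares parsed versions per branch.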