K3ysTr0K3R / CVE-2023-32315-EXPLOIT

A PoC exploit for CVE-2023-32315 - Openfire Authentication Bypass

openfire 4.0.3 doesn't return CSRF token #1

Open Fr0gZero opened 3 months ago

Fr0gZero commented 3 months ago

Good Afternoon,

The Openfire 4.0.3 instance that I have does not return a CSRF token from the login page.

The LFI seems to still be present as the following url still returns the logs: /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp

Any guidance on how to retrieve the CSRF token for this version?

Thank you
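A defender-side check for the traversal pattern quoted above (the `%u002e%u002e` form under `/setup/`), added here as an example; it is not code from this repository or from either commenter, and the access-log lines are constructed, not taken from the report.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original issue). The third
# mirrors the traversal URL quoted in the report above; the fourth uses plain
# %2e encoding to show the check is not tied to one escape style.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login.jsp?url=%2Findex.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /setup/index.jsp HTTP/1.1" 403 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1" 200 8192',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /setup/setup-s/%2e%2e/%2e%2e/user-create.jsp HTTP/1.1" 200 4096',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
UNICODE_ESC = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_path(raw):
    """Normalise a request path the way a lenient server might see it.

    urllib.parse.unquote does not understand the non-standard %uXXXX form,
    so those are expanded first; standard %XX escapes are then decoded twice
    so that double-encoded dots ("%252e") are also caught.
    """
    s = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)
    for _ in range(2):
        s = unquote(s)
    return s


def is_setup_traversal(path):
    """True if the (decoded) path enters /setup/ and contains a '..' segment."""
    decoded = decode_path(path.split('?', 1)[0])
    return decoded.startswith('/setup/') and '..' in decoded.split('/')


def flag_traversals(lines):
    """Return (raw_path, decoded_path) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and is_setup_traversal(m.group('path')):
            hits.append((m.group('path'), decode_path(m.group('path'))))
    return hits


if __name__ == '__main__':
    for raw, decoded in flag_traversals(SAMPLE_LOGS):
        print(f'traversal under /setup/: {raw} -> {decoded}')
```

Run it over real access logs by swapping `SAMPLE_LOGS` for the file's lines; the decoded path in each hit shows which resource under `/setup/` was actually reached.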

K3ysTr0K3R commented 3 months ago

Hi there, glad you reported an issue.

Did you run 'curl -I "http://192.168.8.102:9090/login.jsp?url=%2Findex.jsp"' to see if the CSRF token is present?

You will find it in the 'Set-Cookie' header. If it's not present, I would highly recommend you build a vulnerable environment via Docker.

Go to https://github.com/vulhub/vulhub/tree/master/openfire/CVE-2023-32315 and get the 'docker-compose.yml' file, then run 'sudo docker-compose up -d' to set it up with no trouble at all.

Feel free to ask for help if there are any new or if you're still facing this problem.

Fr0gZero commented 3 months ago

Yes, I have hit that URL directly. I currently am on a live engagement for a pentest. I am running against Openfire 4.0.3, and when I hit that URL the only cookie that is set is a new JSESSIONID; no sign of a CSRF token.

Have you ever taken a look at this specific version? Sources list it as vulnerable, and I can reproduce the LFI via the .log file.

K3ysTr0K3R commented 3 months ago

Did you try 'Metasploit' to determine if the target is vulnerable or not? If it's a vulnerable version it doesn't always mean it's vulnerable. My PoC might be giving out false positives.

Hope to hear back from you.

Fr0gZero commented 3 months ago

Yes, I was able to do that and it shows as vulnerable. I also confirmed manually, and the LFI to the log file is present. Once again, there is just no place where the app returns a CSRF token to create the admin user.

K3ysTr0K3R commented 3 months ago

Yeah, that happens. It didn't spawn a shell either, I bet. It's not exploitable then, unfortunately; the CSRF might be disabled even when a target is vulnerable on one end but not on another end, such as the CSRF in this case, which is needed to complete the entire exploit process. Do you mind sending me the target here perhaps? I'll see if I can find the token for you. Or, for responsible purposes, send the target to me through email via jaredbrts175@gmail.com