OpenKM 5.1.7 Privilege Escalation

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#############################################################
#
# ID:      COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor:  OpenKM
# Subject: Privilege Escalation, Improper Access Control
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    January 3rd 2012
#
#############################################################

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing,
Switzerland, discovered an authorization flaw in the OpenKM solution. OpenKM
allows application administrators to manage users and to assign roles.
Unfortunately, a standard user having the UserRole may alter the roles of
existing accounts. This is possible because OpenKM does not properly check
for sufficient privileges on the server side. The changes are applied even
though the OpenKM user interface displays an "insufficient privileges"
message to the unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7 and most likely prior versions (unconfirmed)

Not vulnerable:
---------------
OpenKM version 5.1.8.

Workaround:
-----------
Grant access to the /OpenKM/admin path to specific IPs only (requires an
additional WAF or reverse proxy setup [2])

Exploit:
--------
Log in as a low-privileged user (having the UserRole) and call the following
URL to gain administrative privileges.

Upgrade Existing User (add AdminRole)
http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole
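As an added example that is not part of the advisory, the following Python script hunts for the request pattern above in Apache combined-format access logs (sample lines constructed here), flagging /OpenKM/admin requests from outside an assumed admin source allowlist (the workaround condition) and userEdit requests that persist AdminRole; because the flawed server applies the change regardless, the detection keys on request parameters rather than on the response status.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2012:10:01:12 +0100] "GET /OpenKM/admin/Auth?action=userList HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.20 - - [03/Jan/2012:10:02:44 +0100] "GET /OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole HTTP/1.1" 200 104 "-" "Mozilla/5.0"
192.168.1.20 - - [03/Jan/2012:10:03:01 +0100] "GET /OpenKM/frontend/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Jan/2012:10:04:19 +0100] "POST /OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=bob&usr_roles=UserRole HTTP/1.1" 200 104 "-" "Mozilla/5.0"
"""

# Assumed allowlist of source address prefixes that may reach /OpenKM/admin
# (the IP restriction the advisory suggests as a workaround).
ADMIN_NETS = ("10.0.0.",)

# client ip, timestamp, method, request target (path + query)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def parse_line(line):
    """Split one combined-format line into the fields the checks need."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method,
            "path": parts.path, "query": parse_qs(parts.query)}


def is_role_escalation(query):
    """True for a persisted userEdit that assigns AdminRole (any order, any method)."""
    roles = [r for v in query.get("usr_roles", []) for r in v.split(",")]
    return (query.get("action") == ["userEdit"]
            and query.get("persist") == ["true"]
            and "AdminRole" in roles)


def scan(log_text):
    """Return (finding, source ip, detail) tuples for suspicious admin requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/OpenKM/admin/"):
            continue
        if not rec["ip"].startswith(ADMIN_NETS):
            findings.append(("admin-path-from-unexpected-source", rec["ip"], rec["path"]))
        if is_role_escalation(rec["query"]):
            target_user = rec["query"].get("usr_id", ["?"])[0]
            findings.append(("adminrole-assignment", rec["ip"], target_user))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```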

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com
is a Free/Libre document management system that provides a web interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP Appsec Washington D.C. in November 2010 about setting up an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt

ImageMagick C++ Template

This entry is intended to give anyone interested in using the C++ ImageMagick API a kickstart.

Base C++ code

#include <iostream>
#include <Magick++.h>

using namespace Magick;
using namespace std;

int main(int argc, char **argv) {
    // initialise the Magick++ library before any image operation
    InitializeMagick(*argv);
    cout << "hello ImageMagick." << endl;
    return 0;
}

Base Makefile

CC=g++
CFLAGS=-c -Wall -m32 -ansi -pedantic -O3 -Wno-long-long -I /usr/include/ImageMagick
LDFLAGS=-m32 -pthread -L /usr/lib/ImageMagick-6.6.2 -lMagick++ -ljpeg -lpng -ltiff -lbz2 -lxml2 -lz -lm -lgomp -lMagickWand -lMagickCore

SOURCES=image.cpp
OBJECTS=$(SOURCES:.cpp=.o)
EXECUTABLE=test

all: $(SOURCES) $(EXECUTABLE)

# recipe lines must be indented with a tab, not with spaces
$(EXECUTABLE): $(OBJECTS)
	$(CC) $(LDFLAGS) $(OBJECTS) -o $@

.cpp.o:
	$(CC) $(CFLAGS) $< -o $@

clean:
	rm -f $(EXECUTABLE) *.o

IBM ThinkPad Unauthorized Network Card

I replaced the old-fashioned wireless miniPCI network card of my IBM ThinkPad R50 with a new 802.11n device. Unfortunately, the BIOS did not really like it: "Error 1802 Unauthorized network card". As you might guess, there are workarounds. Some have posted how to add the new card to the list of accepted ones (patch some BIOS bytes) and some have posted how to flip the correct BIOS byte to disable the check.

I feared the effort of creating a new BIOS and flashing it to the ROM. Moreover, a BIOS update would just undo my changes. However, there is a pretty cool bootable DOS CD-ROM that includes a patch:

1) download and burn ISO here
2) disable your laptop's wireless device (so the BIOS does not complain with Err 1802)
3) boot from disc
4) type no-1802 at the command prompt (there will be no message, don’t worry)
5) reboot, enable wireless device

Worked out of the box.

Google +1 Button for Pebble Blog

You basically need to change 2 files to add the Google +1 button to the Pebble Blog.

First, add the Google +1 button JavaScript code at the end of your favorite template. This should be located somewhere around themes/your-theme/template.jsp

<script type="text/javascript" src="https://apis.google.com/js/plusone.js">
</script>
<script type="text/javascript">
   (function() {
      var po = document.createElement('script');
      po.type = 'text/javascript'; po.async = true;
      po.src = 'https://apis.google.com/js/plusone.js';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(po, s);
   })();
</script>

Second, place the button tag within the blog entry JavaServer Page so that it appears right after the title of each blog entry. You will find the file in WEB-INF/jsp/blogEntry.jsp

<h1>
<a href="${blogEntry.permalink}">${blogEntry.title}</a>&nbsp;
<g:plusone size="small" href="${blogEntry.localPermalink}"></g:plusone>
</h1>

How to chkconfig (OpenKM JBOSS init script)

Integrating OpenKM properly takes a few steps, and basically you need to engineer the start script yourself. The following notes should help to get JBoss up quickly.

1) create a new user

  # useradd jboss

2) copy the script

  # cp JBOSS_HOME/bin/jboss_init_redhat.sh /etc/init.d/jboss

3) add the chkconfig properties to the init file header

  # chkconfig: 345 65 35
  # description: JBOSS AS init script
  # pidfile: /var/run/jboss.pid

4) adjust all other variables in the init file header

5) add the script to chkconfig

  # chkconfig --add jboss

6) set jboss to be started at run level 3

  # chkconfig jboss --level 3 on

7) start it now

  # service jboss start

Configuring alternatives in CentOS (e.g. Oracle Java SE)

The installation of Oracle Java SE (JDK) on some Linux distributions is still a fight. Probably the most straightforward way on CentOS is downloading the most current self-extracting archive (.bin) and installing it to /opt.

Finally, ensure the Oracle Java SE binary is called instead of the GNU one.

# alternatives --install /usr/bin/java java /opt/jdk1.6.025/bin/java
# alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
------------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   2           /opt/jdk1.6.025/bin/java

Enter to keep the current selection[+], or type selection number: 2