Introduction
It's time to dive into another old vulnerability. Let's go back to 2013. Argo lit up the silver screen. The dulcet sounds of Daft Punk filled the air. And the kids would tick-tock away the hours online in six-second blocks watching funny Vines.
Old vulnerabilities are interesting history lessons. They capture information about techniques that worked in the past and still could be applicable to modern software today. They also provide guidance to modern software developers of some potential risks and pitfalls to avoid when building applications.
IBM Lotus Sametime (ca. 2013)
Today we'll be looking at (what was) IBM Lotus Sametime. These days, Sametime is an HCL property, moving from Lotus, to IBM, to ultimately HCL...after a pass-through transaction involving the Scheinhardt Wig Company. A lot of the original copy for this vulnerability is now offline and abandoned, but it's recorded as CVE-2013-0553. In a time period between IRC and Slack, Sametime was a popular enterprise instant messaging platform.
Some weird formatting from a linkified message in Sametime 7.5.1 initially sent me down the path of looking at Sametime. In this case, typing a literal www.<something>.com as a chat message got turned into an unexpected www..com hyperlink:
Clearly something was up. I managed to turn that "weird formatting" into fully-automatic RCE, but at the time Sametime 7.5.1 was already a few releases behind the current version -- and that specific exploit didn't work against the latest (at the time) Sametime clients. But regardless -- I was confident that more Sametime vulnerabilities were out there and I started hunting.
I spent most of my time looking at the Sametime clients, and was never really that familiar with the server-side components. The clients were written in Java and came bundled with Lotus Expeditor, which provided embedded web browser functionality to render HTML and other rich content in Sametime messages. Sametime offered multi-platform clients and an SDK that supported building chatbots and other custom applications. The SDK would come in handy later.
Vulnerability Research
Lotus Expeditor includes a Gecko-compliant browser, but in 2013, it did not include many of the security features that were baked into Firefox, IE, Chrome, and Safari releases of the day -- that were the result of years of secure development, external security research, and published security advisories. Looking for security bugs in Expeditor in 2013 was like going back in time with the benefit of contemporary browser security research. Books such as The Tangled Web helped my focus and understanding when attacking a browser.
I dug into the technical guts of the Sametime clients. The fact that they were written in Java made this task easier. The first big thing I realized was that much of the HTML filtering was done by the sending client. Different versions of the Sametime clients each validated and sanitized received messages a little differently, but that receive-side sanitization was built on assumptions about what types of messages clients could send in the first place. I'm sure you can see the security flaw here.
Exploitation
With the ability to send and render HTML messages in Sametime clients, there was a lot of attack surface to explore. All versions of the clients could be used for various Pass-the-Hash, SMB Relay, and forced-CSRF type attacks. I won't go into specifics here, as these types of attacks are well-documented elsewhere. These attacks were interesting, but I was looking for reliable RCE, and with the increasing ubiquity of MS08-068 and LANMAN hashes being disabled, these techniques were a little less useful.
I spent a lot of time looking at and testing how the various versions of Sametime (and Expeditor) processed, filtered, and rendered HTML. Sametime 8.5.1 was the current version and the target that I was most interested in. Sametime 8.5.0 had actually made a big change in how it processed and rendered HTML; that version had added HTML whitelisting, and by default, most HTML tags were blocked. RCE was possible, but it required some very light user interaction. But Sametime 8.5.1 added IBM's Active Content Filter (ACF), which replaced HTML whitelisting as the default configuration. ACF allowed lots of HTML tags, but actively filtered out standard XSS payloads and other malicious primitives. But I now had my goal -- bypass ACF and I'd likely have my RCE.
Since some of the HTML filtering was expected to happen within the sending client, I could create my own client and have full control over the messages that I sent. Using the Sametime SDK, I wrote a Sametime client/bot that did no HTML encoding or modification of outbound messages, and started fuzzing away. After many failures and a string of late nights with this album in heavy rotation, I finally found one bypass that worked and gave me fully-automated RCE. Enter this discovery:
<!--><my exploit payload here>
That was the key to the exploit: a syntax that took advantage of a parsing discrepancy between ACF and Expeditor's Gecko rendering. ACF treated the entire string like a single comment, and allowed the exploit payload through; without the <!--> prefix, ACF would have stripped and blocked the exploit. But Expeditor treated <!--> alone as the comment, and then happily rendered my payload. With an XSS-type payload, I had achieved automated RCE! It was a pretty satisfying moment, and one of the vulnerabilities and exploits that I'm most proud of.
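To make the parser differential concrete, here is an added example (not IBM's ACF code, and not from the original post) that models the two behaviours described above: a sanitizer that opens a comment at <!-- and scans for -->, beside an HTML5-style tokenizer that, like Gecko, treats <!--> (and also <!--->) as a complete empty comment. A defender can run the same check over outbound or inbound markup to flag messages where the filter's view and the renderer's view disagree. The sample message and the tag after the prefix are constructed and harmless.

```python
# Constructed message fragment for the demo (not a real exploit payload):
# the bypass prefix from the article followed by a harmless tag.
SAMPLE = "<!--><b>hello</b> after"

def legacy_strip_comments(html: str) -> str:
    """Model of the filter behaviour described in the article: '<!--' opens
    a comment and everything up to the next '-->' is dropped. With no '-->'
    following, the rest of the message is swallowed as one comment."""
    out, i = [], 0
    while i < len(html):
        if html.startswith("<!--", i):
            end = html.find("-->", i + 4)
            if end == -1:
                break          # unterminated: remainder is "comment"
            i = end + 3
        else:
            out.append(html[i])
            i += 1
    return "".join(out)

def html5_strip_comments(html: str) -> str:
    """Model of the HTML5 tokenizer comment states (Gecko-style rendering):
    '<!-->' and '<!--->' are complete, empty comments ("abrupt closing of
    empty comment"); any other comment runs to the next '-->' or to EOF."""
    out, i = [], 0
    while i < len(html):
        if html.startswith("<!--", i):
            j = i + 4
            if html.startswith(">", j):        # <!-->  -> empty comment
                i = j + 1
            elif html.startswith("->", j):     # <!---> -> empty comment
                i = j + 2
            else:
                end = html.find("-->", j)
                i = len(html) if end == -1 else end + 3
        else:
            out.append(html[i])
            i += 1
    return "".join(out)

def parser_differential(html: str) -> bool:
    """True when the filter's view of the markup differs from the renderer's,
    i.e. content the filter never inspected would reach the browser."""
    return legacy_strip_comments(html) != html5_strip_comments(html)

if __name__ == "__main__":
    print("filter sees  :", repr(legacy_strip_comments(SAMPLE)))
    print("renderer sees:", repr(html5_strip_comments(SAMPLE)))
    print("differential :", parser_differential(SAMPLE))
```

The fix that closes this class of bug is to sanitize with a tokenizer that matches the rendering engine's grammar, not a hand-written comment scanner.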
As a red teamer, the exploit was very handy. :) But defense and getting the flaw fixed was important too. After disclosing the bug to IBM, they provided a custom patch, and it was fixed with a public patch a little while later.
NOTE TO HCL: If anyone from HCL is reading this, I'd love to take a look at the current version of Sametime. I've been unable to find a way to obtain demo software or procure a single-user/small-user licensed environment.