Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities

July 20, 2023 | THN | Vulnerability / Software Security


Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be exploited by malicious attackers to take control of administrator accounts and execute malicious code on vulnerable servers.

“An attacker could force an application into an unexpected state, allowing it to take over any user account, including administrator accounts,” Stefan Schiller, a vulnerability researcher at Sonar, said in a report shared with The Hacker News.

“Additional administrative privileges could be exploited to exploit another vulnerability, allowing an attacker to execute arbitrary code on the Apache OpenMeetings server.”

Following responsible disclosure on March 20, 2023, the vulnerabilities were resolved with the release of OpenMeetings version 7.1.0 on May 9, 2023. Here is a list of the three flaws:

  • CVE-2023-28936 (CVSS score: 5.3) – Poor checking of invitation hashes
  • CVE-2023-29032 (CVSS score: 8.1) – Authentication bypass leading to unrestricted access via invitation hash
  • CVE-2023-29246 (CVSS score: 7.2) – NULL byte (%00) injection that allows an attacker with administrative privileges to execute code

Meeting invitations created using OpenMeetings are not only bound to a specific room and user, but also come with a unique hash that the application uses to retrieve the details associated with the invitation.


The first two flaws, in a nutshell, involve a weak comparison between the user-supplied hash and the one present in the database, and a quirk that allows room invitations to be created without a room being assigned, resulting in an invitation with no room associated with it.

An attacker could exploit these shortcomings by creating an event, joining the corresponding room, and then deleting the event and creating an invitation to a non-existing room for an admin user. In the next step, the attacker could take advantage of the weak hash comparison bug to enumerate the sent invitations and redeem them by providing a wildcard hash input.


“When the associated event is deleted, the room is also deleted, but since there is an attacker in the room, this becomes a zombie room,” Schiller explained. “An error occurs when redeeming the hash of such an invitation, but a valid web session is created for the invitee with full privileges for this user.”

In other words, zombie rooms may allow an attacker to gain administrative privileges and make changes to an OpenMeetings instance, such as adding or removing users or groups, changing room settings, or terminating sessions of connected users.
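The two invitation flaws described above, as an added example that is not from the article or from the OpenMeetings code base: a weak, pattern-matching hash lookup beside a strict lookup that also refuses invitations whose room no longer exists. The table layout, the function names, the UUID-formatted hashes and the use of SQL `LIKE` as the weak comparison are assumptions, and the rows are constructed sample data.

```python
import sqlite3
import uuid

def make_db():
    """Constructed sample data: one invitation points at a room that was deleted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE room (id INTEGER PRIMARY KEY)")
    db.execute("CREATE TABLE invitation (hash TEXT, invitee TEXT, room_id INTEGER)")
    db.execute("INSERT INTO room VALUES (1)")
    db.executemany("INSERT INTO invitation VALUES (?, ?, ?)", [
        ("0b9f6c1e-5a53-4d0e-9a0e-3f1c2d4e5a61", "alice", 1),
        ("7d44b2aa-91c7-4e0b-8f3d-6a5b4c3d2e1f", "admin", 99),  # room 99 is gone
    ])
    return db

def redeem_weak(db, supplied):
    """Weak form (assumed): pattern match, so '%' and '_' act as wildcards,
    and nothing checks that the invitation's room still exists."""
    row = db.execute("SELECT invitee FROM invitation WHERE hash LIKE ?",
                     (supplied,)).fetchone()
    return row[0] if row else None

def redeem_strict(db, supplied):
    """Hardened form: canonical UUID only, exact match, and the room must exist
    before any session is handed out."""
    try:
        if str(uuid.UUID(supplied)) != supplied.lower():
            return None  # reject braces, urn: prefixes and other variants
    except (ValueError, AttributeError, TypeError):
        return None      # not a UUID at all, e.g. a wildcard string
    row = db.execute(
        "SELECT i.invitee FROM invitation i JOIN room r ON r.id = i.room_id "
        "WHERE i.hash = ?", (supplied.lower(),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for value in ("%", "7d44b2aa-91c7-4e0b-8f3d-6a5b4c3d2e1f",
                  "0b9f6c1e-5a53-4d0e-9a0e-3f1c2d4e5a61"):
        print(repr(value), "weak:", redeem_weak(db, value),
              "strict:", redeem_strict(db, value))
```

The strict function returns no invitee for the invitation whose room is missing, so a redemption error can never leave a session behind.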

Sonar also said it identified a third vulnerability rooted in a feature that allows administrators to set the path of the executable associated with ImageMagick, an open source software used to edit and process images. This would allow an attacker with administrative privileges to execute code by changing the ImageMagick path to “/bin/sh%00x” and triggering arbitrary shell commands.

“If you upload a fake image containing a valid image header followed by any shell command, the conversion will produce /bin/sh with the fake image as the first argument, and all commands within it will effectively be executed,” Schiller said.

“Combining this vulnerability with account takeover allows a self-registered attacker to execute remote code on the underlying server.”
