OpenMeetings Hack: Instance Hijack and Server Code Execution

Vulnerabilities in Apache OpenMeetings that let an attacker take over an instance and execute code remotely on the server have been disclosed. Research by Sonar uncovered a chain of weaknesses in the video conferencing application.


The vulnerabilities, assigned CVE-2023-28936, CVE-2023-29023 and CVE-2023-29246, concern a weak hash comparison, unrestricted access to a meeting via an invitation hash, and a null-byte injection.

WHAT IS THE OPENMEETINGS VIDEO CONFERENCING APP:

Apache OpenMeetings is a cross-platform application in which users schedule meetings, seminars or events, and connect, collaborate and innovate with one another.

In a fast-growing digital business era, OpenMeetings is a free, open-source video conferencing application designed by Apache that lets users schedule, invite people to and attend video conferences, webinars, interactive presentations and online training sessions. It was first developed under the Apache Software Foundation and was first released in 2007.

The tool offers numerous features, including web conferencing, collaboration tools, recording and playback, integration capabilities, polls and surveys, and multi-language support.

Its merits are that it is open source and free, runs across different platforms, and is customizable and scalable, among other advantages.

The Impact of Vulnerabilities in OpenMeetings:

Sonar discovered three vulnerabilities in the OpenMeetings application. The vulnerabilities and their assigned CVEs are:

  1. Weak Hash Comparison, assigned CVE-2023-28936.
  2. Unrestricted Access via Invitation Hash, assigned CVE-2023-29023.
  3. Null-Byte Injection, assigned CVE-2023-29246.

According to Sonar's research, the vulnerabilities allow any user who can self-register an account (enabled in the application's default configuration) to take over an administrative account and, from there, execute malicious code remotely.

The account takeover is made possible by combining two flaws: a logic flaw and a weak hash comparison.

How do the vulnerabilities work:

A malicious person or group can trigger certain actions in an unexpected order so that they create a room invitation (an invitation to a meeting room) with no room assigned to it. The attacker then redeems the invitation they created using a wildcard, which in turn gives them administrative privileges.

Because configurable items are insufficiently validated, the attacker can use the acquired admin rights to inject a null byte into one of the configured binary paths. This is then abused to run an arbitrary binary, resulting in remote code execution.

Technical Details of OpenMeetings Vulnerabilities:

  1. OpenMeetings allows users to create an event and add it to their calendar. When a new event is created, an individual room that can be used during the event is created as well.
  2. A user who is in a room can send an invitation to another user; the invitation is represented by the Invitation class. When an object of this class is created, the invitee is set and a random UUID is used as the hash. The invitation is bound to that specific room by calling the setRoom method.
  3. Once the user submits the invitation, the invitee receives an email notification with the meeting invitation link. This link points to the path /openmeetings/hash and carries the generated hash in the invitation query parameter.

An invitation link is bound to the specific room it was generated for and to a specific user, and it is looked up using the randomly generated hash value.

  • Weak Hash Comparison assigned CVE-2023-28936:

The weak hash comparison is found in the getByHash method. It uses the query shown below to retrieve from the database the Invitation object identified by the user-provided hash:

Code screenshot (source: sonarsource.com): openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Invitation.java

The retrieved value is compared using the SQL LIKE operator. Unlike a strict operator such as equals (=), LIKE allows wildcards in the pattern. With the default database, the supplied pattern must contain at least one character.

For example, when the pattern “5%” is supplied as the hash, every invitation whose hash matches the pattern (any hash beginning with “5”) is returned, which lets an attacker enumerate and recover valid invitation hashes.
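The difference between the wildcard lookup and an exact comparison, shown as an added example that is not part of the article or of OpenMeetings' own code: the LIKE semantics are simulated in memory with a small pattern converter, the class and method names are hypothetical, and the stored hashes are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical stand-in for the invitation table; the real lookup is a JPA query.
public class InvitationLookup {
    // Constructed sample hashes, not data from a real instance.
    static final List<String> STORED_HASHES = List.of(
        "5a0f3c1e-8b2d-4e7a-9c41-0d6f2b8e1a55",
        "5f7e2a90-1c3b-4d8e-b6a2-7e9c0d4f3b11",
        "c2d4e6f8-0a1b-4c3d-8e9f-123456789abc");

    // Converts a SQL LIKE pattern (% = any run, _ = one character) into a regex
    // so the wildcard behaviour of the original query can be shown without a database.
    static Pattern likeToRegex(String like) {
        StringBuilder re = new StringBuilder();
        for (char c : like.toCharArray()) {
            if (c == '%') re.append(".*");
            else if (c == '_') re.append('.');
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.toString());
    }

    // Pre-7.1.0 behaviour: "WHERE hash LIKE :hash" returns every row the pattern matches.
    static List<String> getByHashWeak(String userHash) {
        Pattern p = likeToRegex(userHash);
        List<String> hits = new ArrayList<>();
        for (String h : STORED_HASHES) if (p.matcher(h).matches()) hits.add(h);
        return hits;
    }

    // Fixed behaviour: a LIKE hit is only accepted when the stored hash equals the input exactly,
    // so a wildcard pattern can no longer resolve to somebody else's invitation.
    static List<String> getByHashStrict(String userHash) {
        List<String> hits = new ArrayList<>();
        for (String h : getByHashWeak(userHash)) if (h.equals(userHash)) hits.add(h);
        return hits;
    }

    public static void main(String[] args) {
        System.out.println("weak lookup for \"5%\":   " + getByHashWeak("5%"));
        System.out.println("strict lookup for \"5%\": " + getByHashStrict("5%"));
        System.out.println("strict lookup for a full hash: "
            + getByHashStrict("5a0f3c1e-8b2d-4e7a-9c41-0d6f2b8e1a55"));
    }
}
```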

  • Unrestricted Access via Invitation Hash assigned CVE-2023-29023:

The checkHashes method retrieves the invitation, declares an hrights set and tries to determine the invitation's room.

Code screenshot (source: sonarsource.com): openmeetings-web/src/main/java/org/apache/openmeetings/web/app/WebSession.java

If the room is valid (successfully identified), the constant Rights.ROOM is added to the hrights set, and then setUser is called with the invitee and hrights as parameters.

Code screenshot (source: sonarsource.com): openmeetings-web/src/main/java/org/apache/openmeetings/web/app/WebSession.java

This means that redeeming an invitation with no room attached results in a session for the invited user that is not restricted at all. An attacker can exploit this by steering the application into a state its developers did not foresee.
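A model of the rights handling just described, added here as an illustration and not taken from the project's code: the class, field and method names are hypothetical, and the only logic it reproduces is the fallback from an empty rights set to the invitee's own rights, next to the corrected behaviour from 7.1.0 described under mitigation.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical model of checkHashes/setUser; names and types are simplified.
public class InvitationRights {
    enum Right { ADMIN, ROOM, DASHBOARD }

    static final class User {
        final String login;
        final Set<Right> ownRights;
        User(String login, Set<Right> ownRights) { this.login = login; this.ownRights = ownRights; }
    }

    static final class Invitation {
        final User invitee;
        final String room;   // null once the event (and with it the room) has been deleted
        Invitation(User invitee, String room) { this.invitee = invitee; this.room = room; }
    }

    // checkHashes: the only right an invitation can grant is ROOM, and only when a room exists.
    static Set<Right> rightsFromInvitation(Invitation inv) {
        Set<Right> hrights = EnumSet.noneOf(Right.class);
        if (inv.room != null) hrights.add(Right.ROOM);
        return hrights;
    }

    // Pre-7.1.0 setUser: an empty rights set fell back to the user's own rights,
    // so an admin invitee with a room-less invitation ended up with a full admin session.
    static Set<Right> sessionRightsVulnerable(User u, Set<Right> hrights) {
        Set<Right> session = EnumSet.noneOf(Right.class);
        session.addAll(hrights.isEmpty() ? u.ownRights : hrights);
        return session;
    }

    // Fixed setUser: the session only ever carries what the invitation itself granted.
    static Set<Right> sessionRightsFixed(User u, Set<Right> hrights) {
        Set<Right> session = EnumSet.noneOf(Right.class);
        session.addAll(hrights);
        return session;
    }

    public static void main(String[] args) {
        User admin = new User("admin", EnumSet.of(Right.ADMIN, Right.ROOM, Right.DASHBOARD));
        Invitation noRoom = new Invitation(admin, null);   // invitation created after the event was deleted
        Set<Right> granted = rightsFromInvitation(noRoom);
        System.out.println("vulnerable session rights: " + sessionRightsVulnerable(admin, granted));
        System.out.println("fixed session rights:      " + sessionRightsFixed(admin, granted));
    }
}
```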

STEPS TAKEN BY THE ATTACKER TO GAIN ACCESS:

  1. The attacker first creates an event.
  2. The attacker then joins the room associated with that event.
  3. The attacker deletes the event after joining its room, while still remaining in the room.
  4. The attacker then creates an invitation for the admin user to the room they just joined.
  5. The attacker then exploits the weak hash comparison by redeeming the invitation with a wildcard character. Although an error is raised when the page for such an invitation is rendered, a valid web session has already been created, and it can be used via the session cookie in the server’s response.
  6. The newly acquired admin privileges let the attacker change the configuration of the running OpenMeetings instance: add and remove users and groups, adjust room settings, and terminate the sessions of users connected to a room.

  • Null-Byte Injection assigned CVE-2023-29246:

This vulnerability stems from the fact that an administrator can configure the paths of various executables such as ImageMagick and FFmpeg. For instance, getPath retrieves the convert binary using the configuration key CONFIG_PATH_IMAGEMAGIC and the binary's name (convert).


Code screenshot (source: sonarsource.com): openmeetings-core/src/main/java/org/apache/openmeetings/core/converter/BaseConverter.java

The getPath method adds a file separator to the configured path if one is not already present, then appends the binary's name.

So the configured path always ends with a file separator and the executable name is fixed; it should not be possible to run an executable with a different name. Injecting a null byte changes this: in the Java realm the null byte is just another character, so the ProcessBuilder used for the code-execution command carries it through to the native layer, where every character after it is ignored.

The actual execution is OS-specific and implemented in native C, where a null byte terminates the string. An attacker who has gained admin privileges can change the ImageMagick path to “/bin/sh%00x”. When the attacker then uploads a fake image with a valid header and shell commands embedded in it, the conversion spawns “/bin/sh” with the fake image as its first argument, and the embedded commands are executed.

MITIGATION:

Apache promptly released Apache OpenMeetings 7.1.0, which addresses the vulnerabilities as follows:

  1. Weak Hash Comparison assigned CVE-2023-28936: the weak hash comparison was fixed by introducing an additional check in the SQL statement that compares the retrieved hash value with the provided one and requires an exact match. This prevents a malicious user from redeeming an invitation hash using a wildcard character.

  2. Unrestricted Access via Invitation Hash assigned CVE-2023-29023: the setUser method was adjusted so that, if the supplied rights set is empty, the applied permissions are no longer derived from the given user. This prevents access via an invitation that has no room assigned to it.

  3. Null-Byte Injection assigned CVE-2023-29246: the fix validates the configured path in a method of

Code screenshot (source: sonarsource.com): openmeetings-web/src/main/java/org/apache/openmeetings/web/admin/configurations/ConfigForm.java

An InvalidPathException is thrown if the configured path contains a null byte, so the validation fails and the truncation of the appended file separator and binary name is prevented.
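A reconstruction of the path handling and of the validation described for the fix, added here as an example and not taken from BaseConverter or ConfigForm: getPath mirrors the separator-plus-binary-name logic described above, asSeenByExec shows what survives once a C string is terminated by the null byte, and isValidConfiguredPath relies on java.nio Paths.get rejecting a NUL character with InvalidPathException on both Unix and Windows. The method names are hypothetical.

```java
import java.io.File;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;

// Hypothetical reconstruction of the converter's path handling; not the project's own code.
public class ConverterPath {
    static final String BINARY = "convert";   // the ImageMagick executable the converter runs

    // Mirrors getPath: append a separator when it is missing, then the fixed binary name.
    static String getPath(String configured) {
        String base = configured;
        if (!base.endsWith(File.separator)) base += File.separator;
        return base + BINARY;
    }

    // What the native exec layer sees: a C string ends at the first NUL,
    // so the separator and binary name appended in Java are silently dropped.
    static String asSeenByExec(String javaPath) {
        int nul = javaPath.indexOf('\0');
        return nul < 0 ? javaPath : javaPath.substring(0, nul);
    }

    // Validation in the spirit of the 7.1.0 fix: Paths.get throws InvalidPathException
    // for a NUL character, so a hostile value is refused before it can ever be executed.
    static boolean isValidConfiguredPath(String configured) {
        try {
            Paths.get(configured);
            return true;
        } catch (InvalidPathException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String safe = "/usr/bin";
        String hostile = "/bin/sh\0x";   // the "/bin/sh%00x" value from the article, URL-decoded
        System.out.println("path built from safe config:          " + getPath(safe));
        System.out.println("hostile config as seen by exec:       " + asSeenByExec(getPath(hostile)));
        System.out.println("safe config passes validation:        " + isValidConfiguredPath(safe));
        System.out.println("hostile config passes validation:     " + isValidConfiguredPath(hostile));
    }
}
```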

Conclusion:

This article discussed the vulnerabilities found in OpenMeetings, which leave instances open to takeover and enable remote code execution. These weaknesses allow unauthorized access, data manipulation and potential control of the instance by malicious actors. They highlight the importance of promptly applying updates and implementing robust security measures to safeguard the platform and its users from exploitation.

Software developers should also adopt clean code principles to reduce the weaknesses present in their software; hardened code makes an application that cannot be easily manipulated or made to malfunction. Read about the security patch and update here.
