Several security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, which could potentially be exploited by bad actors to wrest control of admin accounts and run malicious code on vulnerable servers.
“Attackers can bring applications into unforeseen states, allowing them to take over any user account, including admin accounts,” Sonar vulnerability researcher Stefan Schiller said in a report shared with The Hacker News.
“The acquired admin privileges can then be leveraged to exploit other vulnerabilities that allow an attacker to execute arbitrary code on the Apache OpenMeetings server.”
Following responsible disclosure on March 20, 2023, the vulnerabilities have been addressed in Apache OpenMeetings version 7.1.0, which was released on May 9, 2023. The three flaws are as follows –
- CVE-2023-28936 (CVSS score: 5.3) – Insufficient invite hash check
- CVE-2023-29032 (CVSS score: 8.1) – Authentication shortcut leading to unrestricted access via invite hash
- CVE-2023-29246 (CVSS score: 7.2) – Injection of NULL bytes (%00) which allows attackers with admin privileges to gain code execution
Meeting invitations generated by OpenMeetings are not only tied to a specific room and user, but also carry a unique hash that the application uses to look up the details associated with the invitation.
In summary, the first two flaws stem from a weak comparison between the user-supplied hash and the hash stored in the database, and from a quirk that lets a room invitation continue to exist after the room it was created for has been removed.
A threat actor could exploit these flaws by creating an event, joining its room, and then deleting the event, leaving behind an invitation to the admin user for a room that no longer exists. In a later step, the weak hash comparison bug can be exploited to enumerate outstanding invitations and redeem them by supplying a wildcard in place of the hash.
“Although the room was also deleted when the associated event was deleted, the presence of the assailant in the room made it a zombie room,” explains Schiller. “Even if an error appears when redeeming the hash for such an invitation, a valid web session for the person invited with the full permissions of this user is established.”
In other words, a zombie room allows an attacker to gain admin privileges and make modifications to the OpenMeetings instance, including adding and removing users and groups, changing room settings, and terminating connected user sessions.
Sonar also identified a third vulnerability rooted in a feature that allows administrators to configure the paths of the executables used for ImageMagick, the open-source software OpenMeetings relies on for image editing and processing. The path is not checked for NULL bytes, so an attacker with admin privileges can gain code execution by changing the ImageMagick path to “/bin/sh%00x” and triggering an arbitrary shell command.
“When now uploading a bogus image containing a valid image header followed by an arbitrary shell command, the conversion spawns /bin/sh with the first argument being the bogus image, effectively executing every command within it,” says Schiller.
“In combination with account takeover, this vulnerability allows a self-registered attacker to gain remote code execution on the underlying server.”
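To make the two invitation flaws and the NULL-byte check concrete, here is an added illustration that is not OpenMeetings' own code: the invitation table, the 64-hex-character hash format and the assumption that the weak comparison behaves like a SQL LIKE pattern match are all constructed for the example. It places a lookup that a wildcard satisfies beside a hardened redemption that also refuses invitations whose room is gone, and adds a validator for the admin-configured executable path.

```python
import os
import re
import sqlite3

# Assumed invite-hash format for this example: exactly 64 lowercase hex characters.
HASH_RE = re.compile(r"^[0-9a-f]{64}$")


def build_db():
    """Constructed in-memory invitation table; the schema is invented for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invitation (hash TEXT, invitee TEXT, room_id INTEGER)")
    db.executemany("INSERT INTO invitation VALUES (?, ?, ?)", [
        ("a" * 64, "admin", None),  # room deleted with its event: a "zombie" invitation
        ("b" * 64, "alice", 42),    # ordinary invitation with a live room
    ])
    return db


def redeem_weak(db, user_hash):
    """Assumed weak lookup: a pattern comparison, so a wildcard input matches a stored hash."""
    return db.execute(
        "SELECT invitee, room_id FROM invitation WHERE hash LIKE ?", (user_hash,)
    ).fetchone()


def redeem_hardened(db, user_hash):
    """Strict redemption: validate the format, match exactly, and refuse invites without a room."""
    if not HASH_RE.fullmatch(user_hash):  # rejects "%", "_", NUL bytes and wrong lengths
        return None
    row = db.execute(
        "SELECT invitee, room_id FROM invitation WHERE hash = ?", (user_hash,)
    ).fetchone()
    if row is None or row[1] is None:  # no such invite, or its room no longer exists
        return None
    return row


# Allow-list for the admin-configurable ImageMagick executables (values chosen for the example).
ALLOWED_TOOL_DIRS = ("/usr/bin", "/usr/local/bin")
ALLOWED_TOOL_NAMES = {"convert", "identify"}


def validate_tool_path(path):
    """Check an admin-supplied executable path: no NUL bytes, allow-listed directory and name."""
    if "\x00" in path:  # a native layer would truncate here, turning "/bin/sh\x00x" into "/bin/sh"
        return False
    norm = os.path.normpath(path)
    return (os.path.dirname(norm) in ALLOWED_TOOL_DIRS
            and os.path.basename(norm) in ALLOWED_TOOL_NAMES)
```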