Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31274
HistoryOct 16, 2014 - 12:00 a.m.

SEC Consult SA-20140716-0 :: Multiple SSRF vulnerabilities in Alfresco Community Edition

2014-10-1600:00:00
vulners.com
35
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140716-0 >

          title: Multiple SSRF vulnerabilities
        product: Alfresco Community Edition

vulnerable version: <=4.2.f
fixed version: 5.0.a
impact: High
homepage: http://www.alfresco.com
found: 2014-05-15
by: V. Paulikas
SEC Consult Vulnerability Lab

Vendor description:

"Alfresco Community Edition allows organizations to manage any type of content
from simple office documents to scanned images, photographs, engineering drawings
and large video files. It is commonly used as a document management system,
content platform, CMIS-compliant repository."

http://www.alfresco.com/products/community

Business recommendation:

Multiple SSRF vulnerabilities were identified within the affected Alfresco product.

By exploiting these vulnerabilities an unauthenticated attacker is able to
scan available ports on internal systems and access internal web applications
which should not be accessible from the Internet.

It is recommended to restrict access to the affected servlets until an
official patch is released by the vendor.

Vulnerability overview/description:

1) Server Side Request Forgery (SSRF)

A Server Side Request Forgery vulnerability allows to issue remote connections
on behalf of the affected server. This can be exploited in order to reach
internal systems, which are not reachable from the Internet, or to bypass
access restrictions.

Proof of concept:

SSRF PoC 1)
An unauthenticated user can access the proxy servlet and perform internal
system port scanning by accessing the URL provided below:

http://host/alfresco/proxy?endpoint=http://internal_system:port

The server responds with an error message "Connection refused" when the port
is not accessible (firewalled or not available). Other error messages indicate
a service running on the port which is being probed.

The proxy servlet implementation in older versions of the Alfresco Community Edition
support the file:// URI, allowing the attacker to disclose the contents of the files
on the affected server.

SSRF PoC 2)
The Content Management Interoperability Service (CMIS) can also be exploited
by an unauthenticated attacker in order to issue internal connections. The
following URL can be used in order to exploit the vulnerability:

http://host/alfresco/cmisbrowser?url=http://internal_system:port

The server responds with similar error messages when the port is open or closed.

If the victim is tricked to access a resource, protected with Basic authentication,
on the affected host via the cmisbrowser servlet, further requests include the submitted
credentials and can be intercepted by an attacker. An example of such a scenario:

Vulnerable / tested versions:

The vulnerabilities have been verified to exist in the Alfresco Community
Edition version 4.2.f, which was the most recent version at the time of
discovery.

The version 2.9.0B was verified to support the file:// URI scheme,
allowing the attackers to disclose contents of the local files on the affected
server.

Vendor contact log:

2014-05-30: Contacting vendor through [email protected] - no response.
2014-06-02: Contacting vendor through online form at http://www.alfresco.com/company/contact
- no response.
2014-06-09: Contacting vendor through [email protected] and online form - no response.
2014-06-16: Contacting vendor through [email protected] and online form.
2014-06-17: Response from the vendor.
2014-06-24: Advisory sent to the vendor.
2014-07-07: Vendor acknowledges that a new version (5.0.a) of the Alfresco CMS
is available
2014-07-16: SEC Consult releases security advisory

Solution:

According to the vendor, the new version 5.0.a fixes the identified problems.
The new version can be downloaded from their website.

However, by inspecting the updated version of the Alfresco CMS it was identified,
that only the /proxy endpoint was properly fixed. The /cmisbrowser was commented out
in the web.xml for default installations and once enabled could be exploited
by unauthenticated attackers as described above.

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to [email protected]

EOF V. Paulikas / @2014
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 &#40;MingW32&#41;
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTxkLMAAoJECyFJyAEdlkKeSAIAJ9Ssya/gH6tqJwcXUXhMdH9
Ux7c4y8QsRWdffAho71Rx+ikTV/GUxt3Le9Z0zOL0z7Xxlr+OPopSkuAOIx0Qa+G
5OqJm/JaaeHmlzeA3VFQyRcDbKLLtSi4yc2FHrt+sT1SLMXAke0RBt8yKZks2pk7
sy43fNloUX1DdjlKXbUZ4a6cZBi8jpdjpjnDD0vyeq4sxa/0nm1EqeV+/g8a9rYN
uP1fxi9tzaHl92kMyyw7kMxeIrI5D6/TcN54mt/oenQ7Hp9rhCtVWq8vzzks3AF+
hzHxiNAj9MWxNX586ytTI11OvXMjpa+ITBVfvR65PYrnNKh9lnaal/el95n+wmw=
=03Vv
-----END PGP SIGNATURE-----
JSON