XMPP/Jabber

Pentesting XMPP/Jabber - TCP Ports 5222, 5269, 8010

Theory

Extensible Messaging and Presence Protocol (XMPP, originally named Jabber) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it enables the near-real-time exchange of structured data between two or more network entities. The service usually run over ports TCP 5222, 5269 or 8010

Practice

Connect to a XMPP server

Pidgin is a chat program that allows to connect to multiple chat networks, including XMPP servers.

Openfire

Openfire is an instant messaging (IM) and groupchat server for the Extensible Messaging and Presence Protocol (XMPP) written in Java.

CVE-2023-32315 - Authentication Bypass Vulnerability

CVE-2023-32315 is a path traversal vulnerability found in the web-based Admin Console of Openfire. This security flaw enables unauthenticated users to access restricted pages that are meant exclusively for administrative use within a configured Openfire environment. Successful exploitation of this vulnerability allows an attacker to create a new administrative user.

This vulnerability impacts all Openfire versions released after April 2015, commencing from version 3.10.0. The issue has been patched in releases 4.7.5 and 4.6.8.

The CVE-2023-32315 python script allow to exploit this vulnerability

python3 CVE-2023-32315.py -t http://127.0.0.1:9090
python3 CVE-2023-32315.py -l lists.txt

Remote Code Execution (RCE)

If you have administrator access to the Openfire console, you can achieve remote code execution by deploying a web shell through a plugin upload. To do this, follow these steps:

go to tab plugin > upload plugin openfire-management-tool-plugin.jar
go to tab server > server settings > Management tool
Access the websehll with password "123"
We should now be able to execute commands

Resources

Pentesting VoIP | HackTricks

XMPPWikipedia

Last updated 2 months ago