IBM Installation Manager iim URI Handling Code Execution

2009-10-16T00:00:00
ID SAINT:0503FCF3E4C28D670BCB7D6D1E09290D
Type saint
Reporter SAINT Corporation
Modified 2009-10-16T00:00:00

Description

Added: 10/16/2009
CVE: CVE-2009-3518
BID: 36549
OSVDB: 58420

Background

IBM Installation Manager (IIM) is a software tool that helps to install, update, modify, and uninstall packages.

Problem

When IIM is installed, it registers the application IBMIM.exe as the iim:// scheme handler, so when an iim:// URI is opened, the web browser launches IIM as the default application. An argument injection vulnerability allows non-privileged command execution when a user loads a page that uses double quotes in the URI to manipulate the -vm argument to IBMIM.exe. The -vm argument specifies the executable to use as the Java virtual machine. A successful attacker can cause a malicious file to be executed from a remote location over Server Message Block (SMB).
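For detection, the two markers named above (a double quote inside an iim: URI and an injected -vm argument) can be looked for in page content at a web proxy or mail gateway. The following is an added example, not part of the SAINT advisory or of any IBM code; the function names, the sample page and the `PLACEHOLDER` values are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# "-vm" as a stand-alone token: preceded by start, whitespace or a quote.
VM_ARG = re.compile(r'(?:^|[\s"])-vm(?:[\s"=]|$)', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Percent-decode a few times so double-encoded input (%2522) is exposed too."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_iim_uri(uri):
    """Return the suspicious markers found in one URI ([] if none or not iim:)."""
    if not uri.strip().lower().startswith("iim:"):
        return []
    decoded = decode_fully(uri)
    findings = []
    if '"' in decoded:          # a quote lets text escape the quoted handler argument
        findings.append("double-quote")
    if VM_ARG.search(decoded):  # the injected option described in the advisory
        findings.append("vm-argument")
    return findings

class IimLinkFinder(HTMLParser):
    """Collects (tag, attribute, findings) for every flagged attribute value."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already turned entities such as &quot; into characters.
        for name, value in attrs:
            findings = classify_iim_uri(value or "")
            if findings:
                self.hits.append((tag, name, findings))

def scan_html(page):
    """Scan one HTML document and return the flagged attributes."""
    finder = IimLinkFinder()
    finder.feed(page)
    return finder.hits

# Constructed sample page: one plain link and two flagged ones.
SAMPLE_PAGE = (
    '<a href="iim://repo.example.invalid/packages">install</a>\n'
    "<a href='iim://x%22%20-vm%20PLACEHOLDER'>update</a>\n"
    '<a href="iim://y&quot; -VM PLACEHOLDER">modify</a>\n'
)

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE):
        print(hit)
```

The check only sees URIs present in static markup; an iim: URI assembled by script at load time needs inspection at the endpoint instead.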

Resolution

Upgrade to a version of IIM newer than 1.3.2 when it becomes available.

References

<http://secunia.com/advisories/36906/>

Limitations

The exploit works on IBM Installation Manager 1.3.2 and requires a user to load the exploit page in Internet Explorer 6, 7, or 8.

In order for this exploit to succeed, first download the exploit.exe file from the exploit server and place it on the specified SMB share, which must be accessible by the target.

Platforms

Windows