SAINT:0DA3E83ACADF15B0430714C34348CD54
History: Nov 05, 2010 - 12:00 a.m.

IBM Rational Quality Manager and Test Lab Manager Policy Bypass

2010-11-05 00:00:00
SAINT Corporation
download.saintcorporation.com

Severity: 5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 0.011 Low (percentile 83.0%)

Added: 11/05/2010
CVE: CVE-2010-4094
BID: 44172

Background

IBM Rational Quality Manager is a web-based centralized test management environment for test planning, workflow control, tracking and metrics reporting. IBM Rational Quality Manager incorporates Apache Tomcat 5 to help serve custom web applications.

IBM Rational Test Lab Manager integrates fully with Rational Quality Manager and helps to improve the efficiency of the test lab and optimize how resources are requested and provided.

Problem

An unauthorized file upload vulnerability exists in IBM Rational Quality Manager. IBM Rational Quality Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system.
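Detection logic a defender could run over the bundled Tomcat's access log to surface WAR deployments through the manager application and repeated authentication failures against it, added here as an example that is not part of the SAINT advisory. The log lines are constructed; the manager paths assume Tomcat's default /manager context and the "common" access-log pattern.

```python
import re
from collections import defaultdict

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Deployment endpoints of the Tomcat manager application (assumption: default
# /manager context; Tomcat 5 uses /manager/deploy, later versions /manager/text/deploy).
DEPLOY_PATHS = ("/manager/deploy", "/manager/text/deploy", "/manager/html/upload")

# Constructed sample log: a normal RQM request, two failed logins to the
# manager app, then a successful login and a PUT-based WAR deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2010:10:00:01 +0000] "GET /jazz/web/console HTTP/1.1" 200 1234
203.0.113.9 - - [05/Nov/2010:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 -
203.0.113.9 - - [05/Nov/2010:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 -
203.0.113.9 - tomcat [05/Nov/2010:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 8765
203.0.113.9 - tomcat [05/Nov/2010:10:00:05 +0000] "PUT /manager/deploy?path=/app1&update=true HTTP/1.1" 200 57
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_war_deployments(lines):
    """Return (successful deployments, per-host 401 counts against /manager/)."""
    deployments, failures = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.startswith("/manager/"):
            continue
        status = int(rec["status"])
        if status == 401:
            failures[rec["host"]] += 1  # credential guessing shows up here
        elif status == 200 and rec["method"] in ("PUT", "POST") and path in DEPLOY_PATHS:
            deployments.append((rec["host"], rec["user"], rec["path"]))
    return deployments, dict(failures)


if __name__ == "__main__":
    deps, fails = find_war_deployments(SAMPLE_LOG.splitlines())
    print("deployments:", deps)
    print("auth failures per host:", fails)
```

A deployment by a user that should never log in interactively, or one preceded by 401s from the same address, is the event to alert on; disabling or re-credentialing the manager app removes the path entirely.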

Resolution

Download the fix for IBM Rational Quality Manager 2.0.1 from IBM.

References

http://www.zerodayinitiative.com/advisories/ZDI-10-214/

Limitations

Exploit works on IBM Rational Quality Manager 2.0.1 on Microsoft Windows Server 2003 and Windows Server 2008.

It may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file.

Platforms

Windows
