IBM Rational Quality Manager and Test Lab Manager Policy Bypass

2010-11-05T00:00:00
ID SAINT:627454943189EB0A2BD02D71CE81E15E
Type saint
Reporter SAINT Corporation
Modified 2010-11-05T00:00:00

Description

Added: 11/05/2010
CVE: CVE-2010-4094
BID: 44172

Background

IBM Rational Quality Manager is a web-based centralized test management environment for test planning, workflow control, tracking and metrics reporting. IBM Rational Quality Manager incorporates Apache Tomcat 5 to help serve custom web applications.

IBM Rational Test Lab Manager integrates fully with Rational Quality Manager and helps to improve the efficiency of the test lab and optimize how resources are requested and provided.

Problem

An unauthorized file upload vulnerability exists in IBM Rational Quality Manager. IBM Rational Quality Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system.

Resolution

Download the fix for IBM Rational Quality Manager 2.0.1 from IBM.

References

<http://www.zerodayinitiative.com/advisories/ZDI-10-214/>

Limitations

Exploit works on IBM Rational Quality Manager 2.0.1 on Microsoft Windows Server 2003 and Windows Server 2008.

It may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file.

Platforms

Windows