#2543 Possible indication DoS vulnerability

Security
closed-rejected
5
2012-10-06
2012-10-01
No

Abstract -
White Hat reported issue with Director CIM. Product team is responsible for
working with the reporter as they deem necessary on the issue of publication of
the vuln. For this reporters policy document please contact
servsec"@"us.ibm.com

Full Text -
Product description:
---------------

IBM Director is an application that can track and view system
configurations of remote computers. It is available for Linux, AIX, and
Windows servers.

Vulnerability overview:
---------------

The CIM server from the IBM Director suite for Microsoft Windows is
prone to a local privilege escalation vulnerability because the
application fails to properly validate incoming indication requests. By
exploiting this vulnerability an attacker can run arbitrary code with
the privileges of the CIM server process (LOCAL SYSTEM in the Windows
version).

Vulnerability details:
---------------

The CIM server listens for so-called indication requests which it passes
to local consumers. These consumers are implemented within dynamic link
libraries or shared objects that reside on the system.
Because the consumer named is not checked for Windows path
metacharacters (""), it is possible to traverse the filesystem and
specify any library on the system. CIM server will load the specified
DLL and call its entry point function, PegasusCreateProvider(const char
*).

For example, the following request will load C:mydll.dll:

M-POST /CIMListener/........mydll HTTP/1.1
CIMOperation: MethodCall
CIMExport: MethodRequest
CIMExportMethod: ExportIndication

[some xml]

The vulnerability can be exploited by a local user or an attacker who is
able to upload a file to the target system.

Bonus DOS vulnerability:
---------------

On a side note, the CIM server also crashes in a non-exploitable way on
receiving long consumer names:

M-POST /CIMListener/[Ax512] HTTP/1.1
CIMOperation: MethodCall
CIMExport: MethodRequest
CIMExportMethod: ExportIndication

[some xml]

Vulnerable versions:
---------------

IBM Director for Windows <=

Discussion

  • Dave Blaschke

    Dave Blaschke - 2012-10-06

    The first line of an HTTP request/response contains "method resource HTTP/1.1" where method is GET, POST, etc and resource is something like /CIMListener/........mydll.

    As for incoming HTTP requests (indications):

    1) HttpConnectionHandler.handleConnection() -

    sets localAddress to "http://" + socket.getLocalAddress(), so at a minimum it is http:// but is usually something like http://1.2.3.4:5678, and passes it to:

    2) CIMIndicationHandler.handleContent() -

    passes pLocalAddress directly to:

    3) CIMIndicationHandler.dispatchIndications() -

    sets path to resource from HTTP header (/CIMListener/........mydll)
    if resource null, sets id to pLocalAddress + "/"
    else if resource "/cimom", sets id to "/cimom"
    else if resource starts with "http", set id to resource
    else set id to pLocalAddress + path

    and passes id to:

    4) ReliableIndicationHandler.handleIndication() -

    puts pId in CIMEvent and passes to:

    5) CIMEventDispatcher.dispatchEvent() -

    passed pId to indicationOccurred() as pIndicationURL

    So, the Java CIM Client does not load the resource passed in with an indication. In the typical case, a modified version of the resource is passed to the indication handler as a string. Using the values supplied above, it would be "http://1.2.3.4:5679/CIMListener/........mydll"

    As for outgoing HTTP requests to Director, the Java CIM Client sets the resource to the scheme, host and port passed to WBEMClient.initialize() + "/cimom" So if something invalid like "/CIMListener/........mydll" is passed in an exception will be thrown because it is not a valid URI. If "http://1.2.3.4:5678/CIMListener/........mydll" is passed in then the resource sent to Director would be http://1.2.3.4:5678/cimom which would not result in any file getting loaded.

    To summarize, this is a non-issue for the Java CIM Client.

     
  • Dave Blaschke

    Dave Blaschke - 2012-10-06
    • status: open --> closed-rejected
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks