Aerosol Posted February 15, 2015

Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

During a penetration test, RedTeam Pentesting discovered that the IBM
Endpoint Manager Relay Diagnostics page allows anybody to persistently
store HTML and JavaScript code that is executed when the page is opened
in a browser.

Details
=======

Product: IBM Endpoint Manager
Affected Versions: 9.1.x versions earlier than 9.1.1229,
                   9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE: CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137

Introduction
============

IBM Endpoint Manager products - built on IBM BigFix technology - can
help you achieve smarter, faster endpoint management and security. These
products enable you to see and manage physical and virtual endpoints
including servers, desktops, notebooks, smartphones, tablets and
specialized equipment such as point-of-sale devices, ATMs and
self-service kiosks. Now you can rapidly remediate, protect and report
on endpoints in near real time.

(from the vendor's homepage)

More Details
============

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
typically serve HTTP and HTTPS on port 52311. There, the server or relay
diagnostics page is normally accessible at the path /rd. That page can
be accessed without authentication and lets users query and modify
different information. For example, a TEM Relay can be instructed to
gather a specific version of a certain Fixlet site by requesting a URL
such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
  &version=1
  &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the
following URL is requested, the browser executes the JavaScript code
provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list,
so that the embedded JavaScript code is executed whenever the
diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]
<select NAME="url">
[...]
<option>http://"><script>alert(/XSS/)</script></option>
</select>

Proof of Concept
================

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion&version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.

Security Risk
=============

As the relay diagnostics page is typically not frequented by
administrators and does not normally require authentication, it is
unlikely that the vulnerability can be exploited to automatically and
reliably attack administrative users and obtain their credentials.
Nevertheless, the ability to host arbitrary HTML and JavaScript code on
the relay diagnostics page, i.e. on a trusted system, may allow
attackers to conduct very convincing phishing attacks.

This vulnerability is therefore rated as a medium risk.

Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
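A defender-side check for the stored variant the advisory describes, as an added example that is neither part of the advisory nor vendor code: it parses the site-list <select> of a saved copy of the /rd page, flags entries that contain markup or do not parse as a plain http(s) URL, and shows the HTML escaping the vulnerable page lacks. The sample page is constructed from the curl output quoted in the advisory; the function names are the example's own.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample of a relay diagnostics page, modelled on the curl
# output quoted in the advisory; not captured from a real relay.
SAMPLE_RD_PAGE = """<html><body>
<select NAME="url">
<option>http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite</option>
<option>http://"><script>alert(/XSS/)</script></option>
</select>
</body></html>"""

# Each site-list entry is emitted verbatim inside an <option> element.
OPTION_RE = re.compile(r"<option[^>]*>(.*?)</option>", re.IGNORECASE | re.DOTALL)


def site_list_entries(page_html):
    """Return the raw text of every <option> in the site list."""
    return OPTION_RE.findall(page_html)


def is_suspicious_entry(entry):
    """A legitimate site entry is a plain http(s) URL with a host and no
    markup. Anything containing <, > or " (the characters needed to break
    out of the option value) or that fails to parse as such is flagged."""
    if any(ch in entry for ch in '<>"'):
        return True
    try:
        parts = urlsplit(entry)
    except ValueError:
        return True
    return parts.scheme not in ("http", "https") or not parts.netloc


def find_tampered_entries(page_html):
    """Entries of the site list that look like injected content."""
    return [e for e in site_list_entries(page_html) if is_suspicious_entry(e)]


def render_option(url):
    """Hardened rendering of one entry: HTML-escape the value, including
    double quotes, so it can neither close the element nor start a tag."""
    return "<option>%s</option>" % html.escape(url, quote=True)


if __name__ == "__main__":
    for entry in find_tampered_entries(SAMPLE_RD_PAGE):
        print("suspicious site-list entry:", entry)
        print("escaped rendering:         ", render_option(entry))
```

Running the same check against `curl http://<relay>:52311/rd` output from an unpatched relay tells an administrator whether the site list already carries injected content before the upgrade to 9.1.1229 or 9.2.1.48 is applied.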