Land #13770, Update IBM DRM modules with URL and correct versions
ad47a2e9c9
|
@ -4,8 +4,9 @@ IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by
|
|||
The first is an unauthenticated bypass, followed by a path traversal.
|
||||
This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
|
||||
A downloaded file is zipped, and this module also unzips it before storing it in the database.
|
||||
By default, this module downloads Tomcat's 1application.properties` files, which contains the database password, amongst other sensitive data.
|
||||
At the time of disclosure, this is a 0day. Versions 2.0.3 and 2.0.2 are confirmed to be affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.
|
||||
By default, this module downloads Tomcat's application.properties file, which contains the database password, amongst other sensitive data.
|
||||
At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.
|
||||
Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.
|
||||
|
||||
### Vulnerability information
|
||||
For more information about the vulnerability check the advisory at:
|
||||
|
|
|
@ -3,7 +3,8 @@
|
|||
IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root.
|
||||
The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password.
|
||||
This module exploits all three vulnerabilities, giving the attacker a root shell.
|
||||
At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
|
||||
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. The authentication bypass works on versions <= 2.0.6.1,
|
||||
but the command injection should only work on versions <= 2.0.4 according to IBM.
|
||||
|
||||
|
||||
### Vulnerability information
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH.
|
||||
This can be escalated to full root access, as 'a3user' has `sudo` access with the default password.
|
||||
At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
|
||||
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. Versions <= 2.0.6.1 are confirmed to be vulnerable.
|
||||
|
||||
### Vulnerability information
|
||||
For more information about the vulnerability, check the advisory at:
|
||||
|
|
|
@ -21,8 +21,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
A downloaded file is zipped, and this module also unzips it before storing it in the database.
|
||||
By default this module downloads Tomcat's application.properties files, which contains the
|
||||
database password, amongst other sensitive data.
|
||||
At the time of disclosure, this is a 0 day. Versions 2.0.3 and 2.0.2 are confirmed to be
|
||||
affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.
|
||||
At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.
|
||||
Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -38,7 +38,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[ 'CVE', '2020-4427' ], # auth bypass
|
||||
[ 'CVE', '2020-4429' ], # insecure default password
|
||||
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ]
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
|
||||
[ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/']
|
||||
],
|
||||
'DisclosureDate' => '2020-04-21',
|
||||
'Actions' => [
|
||||
|
|
|
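Review bot: The rewritten description sentence `At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.` carries a stray word ("is was"); it should read `At the time of disclosure this was a 0 day, but IBM later patched it and released their advisory.`, and the same sentence is pasted verbatim into this module's markdown documentation hunk earlier in the commit. In the references hunk the added IBM PSIRT entry ends with `cve-2020-4430/']`, without the space before `]` that every other entry in this array uses and that the RCE module's copy of the same line has; write `cve-2020-4430/' ]` here and in the SSH-default-password module's references hunk, which has the same omission. The description string and the references array both continue outside the hunks shown.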
@ -20,8 +20,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
The first is an unauthenticated bypass, followed by a command injection as the server user,
|
||||
and finally abuse of an insecure default password.
|
||||
This module exploits all three vulnerabilities, giving the attacker a root shell.
|
||||
At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be
|
||||
affected, and the latest 2.0.6 is most likely affected too.
|
||||
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.
|
||||
The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on
|
||||
versions <= 2.0.4 according to IBM.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -34,13 +35,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'CVE', '2020-4428' ], # command injection
|
||||
[ 'CVE', '2020-4429' ], # insecure default password
|
||||
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ]
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
|
||||
[ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/' ]
|
||||
],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)', {} ]
|
||||
[ 'IBM Data Risk Manager <= 2.0.4', {} ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
|
|
|
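Review bot: The target name is narrowed to `IBM Data Risk Manager <= 2.0.4` while the description now states that the authentication bypass reaches `<= 2.0.6.1` and that the command injection "should only work" up to 2.0.4, which leaves a reader unsure which bound the module actually enforces; a tighter wording would be `The authentication bypass works on versions <= 2.0.6.1; according to IBM's advisory the command injection is fixed in versions above 2.0.4.` If the module's check method compares the reported appliance version (it is outside these hunks), it presumably needs the same 2.0.4 bound so that its verdict matches the target name. The description string starts before the first hunk and the initialize method continues past the second.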
@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module abuses a known default password in IBM Data Risk Manager. The 'a3user'
|
||||
has the default password 'idrm' and allows an attacker to log in to the virtual appliance
|
||||
via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.
|
||||
At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be
|
||||
affected, and the latest 2.0.6 is most likely affected too.
|
||||
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.
|
||||
Versions <= 2.0.6.1 are confirmed to be vulnerable.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -29,7 +29,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2020-4429' ], # insecure default password
|
||||
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ]
|
||||
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
|
||||
[ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
@ -42,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Arch' => ARCH_CMD,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)', {} ]
|
||||
[ 'IBM Data Risk Manager <= 2.0.6.1', {} ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
|
|
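Review bot: The context line `via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.` survives into the new description with a grammatical slip the commit does not fix; it should read `This can be escalated to full root access`, which is how the same sentence is worded in this module's markdown documentation hunk. The renamed target `IBM Data Risk Manager <= 2.0.6.1` agrees with the new description line `Versions <= 2.0.6.1 are confirmed to be vulnerable.`, so no version mismatch remains here. The description string begins before the first hunk.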