
List:       full-disclosure
Subject:    [Full-disclosure] ADV: IBM QRadar SIEM
From:       Thomas Pollet <thomas.pollet () gmail ! com>
Date:       2014-01-24 11:28:04
Message-ID: CAN00zFBVxmbCTmAdr9VBrSGEP78pWbnYE_4dApp-w7A_oDkSKg () mail ! gmail ! com



Hello,

Copy/paste from
http://thomaspollet.blogspot.be/2014/01/ibm-qradar-siem-csrf-xss-mitm-rce.html:

IBM QRadar SIEM CSRF - XSS - MITM - RCE
I have found that the IBM QRadar Security Intelligence Platform auto update
mechanism exposes a number of security bugs.

Web Interface Screenshot (/console/do/qradar/autoupdateConsole)
<http://4.bp.blogspot.com/-59tEPlAPaQM/UuJIL7p-oZI/AAAAAAAAAhw/Vz8iHxWG60M/s1600/qupdate.PNG>



   - The autoupdateConsole doesn't check for cross-site request forgery.
   - Input to the autoupdateConsole proxyUsername field is not sanitized,
     therefore it is possible to inject HTML into the web interface.
   - The autoupdate mechanism doesn't check SSL certificates before
     downloading the updates.
   - The autoupdate mechanism downloads a file scripts/script_list which
     contains a list of files together with their hash. The autoupdate process
     then tries to verify the hash but, in doing so, it doesn't escape shell
     characters. This way it is possible to execute commands. For example, the
     appliance will reboot if the script_list contains an entry

       372e25f23b5a8ae33c7ba203412ace30  $(reboot)

   - The autoupdate mechanism runs as root.


Regards,
Thomas
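A defender-side verifier for the script_list format the post describes, added here as an example; it is not part of the original advisory nor of QRadar's own update code. It assumes the "<md5 hex>  <file name>" line layout quoted above, validates each name against a strict allowlist before touching the filesystem, and hashes in-process so no entry is ever interpolated into a shell command; the file names, hashes and directory are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the script_list format the advisory describes
# ("<md5 hex>  <file name>" per line). The last two lines are hostile
# entries that must be rejected up front, never handed to a shell.
SAMPLE_SCRIPT_LIST = """\
d41d8cd98f00b204e9800998ecf8427e  empty.sh
00000000000000000000000000000000  stale.sh
372e25f23b5a8ae33c7ba203412ace30  $(reboot)
372e25f23b5a8ae33c7ba203412ace30  ../../etc/passwd
"""

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # one relative component, benign chars only
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def parse_script_list(text):
    """Return (accepted, rejected): (digest, name) tuples vs. raw lines that failed the allowlist."""
    accepted, rejected = [], []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            if line.strip():
                rejected.append(line)
            continue
        digest, name = parts[0].lower(), parts[1]
        if MD5_HEX.match(digest) and SAFE_NAME.match(name):
            accepted.append((digest, name))
        else:
            rejected.append(line)
    return accepted, rejected

def verify_file(base_dir, name, expected_md5):
    """Hash in-process with hashlib: no shell, no string interpolation of the name."""
    h = hashlib.md5()
    with Path(base_dir, name).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_md5

def demo():
    """Constructed run in a temp dir: empty.sh matches, stale.sh does not, hostile lines are rejected."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("empty.sh", b""), ("stale.sh", b"x")):
            Path(d, name).write_bytes(data)
        accepted, rejected = parse_script_list(SAMPLE_SCRIPT_LIST)
        return {n: verify_file(d, n, h) for h, n in accepted}, rejected
```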




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
