SAINT Corporation, SAINT:768CD2D073E7F98FE082E94F5F58B11D
Oct 16, 2009 - 12:00 a.m.

IBM Installation Manager iim URI Handling Code Execution

2009-10-16 00:00:00
SAINT Corporation
download.saintcorporation.com
10

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.019
Percentile: 88.7%

Added: 10/16/2009
CVE: CVE-2009-3518
BID: 36549
OSVDB: 58420

Background

IBM Installation Manager (IIM) is a software tool that helps to install, update, modify, and uninstall packages.

Problem

When IIM is installed, it registers the application IBMIM.exe as the handler for the iim:// URI scheme, so when an iim:// URI is opened, the web browser launches IIM as the default application. An argument injection vulnerability allows non-privileged command execution when a user loads a page that uses double quotes in the URI to manipulate the -vm argument to IBMIM.exe. The -vm argument specifies the executable to use as the Java virtual machine. A successful attacker can cause a malicious file to be executed from remote locations using Server Message Block (SMB).
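
One way to spot this pattern in process-creation logs, as an added example that is not part of the SAINT advisory: it flags IBMIM.exe launches whose command line carries a -vm value on a UNC path, or any -vm argument alongside an iim: URI. The install path, host names, sample command lines and finding labels are constructed assumptions.

```python
import re

# Constructed process-creation command lines; install path and hosts are assumptions.
IIM = r'"C:\Program Files\IBM\Installation Manager\eclipse\IBMIM.exe"'
SAMPLES = [
    IIM + r' "iim://constructed.example/start"',
    IIM + r' -vm "C:\Program Files\IBM\jre\bin\javaw.exe"',
    IIM + r' "iim://constructed.example/" -vm \\fileserver.example\share\vm.exe',
    r'"C:\Windows\notepad.exe" notes.txt',
]

TOKEN = re.compile(r'"[^"]*"|\S+')              # quoted run or bare word
UNC = re.compile(r'^(?:\\\\|//)[^\\/]+[\\/]')   # \\host\share or //host/share


def tokens(cmdline):
    """Split a Windows-style command line; backslashes are kept literally."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def assess(cmdline):
    """Return finding labels (hypothetical names) for one command line."""
    toks = tokens(cmdline)
    if not toks or not toks[0].lower().endswith("ibmim.exe"):
        return []                                # not an IIM launch
    args = toks[1:]
    has_uri = any(a.lower().startswith("iim:") for a in args)
    findings = []
    for i, arg in enumerate(args):
        if arg.lower() != "-vm":
            continue
        value = args[i + 1] if i + 1 < len(args) else ""
        if UNC.match(value):
            findings.append("vm-on-network-share")   # JVM binary loaded over SMB
        if has_uri:
            findings.append("vm-with-iim-uri")       # -vm arrived with a handler URI
    return findings


if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line) or "ok", "|", line)
```

A launch started by the URI handler has no reason to carry -vm, so either finding on a host with IIM 1.3.2 is worth triage.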

Resolution

Upgrade to a version of IIM newer than 1.3.2 when it becomes available.

References

<http://secunia.com/advisories/36906/>

Limitations

Exploit works on IBM Installation Manager 1.3.2 and requires a user to load the exploit page in Internet Explorer 6, 7, or 8.

In order for this exploit to succeed, first download the exploit.exe file from the exploit server and place it on the specified SMB share, which must be accessible by the target.

Platforms

Windows
