IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities

2012-06-2000:00:00

Gjoko Krstic

zeroscience.mk

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

6.3

Confidence

High

EPSS

0.004

Percentile

74.6%

JSON

Title: IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities
Advisory ID: ZSL-2012-5094
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 20.06.2012

Summary

Through its extraordinary flexibility, reliability, and performance, the IBM® System Storage® series is designed to manage a broad scope of storage workloads that exist in today’s complex data center and do it effectively and efficiently. This flagship IBM disk system can bring simplicity to your storage environment by supporting a mix of random and sequential I/O workloads for a mix of interactive and batch applications, regardless of whether they are running on one of today’s popular distributed server platforms or on the mainframe.

Description

IBM System Storage DS Storage Manager Profiler suffers from an SQL Injection and a Cross-Site Scripting (XSS) vulnerability. Input passed via the GET parameter ‘selectedModuleOnly’ in ‘ModuleServlet.do’ script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The GET parameter ‘updateRegn’ in the ‘SoftwareRegistration.do’ script is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Vendor

IBM Corporation - <http://www.ibm.com>

Affected Version

4.8.6

Tested On

Apache-Coyote/1.1
MySQL

Vendor Status

[03.03.2012] Vulnerabilities discovered.
[19.04.2012] Reported vulnerability report to vendor.
[19.04.2012] Vendor acknowledges receipt of the vulnerability report.
[25.04.2012] Asked vendor for confirmation.
[26.04.2012] Vendor confirms the issues, working on mitigation plan.
[01.05.2012] Vendor promises that the updated package will be available in June timeframe.
[05.06.2012] Asked vendor for status update.
[07.06.2012] Vendor replies.
[15.06.2012] Vendor releases fix.
[20.06.2012] Coordinated public security advisory released.

PoC

ibmssdssmp_sqlixss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172>
[2] http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5090850&brandind=5000008&myns=x008&mync=R
[3] <http://xforce.iss.net/xforce/xfdb/75236>
[4] <http://xforce.iss.net/xforce/xfdb/75239>
[5] <https://vulners.com/cve/CVE-2012-2171>
[6] <https://vulners.com/cve/CVE-2012-2172>
[7] <http://secunia.com/advisories/49582>
[8] <http://cxsecurity.com/issue/WLB-2012060257>
[9] <http://packetstormsecurity.org/files/114008>
[10] <http://www.exploit-db.com/exploits/19321/>
[11] <http://www.securelist.com/en/advisories/49582>
[12] <http://www.securitytracker.com/id/1027194>
[13] <http://www.securityfocus.com/bid/54112>
[14] <http://osvdb.org/show/osvdb/83177>
[15] <http://osvdb.org/show/osvdb/83179>

Changelog

[20.06.2012] - Initial release
[21.06.2012] - Added reference [7], [8], [9], [10], [11] and [12]
[22.06.2012] - Added reference [13]
[24.06.2012] - Added reference [14] and [15]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities


Vendor: IBM Corporation
Product web page: http://www.ibm.com
Affected version: 4.8.6

Summary: Through its extraordinary flexibility, reliability, and performance,
the IBM� System Storage� series is designed to manage a broad scope of storage
workloads that exist in today�s complex data center and do it effectively and
efficiently. This flagship IBM disk system can bring simplicity to your storage
environment by supporting a mix of random and sequential I/O workloads for a mix
of interactive and batch applications, regardless of whether they are running on
one of today�s popular distributed server platforms or on the mainframe.

Desc: IBM System Storage DS Storage Manager Profiler suffers from an SQL Injection
and a Cross-Site Scripting (XSS) vulnerability. Input passed via the GET parameter
'selectedModuleOnly' in 'ModuleServlet.do' script is not properly sanitised before
being returned to the user or used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code. The GET parameter 'updateRegn' in the
'SoftwareRegistration.do' script is vulnerable to a XSS issue where the attacker can
execute arbitrary HTML and script code in a user's browser session in context of an
affected site.

Tested on: Apache-Coyote/1.1
           MySQL


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Vendor status:

[03.03.2012] Vulnerabilities discovered.
[19.04.2012] Reported vulnerability report to vendor.
[19.04.2012] Vendor acknowledges receipt of the vulnerability report.
[25.04.2012] Asked vendor for confirmation.
[26.04.2012] Vendor confirms the issues, working on mitigation plan.
[01.05.2012] Vendor promises that the updated package will be available in June timeframe.
[05.06.2012] Asked vendor for status update.
[07.06.2012] Vendor replies.
[15.06.2012] Vendor releases fix.
[20.06.2012] Coordinated public security advisory released.


Advisory ID: ZSL-2012-5094
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

IBM Advisory: https://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172
IBM Fix: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5090850&amp;brandind=5000008&amp;myns=x008&amp;mync=R

ISS X-Force ID (SQLi): 75236
ISS X-Force URL: http://xforce.iss.net/xforce/xfdb/75236

ISS X-Force ID (XSS): 75239
ISS X-Force URL: http://xforce.iss.net/xforce/xfdb/75239

CVE ID (SQLi): CVE-2012-2171
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2171

CVE ID (XSS): CVE-2012-2172
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2172


03.03.2012

-----

XSS: http://10.1.0.3:9000/SoftwareRegistration.do?updateRegn="&gt;<script>alert(1);</script>

SQLi: http://10.1.0.3:9000/ModuleServlet?DeviceId=1&amp;state=state_viewmodulelog&amp;selectedModuleOnly=1[SQL QUERY]&amp;selectedModule=1
</p></body></html>