TippingPoint Zero Day Initiative

IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1 Multiple Remote Code Execution Vulnerabilities

ZDI-12-040: March 1st, 2012

CVE ID

CVSS Score

Affected Vendors

Affected Products

Vulnerability Details


IBM Tivoli Provisioning Manager soapServlet SOAP Message Printer.getPrinterAgentKey SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to improperly escaped user input in an SQL query built by the SoapServlet servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) hash of the admin password. With the admin account it is possible to upload a file to the web server and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager Isig.isigCtl.1 ActiveX Control Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express 4.1.1 Isig.isigCtl.1 ActiveX Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way the ActiveX control parses data supplied to the RunAndUploadFile function. The ActiveX control is used to create an Asset Information file for the local system to be uploaded to the IBM Tivoli Provisioning Manager Express server. Due to an unsafe call to strcat it is possible to cause a stack buffer overflow, allowing remote code execution in the context of the current user.

IBM Tivoli Provisioning Manager User.updateUserValue() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to improperly escaped user input in an SQL query built by the register.do servlet. The resulting SQL injection allows a remote attacker to raise their own account rights to the admin level. With the admin account it is possible to upload a file to the web server and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager User.isExistingUser() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to improperly escaped user input in an SQL query built by the logon.do servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) hash of the admin password. With the admin account it is possible to upload a file to the web server and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager Asset.getHWKey() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to improperly escaped user input in an SQL query built by the CallHomeExec servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) hash of the admin password. With the admin account it is possible to upload a file to the web server and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager Asset.getMimeType() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to improperly escaped user input in an SQL query built by the getAttachment servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) hash of the admin password. With the admin account it is possible to upload a file to the web server and execute code under the SYSTEM account.
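The five SQL injection entries above share one root cause: user input spliced into SQL text. The class below is an added illustration written for this page, not IBM's code, using hypothetical method names modelled on the User.isExistingUser() and User.updateUserValue() entries and a hypothetical USERS table; it shows the unsafe pattern next to the two fixes the two query shapes need (a bound parameter for a value, an allow-list for a caller-chosen column name, which JDBC cannot bind).

```java
import java.sql.*;
import java.util.Set;

// Hypothetical data-access class (not IBM's code): a lookup keyed on
// user-supplied text and an update whose target column the caller chooses.
public final class UserDao {
    private final Connection conn;
    // Columns a self-service user may change on their own record; the
    // privilege column is deliberately absent, whatever field name is sent.
    private static final Set<String> USER_EDITABLE =
            Set.of("EMAIL", "PHONE", "DISPLAY_NAME");
    public UserDao(Connection conn) { this.conn = conn; }

    // Vulnerable pattern: the username is spliced into the SQL text, so quote
    // characters inside it change the statement instead of being data.
    public boolean isExistingUserUnsafe(String username) throws SQLException {
        String sql = "SELECT 1 FROM USERS WHERE USERNAME = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened: the value travels as a bound parameter, separate from the
    // statement text, so the driver never interprets it as SQL.
    public boolean isExistingUser(String username) throws SQLException {
        try (PreparedStatement ps =
                 conn.prepareStatement("SELECT 1 FROM USERS WHERE USERNAME = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Identifiers cannot be bound, so the column name is checked against the
    // allow-list before it is placed in the statement; the value is still bound.
    public int updateUserValue(int userId, String column, String value)
            throws SQLException {
        String col = column.toUpperCase();
        if (!USER_EDITABLE.contains(col)) {
            throw new IllegalArgumentException("column not user-editable: " + col);
        }
        String sql = "UPDATE USERS SET " + col + " = ? WHERE USER_ID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, value);
            ps.setInt(2, userId);
            return ps.executeUpdate();
        }
    }
}
```

The allow-list is what closes the privilege-escalation path described for register.do: even a request that names the rights column is rejected before any SQL is built.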

Vendor Response

IBM has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2011-08-24 - Vulnerability reported to vendor
    2012-03-01 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:
    Andrea Micalizzi aka rgod