[Full-disclosure] ADV: IBM QRadar SIEM
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] ADV: IBM QRadar SIEM
- From: Thomas Pollet <thomas.pollet@xxxxxxxxx>
- Date: Fri, 24 Jan 2014 12:28:04 +0100
Hello,
Copy/paste from
http://thomaspollet.blogspot.be/2014/01/ibm-qradar-siem-csrf-xss-mitm-rce.html:
IBM QRadar SIEM CSRF - XSS - MITM - RCE
I have found that the IBM QRadar Security Intelligence Platform auto update
mechanism exposes a number of security bugs.
Web Interface Screenshot (/console/do/qradar/autoupdateConsole):
<http://4.bp.blogspot.com/-59tEPlAPaQM/UuJIL7p-oZI/AAAAAAAAAhw/Vz8iHxWG60M/s1600/qupdate.PNG>
- The autoupdateConsole doesn't check for cross-site request forgery.
- Input to the autoupdateConsole proxyUsername field is not sanitized,
therefore it is possible to inject HTML into the web interface.
- The autoupdate mechanism doesn't check SSL certificates before
downloading the updates.
- The autoupdate mechanism downloads a file scripts/script_list which
contains a list of files together with their hashes. The autoupdate process
then tries to verify each hash, but in doing so it doesn't escape shell
characters, so it is possible to execute commands. For example, the
appliance will reboot if the script_list contains the entry
372e25f23b5a8ae33c7ba203412ace30 $(reboot)
- The autoupdate mechanism runs as root.
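As an added illustration (not IBM's code and not part of the advisory), the following shows the flawed pattern next to how a script_list hash check should be done: the entry is validated against a strict grammar, the file is hashed in-process instead of through a shell, and the digest is compared in constant time. The entry grammar and the md5sum command line are assumptions; the advisory does not document the real format.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Assumed grammar for one script_list line: 32 lowercase hex chars, whitespace,
# then a relative filename built only from safe characters.
ENTRY_RE = re.compile(r"^([0-9a-f]{32})[ \t]+([A-Za-z0-9._/-]+)$")

def vulnerable_command(entry):
    """Reconstruction (assumption) of the flawed pattern: the untrusted line is
    pasted into a shell command, so $(...) in the name would be expanded.
    Only returned as a string here, never executed."""
    digest, name = entry.split(None, 1)
    return "md5sum " + name + " | grep -q " + digest

def parse_entry(entry):
    """Validate an entry before anything else touches it."""
    m = ENTRY_RE.fullmatch(entry.strip())
    if m is None:
        raise ValueError("rejected script_list entry: %r" % entry)
    digest, name = m.groups()
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError("path traversal in script_list entry: %r" % entry)
    return digest, name

def verify_entry(entry, base_dir):
    """Hash the file in-process (no shell) and compare in constant time."""
    digest, name = parse_entry(entry)
    h = hashlib.md5()
    with open(os.path.join(base_dir, name), "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), digest)

def demo():
    """Constructed script_list: one good entry, plus the advisory's entry."""
    bad = "372e25f23b5a8ae33c7ba203412ace30 $(reboot)"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "update.sh"), "wb") as f:
            f.write(b"hello")  # md5 5d41402abc4b2a76b9719d911017c592
        good = "5d41402abc4b2a76b9719d911017c592 update.sh"
        ok = verify_entry(good, d)
        try:
            verify_entry(bad, d)
            rejected = False
        except ValueError:
            rejected = True
    return ok, rejected, "$(reboot)" in vulnerable_command(bad)
```

Running demo() returns (True, True, True): the good entry verifies, the advisory's entry is rejected before any command is built, and the reconstructed vulnerable pattern would have passed the substitution straight to the shell.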
Regards,
Thomas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/