Full Disclosure mailing list archives

ADV: IBM QRadar SIEM


From: Thomas Pollet <thomas.pollet () gmail com>
Date: Fri, 24 Jan 2014 12:28:04 +0100

Hello,

Copy/paste from
http://thomaspollet.blogspot.be/2014/01/ibm-qradar-siem-csrf-xss-mitm-rce.html:

IBM QRadar SIEM CSRF - XSS - MITM - RCE
I have found that the IBM QRadar Security Intelligence Platform auto update
mechanism exposes a number of security bugs.

Web Interface Screenshot (/console/do/qradar/autoupdateConsole)
<http://4.bp.blogspot.com/-59tEPlAPaQM/UuJIL7p-oZI/AAAAAAAAAhw/Vz8iHxWG60M/s1600/qupdate.PNG>



   - The autoupdateConsole doesn't check for cross-site request forgery.
   - Input to the autoupdateConsole proxyUsername field is not sanitized,
     so it is possible to inject HTML into the web interface.
   - The autoupdate mechanism doesn't check SSL certificates before
     downloading the updates.
   - The autoupdate mechanism downloads a file scripts/script_list which
     contains a list of files together with their hashes. The autoupdate
     process then tries to verify each hash, but in doing so it doesn't
     escape shell characters, so it is possible to execute commands. For
     example, the appliance will reboot if the script_list contains the
     entry

         372e25f23b5a8ae33c7ba203412ace30  $(reboot)

   - The autoupdate mechanism runs as root.
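The hash-verification bug above comes from handing file names taken from a downloaded script_list to a shell. The following is an added defender's example, not code from this advisory or from IBM: it parses an md5sum-style list, rejects any entry whose name falls outside a strict allowlist (the SAFE_NAME policy is an assumption made here), and checks each hash with hashlib so no shell is ever involved. The file names, file contents and listing are constructed for the example; the `$(reboot)` entry is the one quoted above.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Hypothetical (added here, not QRadar's) file-name policy for script_list entries:
# a simple relative name, no path separators and no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_script_list(text: str) -> List[Tuple[str, str]]:
    """Parse md5sum-style lines ('<32 hex digits>  <name>') into (digest, name) pairs.

    Any malformed or unsafe line raises ValueError so the whole update is rejected
    before a single file name is used anywhere.
    """
    entries: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<md5>  <name>'")
        digest, name = parts[0].lower(), parts[1]
        if not MD5_HEX.match(digest):
            raise ValueError(f"line {lineno}: malformed digest {parts[0]!r}")
        if not SAFE_NAME.match(name):
            # This is where an entry such as "$(reboot)" is stopped: it never
            # reaches a shell because no shell is involved at all.
            raise ValueError(f"line {lineno}: unsafe file name {name!r}")
        entries.append((digest, name))
    return entries


def verify_update(text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Check every listed file with hashlib, never by invoking md5sum through a shell."""
    results: Dict[str, str] = {}
    for digest, name in parse_script_list(text):
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif hashlib.md5(data).hexdigest() == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def accept_update(text: str, files: Dict[str, bytes]) -> Tuple[bool, str]:
    """Fail closed: accept only if the list parses cleanly and every file matches."""
    try:
        results = verify_update(text, files)
    except ValueError as exc:
        return False, f"rejected script_list: {exc}"
    bad = sorted(n for n, status in results.items() if status != "ok")
    if bad:
        return False, "hash verification failed for: " + ", ".join(bad)
    return True, f"all {len(results)} entries verified"


# Constructed sample data (not from a real update).
SAMPLE_FILES: Dict[str, bytes] = {"apply_update.sh": b"echo applying update\n"}
GOOD_LIST = hashlib.md5(SAMPLE_FILES["apply_update.sh"]).hexdigest() + "  apply_update.sh\n"
# The advisory's example entry appended to an otherwise valid list.
HOSTILE_LIST = GOOD_LIST + "372e25f23b5a8ae33c7ba203412ace30  $(reboot)\n"

if __name__ == "__main__":
    for label, listing in (("good", GOOD_LIST), ("hostile", HOSTILE_LIST)):
        print(label, accept_update(listing, SAMPLE_FILES))
```

Two caveats belong with this check. MD5 is used only because that is the digest format script_list carries; a hash list gives integrity, not authenticity, so the list itself has to arrive over a TLS connection whose certificate is actually verified or carry a signature, otherwise the certificate bug listed above lets an on-path party supply both the files and the matching hashes. And since the updater runs as root, rejecting the whole update on the first bad entry (rather than skipping it) is the safer failure mode.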


Regards,
Thomas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
