Full Disclosure mailing list archives
ADV: IBM QRadar SIEM
From: Thomas Pollet <thomas.pollet () gmail com>
Date: Fri, 24 Jan 2014 12:28:04 +0100
Hello,

Copy/paste from http://thomaspollet.blogspot.be/2014/01/ibm-qradar-siem-csrf-xss-mitm-rce.html:

IBM QRadar SIEM CSRF - XSS - MITM - RCE

I have found that the IBM QRadar Security Intelligence Platform auto update mechanism exposes a number of security bugs.

Web Interface Screenshot (/console/do/qradar/autoupdateConsole) <http://4.bp.blogspot.com/-59tEPlAPaQM/UuJIL7p-oZI/AAAAAAAAAhw/Vz8iHxWG60M/s1600/qupdate.PNG>

- The autoupdateConsole doesn't check for cross site request forgery
- Input to the autoupdateConsole proxyUsername field is not sanitized, therefore it is possible to inject HTML into the web interface
- The autoupdate mechanism doesn't check SSL certificates before downloading the updates
- The autoupdate mechanism downloads a file scripts/script_list which contains a list of files together with their hash. The autoupdate process then tries to verify the hash but, doing so, it doesn't escape shell characters. This way it is possible to execute commands. For example, the appliance will reboot if the script_list contains an entry 372e25f23b5a8ae33c7ba203412ace30 $(reboot)
- The autoupdate mechanism runs as root

Regards,
Thomas
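An added example (not IBM's code and not from the advisory) of how an update verifier can consume a script_list-style manifest without ever handing its fields to a shell: the hash is computed in-process and the path field is whitelisted, so an entry like the one quoted above is rejected instead of executed. The "<hash> <path>" line format and the use of MD5 are assumptions drawn from the 32-character hex entry in the post.

```python
import hashlib
import re
from pathlib import Path

# Assumed script_list line format: "<32 hex chars> <relative path>". The
# advisory shows only one entry, so this format is a constructed approximation.
ENTRY_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")
# Whitelist for the path field: no shell metacharacters, no whitespace.
SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9_./-]+$")

def parse_script_list(text):
    """Split script_list into (accepted, rejected) entries.
    Accept only a 32-hex-digit hash plus a whitelisted path with no '..'
    segment; anything else, such as '$(reboot)', is reported, never executed."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m and SAFE_PATH_RE.match(m.group(2)) and ".." not in m.group(2).split("/"):
            accepted.append((m.group(1), m.group(2)))
        else:
            rejected.append(line)
    return accepted, rejected

def verify_bytes(data, expected_md5):
    """Hash in-process: no shell is involved, so metacharacters cannot run."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()

def verify_file(base_dir, rel_path, expected_md5):
    """Chunked in-process hash of a downloaded file against its entry."""
    h = hashlib.md5()
    with open(Path(base_dir, rel_path), "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_md5.lower()

# Constructed sample: MD5 of empty input, the advisory's entry, a traversal entry.
SAMPLE_SCRIPT_LIST = """\
d41d8cd98f00b204e9800998ecf8427e scripts/empty.sh
372e25f23b5a8ae33c7ba203412ace30 $(reboot)
372e25f23b5a8ae33c7ba203412ace30 ../../etc/passwd
"""

if __name__ == "__main__":
    ok, bad = parse_script_list(SAMPLE_SCRIPT_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected entries are the ones to alert on: a manifest fetched over an unverified TLS connection that contains anything but hex-plus-path is a sign the update channel has been tampered with.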