Subject: Unauthenticated access to IBM Host On-Demand administration pages
Date: Mon, 11 Dec 2006 08:39:09 -0600
Message-ID: <6868F396F5637540AE9D274CC90BD88F025F73B2@FNEX01.fishsec.com.>
From: "Ferguson, David (Kansas City)" <Dave.Ferguson@fishnetsecurity.com.>
To: <bugtraq@securityfocus.com.>, <full-disclosure@lists.grok.org.uk.>
SUMMARY
Vulnerability found in: IBM WebSphere Host On-Demand (HOD)
Type: Unauthorized, remote access to HOD administration pages
Applies to: Version 6.0, 7.0, 8.0, and 9.0 (possibly 10.0)
Severity Level: High
Exploit Difficulty: Very Low
Initial Vendor Notification: approximately 11/3/2006
Discovered By: Dave Ferguson, FishNet Security
Secunia advisory location: http://secunia.com/advisories/22652
BACKGROUND
IBM's WebSphere Host On-Demand (HOD) provides a framework for accessing host applications and data from a Java-enabled web browser. The HOD administration pages consist of a set of Java applets. One applet controls user authentication. Others allow you to start and stop services, manage users, configure telnet redirectors, set up LDAP service, and manage licenses. Information about HOD can be found here: http://www-306.ibm.com/software/webservers/hostondemand.
VULNERABILITY OVERVIEW
FishNet Security discovered that a remote, unauthenticated user can access and interact with several of the HOD administration applets. Essentially, a simple URL manipulation attack can bypass the authentication and authorization process. This was found in HOD versions 6.0, 7.0, 8.0, and 9.0. Version 10 (released in 2006) may also be vulnerable, but was not tested.
DETAILS
The applet that handles user authentication is normally located at the following URL: https://server/hod/HODAdmin.html. Once this page loads and the applet is running, the URL showing in the web browser reads something like this: https://server/hod/frameset.html?Java2=true,Obplet=object,cshe=false,pnl=Logon,hgt=480,wth=640,full=false,BrowserLocale=en.there. The web page displays an area for the user to log on and a menu on the left side with several links to other pages/applets. Each of these links is disabled. The links are:
- Introduction
- Users/Groups
- Services
- Redirector Service
- Directory Service
- OS/400 Proxy Server
- Licenses
- Logoff
To bypass the authentication process, you change the value of "pnl" in the current URL. For example, to see the OS/400 Proxy Server page, you would change the pnl parameter from "Logon" to "os400proxy". The page loads and the functionality of the applet appears to be normal in every way. The other links in the menu become enabled, so changing the URL manually is no longer necessary. Two of the pages/applets seem to have additional access control, because the applets remain blank and/or empty and can't be used.
Pages that could be accessed in an unauthenticated state:
Services, Redirector Service, Directory Service, and OS/400 Proxy Server
Pages that could NOT be accessed:
Users/Groups and Licenses
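The bypass described above leaves a trace in the web server's access log: a GET for /hod/frameset.html whose pnl parameter names an administration panel rather than Logon. The following Python script is an added example, not part of the advisory or of IBM's product, that parses such log lines and flags those requests, noting whether the same client had loaded the Logon panel earlier in the excerpt. It assumes a combined-format access log (client, timestamp, request line, status) in front of HOD; the panel name os400proxy and the comma-separated parameter layout are taken from the advisory, while the log lines themselves are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not from the advisory). The request
# targets mirror the URL shapes the advisory describes; clients and times are
# invented.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2006:08:39:09 -0600] "GET /hod/HODAdmin.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.0.0.5 - - [11/Dec/2006:08:39:12 -0600] "GET /hod/frameset.html?Java2=true,Obplet=object,cshe=false,pnl=Logon,hgt=480,wth=640,full=false,BrowserLocale=en HTTP/1.1" 200 2211 "-" "Mozilla/4.0"
192.0.2.77 - - [11/Dec/2006:08:41:02 -0600] "GET /hod/frameset.html?Java2=true,Obplet=object,cshe=false,pnl=os400proxy,hgt=480,wth=640,full=false,BrowserLocale=en HTTP/1.1" 200 2211 "-" "Mozilla/4.0"
10.0.0.5 - - [11/Dec/2006:08:45:50 -0600] "GET /hod/frameset.html?Java2=true,Obplet=object,cshe=false,pnl=os400proxy,hgt=480,wth=640,full=false,BrowserLocale=en HTTP/1.1" 200 2211 "-" "Mozilla/4.0"
"""

# Combined-format access log line: client, identd, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_hod_query(target):
    """Return the applet parameters carried by a HOD frameset URL as a dict.

    HOD separates parameters with commas rather than '&' (as in the advisory's
    example URL); both separators are accepted so the parser also handles a
    conventional query string.
    """
    if "?" not in target:
        return {}
    query = target.split("?", 1)[1]
    params = {}
    for item in re.split(r"[,&]", query):
        if "=" in item:
            key, value = item.split("=", 1)
            params[unquote(key)] = unquote(value)
    return params


def find_admin_panel_requests(log_text):
    """Flag frameset.html requests whose pnl value is not the Logon panel.

    Each finding records the client, time, panel, HTTP status and whether that
    client had loaded the Logon panel earlier in the excerpt. A non-Logon panel
    requested with no prior Logon load is the pattern the advisory describes.
    """
    seen_logon = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line we understand
        target = m.group("target")
        if not target.lower().startswith("/hod/frameset.html"):
            continue
        panel = parse_hod_query(target).get("pnl")
        if panel is None:
            continue
        client = m.group("client")
        if panel.lower() == "logon":
            seen_logon.add(client)
            continue
        findings.append({
            "client": client,
            "time": m.group("time"),
            "panel": panel,
            "status": int(m.group("status")),
            "prior_logon_load": client in seen_logon,
        })
    return findings


if __name__ == "__main__":
    for f in find_admin_panel_requests(SAMPLE_LOG):
        tag = "post-logon" if f["prior_logon_load"] else "DIRECT (no Logon load seen)"
        print(f"{f['time']} {f['client']} pnl={f['panel']} status={f['status']} {tag}")
```

A request for a non-Logon panel is not proof of abuse on its own, since the advisory notes that a legitimate administrator's menu links may load the same frameset URLs, so the prior_logon_load field is what separates the two cases. Because no vendor fix was available at the time of the advisory, the practical mitigation is to restrict who can reach /hod/HODAdmin.html and /hod/frameset.html at the web server or network layer rather than to rely on the applet's own logon panel.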
ATTACK SCENARIOS
An attacker can carry out a number of actions:
- stopping critical HOD services
- reconfiguring existing services (e.g., port numbers, IP addresses)
- creating and starting unnecessary services
- changing the security configuration for redirectors
- creating a user to administer the LDAP service
Any of these could have an adverse effect on business operations and/or allow a malicious person to open more potential attack vectors.
VENDOR RESPONSE
Secunia notified IBM about this vulnerability around 11/3/2006. No response has been received.
CONTACT
You can reach the author of this advisory at: dave.ferguson[at]fishnetsecurity(dot)com