Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

ADV: IBM QRadar SIEM
From: Thomas Pollet <thomas.pollet () gmail com>
Date: Fri, 24 Jan 2014 12:28:04 +0100

Hello,

Copy/paste from
http://thomaspollet.blogspot.be/2014/01/ibm-qradar-siem-csrf-xss-mitm-rce.html:

IBM QRadar SIEM CSRF - XSS - MITM - RCE
I have found the IBM QRadar Security Intelligence Platform auto update
mechanisms exposes a number of security bugs.

Web Interface Sreenshot (/console/do/qradar/autoupdateConsole)
<http://4.bp.blogspot.com/-59tEPlAPaQM/UuJIL7p-oZI/AAAAAAAAAhw/Vz8iHxWG60M/s1600/qupdate.PNG>



   - The autoupdateConsole doesn't check for cross site request forgery
   - Input to the autoupdateConsole proxyUsername field is not sanitized,
   therefore it is possible to inject html into the web interface
   - The autoupdate mechanism doesn't check ssl certificates before
   downloading the updates
   - The autoupdate mechanism downloads a file scripts/script_list which
   contains a list of files together with their hash. The autoupdate process
   then tries to verify the hash but doing so, it doesn't escape shell
   characters. This way it is possible to execute commands. For example, the
   appliance will reboot if the script_list contains an entry


372e25f23b5a8ae33c7ba203412ace30  $(reboot)

   - The autoupdate mechanism runs as root


Regards,
Thomas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • ADV: IBM QRadar SIEM Thomas Pollet (Jan 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]