CVE-2009-0880 IBM Systems Director Remote SYSTEM Exploit Demo

IBM Systems Director has a web service listening on 6988/TCP. This service, the “CIM Server”, in versions prior to 5.20.3 SP2 has a directory traversal vulnerability: a crafted request can make it load, and therefore execute, an arbitrary DLL file from the local filesystem. This is assigned CVE-2009-0880.

Executing local DLL files? Not really all that interesting. However, then our good friend @kingcope decided to take a look at this bug, and suddenly it became VERY interesting.

Because of how Windows resolves library paths, the DLL you name does not have to be a LOCAL file: LoadLibrary accepts a UNC path (\\host\share\file.dll) just as happily, and if that host serves the share over WebDAV, the WebClient service fetches the DLL over HTTP. That turns “execute some file that is already on the remote box” into “remote code execution with SYSTEM privileges”.

How this exploit works is that it sends a specially crafted HTTP request to the CIM Listener service, telling it that it should totally load hackerhacker.dll because it is definitely a legitimate DLL file to execute.

This software, being inherently silly, says “Sure! Of course I will load this DLL file!”, loads the remote DLL, and executes whatever code is in its initialization routine, DllMain (your reverse shell, perhaps?).

To make the whole party even more fun, the code runs as SYSTEM, and no authentication whatsoever is needed to exploit this vulnerability.
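To make the two halves of the bug concrete, here is an added example of mine, not code from the original post, from Kingcope's exploit or from IBM's product. It simulates the service's path handling with Python's ntpath module, so it runs on any OS and never actually calls LoadLibrary. PLUGIN_DIR is a hypothetical directory, and the traversal and UNC inputs are constructed. resolve_unsafe shows how a naive join lets “..” walk out of the directory and lets a UNC name replace it entirely; resolve_safe shows the checks that close both holes.

```python
import ntpath

# Constructed example. PLUGIN_DIR is a hypothetical directory the service is
# supposed to load DLLs from; it is not IBM's actual layout.
PLUGIN_DIR = r"C:\Program Files\IBM\Director\cimom\plugins"


def resolve_unsafe(requested: str) -> str:
    """The bug class, reduced to its path handling.

    The caller-supplied name is joined onto PLUGIN_DIR and normalised, and the
    result would be handed to LoadLibrary. Two things go wrong:
      * '..' segments walk out of PLUGIN_DIR (the directory traversal), and
      * a UNC name such as \\\\host\\share\\x.dll is absolute, so ntpath.join
        discards PLUGIN_DIR entirely and the UNC path goes through untouched.
    Windows would then fetch that file over SMB or, via the WebClient
    service, over WebDAV, and run its DllMain.
    """
    return ntpath.normpath(ntpath.join(PLUGIN_DIR, requested))


def resolve_safe(requested: str) -> str:
    """Hardened version: only names that stay inside PLUGIN_DIR are accepted.

    Raises ValueError for empty names, embedded NULs, drive-qualified, rooted
    or UNC names (in either slash style), and anything that still escapes
    PLUGIN_DIR after normalisation.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing name")

    # Refuse anything that names its own location: a drive letter, a
    # drive-relative path (C:x.dll), a rooted path (\x.dll) or a UNC path.
    # None of these can be a plain plug-in name, and the UNC case is what
    # makes the bug remote.
    drive, _ = ntpath.splitdrive(requested)
    if drive or requested.startswith(("\\", "/")):
        raise ValueError("absolute or UNC path rejected: %r" % requested)

    base = ntpath.normpath(PLUGIN_DIR)
    candidate = ntpath.normpath(ntpath.join(base, requested))

    # Normalisation has already collapsed any '..'; the result must still be
    # a strict descendant of the base directory. Compare case-insensitively,
    # as NTFS does.
    common = ntpath.commonpath([base, candidate])
    if candidate == base or ntpath.normcase(common) != ntpath.normcase(base):
        raise ValueError("path escapes plug-in directory: %r" % requested)
    return candidate


def check(requested: str):
    """Convenience wrapper: ('allowed', resolved_path) or ('rejected', reason)."""
    try:
        return ("allowed", resolve_safe(requested))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one traversal, one UNC name.
    for name in ("legit.dll",
                 r"..\..\..\..\..\Windows\Temp\evil.dll",
                 r"\\192.0.2.10\share\evil.dll"):
        print("%-45r unsafe -> %s" % (name, resolve_unsafe(name)))
        print("%-45r safe   -> %s" % (name, check(name)))
```

Two practical notes on the hardened form. It normalises first and then checks containment, rather than grepping the input for “..”, so a name like `..\plugins\legit.dll` that resolves back inside the directory is still accepted while every escape is caught. And on the Windows side, the UNC-to-WebDAV trick depends on the WebClient service; servers that have no reason to speak WebDAV can have it disabled, which removes the HTTP fetch path even if an application is still sloppy with DLL names.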

The original exploit by Kingcope may be found here: http://isowarez.de/Exploits/IBMDirector.txt; however, he has disabled access to the “wootwoot” DLL file, so I could not use his exploit code in the following demo. I ended up using the Metasploit module that was released shortly after his exploit came out.

What I find most interesting is that no one before Kingcope ever thought about using a WebDAV share to serve up a remotely loaded DLL. Perhaps now people will have to revisit old bugs and write new, super effective exploits?

Without further ado, here is the demo!

The WHCMS Exploit…

So, there has been some low-level hype over this WHCMS 0day that was for sale a while back, for the extortionate price of $6k. Sure, some exploits are worth that, but definitely not a friggin’ blind SQLi vuln. Does that mean I can sell RFI bugs for $10k “because they are more dangerous”? I somehow doubt it…

Anyway, as I was considering starting some fuzzing of WHCMS, I noticed the following post on Full Disclosure – The FD Post

So, like many people, I downloaded the provided scripts and had a look. Having been burned before by the “OOH SHINY – OOH SHIT, I GOT RM’d” syndrome, I decided to FULLY read the code first.

exploit.py seems to simply check for the vulnerable component and tells you whether you can own the target or not. For archival reasons it is mirrored on my pastebin -> http://pastebin.com/QS9ZRYyc

blind_sqli.py is FAR more interesting. It is a full-blown, explicitly targeted blind SQL injection script. You point it at your target, let it run, and bam: admin login creds come out. Fairly well written for a “lame PoC”, and I have archived it on my pastebin also -> http://pastebin.com/WB3BnB2G

Now I have not bothered getting a copy of WHCMS to test this all out on, as it is not that interesting to me, but seriously. This sold for 6 grand? I wonder how much my SCADA/WinCC/MiniWeb DoS would have sold for?

Anyways, I’m off. I take no responsibility for what is done using those scripts I mirrored, but apparently “EVERYONE WAS GETTING OWNED” or something. Nice.

~infodox