module
IBM Data Risk Manager Arbitrary File Download
| Disclosed | Created |
|---|---|
| Apr 21, 2020 | May 5, 2020 |
Disclosed
Apr 21, 2020
Created
May 5, 2020
Description
IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by
an unauthenticated attacker to download arbitrary files off the system.
The first is an unauthenticated bypass, followed by a path traversal.
This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
A downloaded file is zipped, and this module also unzips it before storing it in the database.
By default this module downloads Tomcat's application.properties files, which contains the
database password, amongst other sensitive data.
At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.
Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.
an unauthenticated attacker to download arbitrary files off the system.
The first is an unauthenticated bypass, followed by a path traversal.
This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
A downloaded file is zipped, and this module also unzips it before storing it in the database.
By default this module downloads Tomcat's application.properties files, which contains the
database password, amongst other sensitive data.
At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.
Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.
Author
Pedro Ribeiro [email protected]
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.