module
IBM Data Risk Manager Arbitrary File Download
Disclosed | Created |
---|---|
Apr 21, 2020 | May 5, 2020 |
Description
IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by
an unauthenticated attacker to download arbitrary files off the system.
The first is an authentication bypass, the second a path traversal.
This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
A downloaded file is zipped, and this module also unzips it before storing it in the database.
By default this module downloads Tomcat's application.properties file, which contains the
database password, amongst other sensitive data.
At the time of disclosure this was a 0-day, but IBM later patched it and released their advisory.
Versions 2.0.2 to 2.0.4 are vulnerable; version 2.0.1 is not.
Author
Pedro Ribeiro pedrib@gmail.com
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
