module
IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution
| Disclosed | Created |
|---|---|
| Dec 19, 2019 | Mar 30, 2020 |
Disclosed
Dec 19, 2019
Created
Mar 30, 2020
Description
This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows
an unauthenticated attacker to perform a configuration overwrite.
It starts by querying the Admin server for the available applications, picks one,
and then exploits it. You can also provide an application name to bypass this step,
and exploit the application directly.
The configuration overwrite is used to change an application server authentication
method to "CAM", a proprietary IBM auth method, which is simulated by the exploit.
The exploit then performs a fake authentication as admin, and finally abuses TM1
scripting to perform a command injection as root or SYSTEM.
Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux.
Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions
earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014).
an unauthenticated attacker to perform a configuration overwrite.
It starts by querying the Admin server for the available applications, picks one,
and then exploits it. You can also provide an application name to bypass this step,
and exploit the application directly.
The configuration overwrite is used to change an application server authentication
method to "CAM", a proprietary IBM auth method, which is simulated by the exploit.
The exploit then performs a fake authentication as admin, and finally abuses TM1
scripting to perform a command injection as root or SYSTEM.
Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux.
Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions
earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014).
Authors
Pedro Ribeiro pedrib@gmail.com
Gareth Batchelor gbatchelor@cloudtrace.com.au
Gareth Batchelor gbatchelor@cloudtrace.com.au
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.