This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows
an unauthenticated attacker to perform a configuration overwrite.
It starts by querying the Admin server for the available applications, picks one,
and then exploits it. You can also provide an application name to bypass this step,
and exploit the application directly.
The configuration overwrite is used to change an application server authentication
method to "CAM", a proprietary IBM auth method, which is simulated by the exploit.
The exploit then performs a fake authentication as admin, and finally abuses TM1
scripting to perform a command injection as root or SYSTEM.
Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux.
Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions
earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014).
- Pedro Ribeiro <firstname.lastname@example.org>
- Gareth Batchelor <email@example.com>