Author Archives: Shafeeque Olassery Kunnikkal

  1. CVE-2018-1528 – IBM Maximo Asset Management could allow an authenticated user to obtain sensitive information from the WhoAmI API


    I reported this vulnerability while doing a penetration test of the IBM Maximo Asset Management software.

    Summary

    IBM Maximo Asset Management could allow an authenticated user to obtain sensitive information from the WhoAmI API.

    This vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management. *

    Maximo Asset Management core product affected versions:
    Maximo Asset Management 7.6

    Industry Solutions products affected if using an affected core version:
    Maximo for Aviation
    Maximo for Government
    Maximo for Life Sciences
    Maximo for Nuclear Power
    Maximo for Oil and Gas
    Maximo for Transportation
    Maximo for Utilities

    IBM Control Desk products affected if using an affected core version:
    SmartCloud Control Desk
    IBM Control Desk
    Tivoli Integration Composer

    * To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

    Credits

    More details are available here: https://www.ibm.com/support/pages/security-bulletin-ibm-maximo-asset-management-could-allow-authenticated-user-obtain-sensitive-information-whoami-api-cve-2018-1528

  2. CVE-2018-5798 – Cross-site scripting vulnerability in Cloudera Manager – Part 2


    Below are the details of the reflected XSS I found in Cloudera Enterprise. More details can be found here: https://www.cloudera.com/documentation/other/securitybulletins/topics/Security-Bulletin.html#DOCS-3186

    Log in to Cloudera Manager using the credentials
    admin:admin

    1. Navigate to the following URL, which includes the XSS payload.

    xss

    2. Navigate to the following URL in the browser after logging in to Cloudera Manager (credentials: admin:admin).

    http://localhost:7180/cmf/config2/dialog?metadataUrl=%2fcmf%2fclusters%2f1%2fsearchConfig%2fmetadata.json%3fserviceDep%3dtrue%26q%3dspark_on_yarn%3C%2fscript%3E%3Cscript%3Ealert%28%27reflected%20xss%27%29%3C%2fscript%3E

    You will see the XSS payload executed, as shown in the image below.

    XSS
  3. CVE-2018-5798 – Cross-site scripting vulnerability in Cloudera Manager – Part 1


    Below are the details of the reflected XSS I found in Cloudera Enterprise. Multiple XSS issues were reported, and I will be publishing their details in subsequent posts. More details can be found here:

    https://docs.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#DOCS-3186

    Cloudera Enterprise Version Details

    Log in to Cloudera Manager using the credentials
    admin:admin or cloudera:cloudera

    We need to intercept the HTTP traffic, so launch Burp Suite and set the browser proxy to 127.0.0.1, port 8080.

    Click Add Service against the cluster in Cloudera Manager and select any service; here I choose Flume.

    Add Services to Cluster

    Click Continue; the request will be intercepted by the proxy.
    Click Forward in the Burp Proxy tab until you reach the request shown in the image.

    request - one

    Now inject the XSS payload into the parameter ‘ServiceType’, as shown in the following image.

    XSS Payload Injected.

    Switch off interception in Burp and return to the browser. You will see the XSS payload executed, as shown in the image below.

    XSS Payload executed.

    The vulnerability can be reproduced by accessing the following URL directly:

    http://localhost:7180/cmf/clusters/1/add-service/index?serviceType=

    Note that you have to be logged in to Cloudera Manager with the above-mentioned credentials. Replace localhost with the IP of the Cloudera Manager host if you are accessing it remotely.
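    Both Cloudera Manager write-ups above (Part 1, the serviceType parameter; Part 2, the metadataUrl parameter) describe the same class of finding: a reflected XSS payload carried in a query parameter. The following is an added example, not code from the posts or from Cloudera: a small Python detector that flags requests to those two endpoints whose parameters carry script tags, run over constructed access-log lines in common log format. The log format, the cluster id pattern and the sample lines are assumptions.

```python
"""Added example (not from the original posts): flag Cloudera Manager requests
whose serviceType / metadataUrl parameters carry script tags."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and parameter names taken from the two write-ups above.
# Parameter names are compared case-insensitively.
WATCHED = [
    (re.compile(r"^/cmf/clusters/\d+/add-service/index$"), {"servicetype"}),  # Part 1
    (re.compile(r"^/cmf/config2/dialog$"), {"metadataurl"}),                 # Part 2
]
# Opening or closing <script> tag, which both reported payloads rely on.
SCRIPT_RE = re.compile(r"</?script[\s>/]", re.IGNORECASE)
# Common log format (assumed): ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (payloads are often double-encoded)."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def find_reflected_xss(log_lines):
    """Return (ip, path, parameter, decoded_value) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for path_re, params in WATCHED:
            if not path_re.match(url.path):
                continue
            # parse_qs splits on & before decoding, so an encoded %26 stays inside the value.
            for name, values in parse_qs(url.query, keep_blank_values=True).items():
                if name.lower() not in params:
                    continue
                for v in values:
                    decoded = decode_fully(v)
                    if SCRIPT_RE.search(decoded):
                        hits.append((m.group("ip"), url.path, name, decoded))
    return hits


SAMPLE_LOG = [  # constructed sample lines; the second and third carry the reported payloads
    '10.0.0.5 - - [01/Mar/2018:10:00:01 +0000] "GET /cmf/clusters/1/add-service/index?serviceType=FLUME HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2018:10:00:07 +0000] "GET /cmf/clusters/1/add-service/index?serviceType=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 612',
    '10.0.0.9 - - [01/Mar/2018:10:01:13 +0000] "GET /cmf/config2/dialog?metadataUrl=%2fcmf%2fclusters%2f1%2fsearchConfig%2fmetadata.json%3fserviceDep%3dtrue%26q%3dspark_on_yarn%3C%2fscript%3E%3Cscript%3Ealert%28%27reflected%20xss%27%29%3C%2fscript%3E HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Mar/2018:10:02:00 +0000] "GET /cmf/config2/dialog?metadataUrl=%2fcmf%2fclusters%2f1%2fsearchConfig%2fmetadata.json%3fq%3dhdfs HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in find_reflected_xss(SAMPLE_LOG):
        print(hit)
```

    Only the two requests carrying a script tag are reported; the benign metadataUrl value, which is itself a URL with an encoded query string, is not.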
