IBM OpenAdmin Tool welcomeService.php Remote Code Execution

Critical | Nessus Plugin ID 104104
VPR Score: 7.4

Synopsis

The remote web server contains a PHP application that is affected by a code injection flaw.

Description

The version of OpenAdmin Tool installed on the remote host is affected by a remote code execution vulnerability. The welcomeService.php file exposes a SOAP interface that does not validate code passed to the 'saveHomePage' method. A remote attacker can therefore save arbitrary code into 'config.php', a file that is accessible to remote users, and could exploit this issue to execute arbitrary code with the privileges of the target service.

Solution

Upgrade to version 3.16 or later.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg22002897

https://blogs.securiteam.com/index.php/archives/3210

Plugin Details

Severity: Critical

ID: 104104

File Name: ibm_informix_soap_inject.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 10/23/2017

Updated: 6/13/2018

Dependencies: openadmin_tool_detect.nasl

Risk Information

Risk Factor: Critical

VPR Score: 7.4

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:F/RL:OF/RC:ND

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:F/RL:O/RC:X

Vulnerability Information

Required KB Items: installed_sw/openadmin_tool

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/31/2017

Vulnerability Publication Date: 5/31/2017

Exploitable With

Core Impact

Metasploit (IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution)

Reference Information

CVE: CVE-2017-1092

EDB-ID: 42541