Add exploit for IBM DRM RCE (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429) #13300
I am waiting on the CVE IDs, but please go ahead with the review while we wait.
Added
@gwillcox-r7 I can send pcaps if needed, same for PR #13301
If you can send PCAPs for both this PR and for #130001 to msfdev[at]metasploit.com this would greatly assist our team in helping to confirm info. Thanks!
@pedrib If you could also send a demo of both of the modules to the same email address this would also be helpful.
@gwillcox-r7 a demo? Like an asciinema cast?
Thanks for bringing us to the 0-day party! Detection seems a bit wobbly, though, and I think we would want to properly parse the JSON responses instead of just using regexes. I think there are also some code styling things that `rubocop -a` can help fix.
@acammack-r7 all done, and thanks for showing me rubocop, will use it from now on for all my submissions. I'm still waiting for those CVEs, do you mind waiting or do you want to merge these PRs now? If so I can send you the pcaps
Are you still waiting for CVEs?
@wvu-r7 all done. Yes I am still waiting, there are emails going back and forth between myself and MITRE. Seems like IBM are the ones that have to issue CVEs for their own product, and they are making me wait... I wonder why
Guys, I have removed all CVE and other TODO-links from these modules to get them ready for merging. I have sent pcaps to your email address.
Reviewed module doc.
Code reviewed. If I missed anything, apply comments everywhere they apply.
ok all done!
Squashed and rebased!
Update documentation/modules/exploit/linux/http/ibm_drm_rce.md Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update documentation/modules/exploit/linux/http/ibm_drm_rce.md Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update documentation/modules/exploit/linux/http/ibm_drm_rce.md Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update ibm_drm_rce.md Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> make final changes! 
Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> final final final
Release Notes
This adds a remote root exploit for IBM Data Risk Manager versions 2.0.3 and below. Version 2.0.6 might also be vulnerable. The exploit covers:
This PR adds an exploit for an unauthenticated remote code execution as root in IBM Data Risk Manager. This is a 0day at the time of this PR, check:
https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
See also: #13301 and #13304.