Land rapid7#13770, Update IBM DRM modules with URL and correct versions
gwillcox-r7 committed Jun 26, 2020
2 parents a1d547f + 6e81787 commit af29999
Showing 6 changed files with 21 additions and 15 deletions.
Expand Up @@ -4,8 +4,9 @@ IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by
The first is an unauthenticated bypass, followed by a path traversal.
This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
A downloaded file is zipped, and this module also unzips it before storing it in the database.
By default, this module downloads Tomcat's 1application.properties` files, which contains the database password, amongst other sensitive data.
At the time of disclosure, this is a 0day. Versions 2.0.3 and 2.0.2 are confirmed to be affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.
By default, this module downloads Tomcat's application.properties file, which contains the database password, amongst other sensitive data.
At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.
Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.

### Vulnerability information
For more information about the vulnerability check the advisory at:
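Review bot: the replacement sentence "At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory." keeps a stray "is" from the old wording; since this hunk already rewrites that line, make it "At the time of disclosure this was a 0-day, but IBM later patched it and released their advisory." The other change in this hunk, dropping the stray `1` and the unmatched backtick around `application.properties`, is correct and leaves the file name readable. Minor: "which contains" should agree with "file" (singular), which the new wording now does.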
3 changes: 2 additions & 1 deletion documentation/modules/exploit/linux/http/ibm_drm_rce.md
Expand Up @@ -3,7 +3,8 @@
IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root.
The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password.
This module exploits all three vulnerabilities, giving the attacker a root shell.
At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. The authentication bypass works on versions <= 2.0.6.1,
but the command injection should only work on versions <= 2.0.4 according to IBM.


### Vulnerability information
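Review bot: "At the time of disclosure this was an 0day" should read "a 0day" (it is pronounced "zero-day", so the article is "a"). The new text also hedges twice in one sentence, "should only work on versions <= 2.0.4 according to IBM"; if the 2.0.4 bound comes from IBM's bulletin, state it directly ("IBM reports the command injection is fixed after 2.0.4") so readers know whether the range is confirmed or a guess. Since the description now refers to IBM's patch and advisory, the Vulnerability information section just below is the natural place to link the IBM bulletin that the module metadata adds.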
2 changes: 1 addition & 1 deletion documentation/modules/exploit/linux/ssh/ibm_drm_a3user.md
Expand Up @@ -2,7 +2,7 @@

This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH.
This can be escalated to full root access, as 'a3user' has `sudo` access with the default password.
At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. Versions <= 2.0.6.1 are confirmed to be vulnerable.

### Vulnerability information
For more information about the vulnerability, check the advisory at:
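Review bot: "this was an 0day" should be "a 0day", as in the other files. More substantively, the new line says IBM "later confirmed and patched" the default password but then states "Versions <= 2.0.6.1 are confirmed to be vulnerable" without naming a fixed release; name the first version in which the 'a3user' default password was removed (or say explicitly that the latest release tested still ships it), otherwise "patched" and "2.0.6.1 vulnerable" read as contradictory.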
7 changes: 4 additions & 3 deletions modules/auxiliary/admin/http/ibm_drm_download.rb
Expand Up @@ -21,8 +21,8 @@ def initialize(info = {})
A downloaded file is zipped, and this module also unzips it before storing it in the database.
By default this module downloads Tomcat's application.properties files, which contains the
database password, amongst other sensitive data.
At the time of disclosure, this is a 0 day. Versions 2.0.3 and 2.0.2 are confirmed to be
affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.
At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.
Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.
},
'Author' =>
[
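Review bot: the same "this is was a 0 day" typo from the documentation is carried into the module's description string, which is what `info` shows to the user; change it to "this was a 0-day" here as well. While this string is being edited, the unchanged context line "Tomcat's application.properties files, which contains the" mixes plural and singular; "application.properties file, which contains" would match the documentation wording in this same commit.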
Expand All @@ -38,7 +38,8 @@ def initialize(info = {})
[ 'CVE', '2020-4427' ], # auth bypass
[ 'CVE', '2020-4429' ], # insecure default password
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ]
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
[ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/']
],
'DisclosureDate' => '2020-04-21',
'Actions' => [
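Review bot: the added IBM bulletin entry has no space before the closing bracket (`...cve-2020-4430/']`), unlike every other entry in this references array, which is written `[ 'URL', '...' ]`; add the space so the array stays consistent and does not trip the Layout/SpaceInsideArrayLiteralBrackets style check. Adding the trailing comma on the seclists line so the new entry can follow is correct.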
10 changes: 6 additions & 4 deletions modules/exploits/linux/http/ibm_drm_rce.rb
Expand Up @@ -20,8 +20,9 @@ def initialize(info = {})
The first is an unauthenticated bypass, followed by a command injection as the server user,
and finally abuse of an insecure default password.
This module exploits all three vulnerabilities, giving the attacker a root shell.
At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be
affected, and the latest 2.0.6 is most likely affected too.
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.
The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on
versions <= 2.0.4 according to IBM.
},
'Author' =>
[
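Review bot: "this was an 0day" should be "a 0day", matching the wording convention elsewhere in this commit. The line "The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on" is also noticeably longer than the surrounding wrapped description lines; rewrap the three added lines to the same width as the rest of the heredoc so the description renders evenly in `info`.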
Expand All @@ -34,13 +35,14 @@ def initialize(info = {})
[ 'CVE', '2020-4428' ], # command injection
[ 'CVE', '2020-4429' ], # insecure default password
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ]
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
[ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/' ]
],
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' =>
[
[ 'IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)', {} ]
[ 'IBM Data Risk Manager <= 2.0.4', {} ]
],
'Privileged' => true,
'DefaultOptions' =>
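Review bot: the target label is narrowed from "<= 2.0.3 (<= 2.0.6 possibly affected)" to a flat "<= 2.0.4", but the description added in the previous hunk still hedges that the command injection "should only work on versions <= 2.0.4 according to IBM". Either the 2.0.4 bound is confirmed, in which case the description should say so plainly, or it is not, in which case the target name should keep a qualifier as the old one did; the two strings should agree. The IBM bulletin entry in this file does have the space before `]`, which is the form the other two modules should follow.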
9 changes: 5 additions & 4 deletions modules/exploits/linux/ssh/ibm_drm_a3user.rb
Expand Up @@ -17,8 +17,8 @@ def initialize(info = {})
This module abuses a known default password in IBM Data Risk Manager. The 'a3user'
has the default password 'idrm' and allows an attacker to log in to the virtual appliance
via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.
At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be
affected, and the latest 2.0.6 is most likely affected too.
At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.
Versions <= 2.0.6.1 are confirmed to be vulnerable.
},
'License' => MSF_LICENSE,
'Author' =>
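Review bot: "this was an 0day" should be "a 0day". As with the documentation for this module, "patched by IBM" followed by "Versions <= 2.0.6.1 are confirmed to be vulnerable" leaves the reader without a fixed version; state the first release that no longer ships the 'a3user'/'idrm' default, or say that none was confirmed at the time of this update. The unchanged context line "This can be escalate to full root access" is also missing a "d" ("escalated") and could be fixed while this string is open.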
Expand All @@ -29,7 +29,8 @@ def initialize(info = {})
[
[ 'CVE', '2020-4429' ], # insecure default password
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ]
[ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
[ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/']
],
'Payload' =>
{
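Review bot: the added IBM bulletin line is again missing the space before the closing bracket (`...cve-2020-4430/']`) while the other entries in this array use `[ 'URL', '...' ]`; add the space for consistency with the ibm_drm_rce.rb version of the same line and with the surrounding entries.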
Expand All @@ -42,7 +43,7 @@ def initialize(info = {})
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)', {} ]
[ 'IBM Data Risk Manager <= 2.0.6.1', {} ]
],
'Privileged' => true,
'DefaultTarget' => 0,

0 comments on commit af29999