CVE-2017-1092
Published 2017-05-22
Priority P278 · critical · 9.8 (CVSS 3.0) · public exploit available · EPSS 75.77% (99.5th percentile)
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | informix_open_admin_tool | — | — |
| ibm | informix_open_admin_tool | — | — |
| ibm | informix_open_admin_tool | — | — |
| ibm_corporation | informix_servers | — | — |
Detection & IOCs (extracted from sources)
- path: C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\services\welcome\welcomeService.php
- path: C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\services\welcome\welcomeServer.php
- path: C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\modules\login.php
- snort/suricata signature (sid:2061766):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS IBM Informix Open Admin PHP RCE Attempt Inbound (CVE-2017-1092)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/welcomeService.php"; http.request_body; content:"new_home_page>|22 3b|"; fast_pattern; reference:cve,2017-1092; classtype:web-application-attack; sid:2061766; rev:1; metadata:attack_target Server, created_at 2025_04_21, cve CVE_2017_1092, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect unauthenticated POST requests to /openadmin/services/welcome/welcomeService.php with a SOAPAction header of 'urn:QBEAction' and a body containing 'new_home_page>' followed by a double quote and a semicolon; this is the PHP code injection trigger.
- Monitor for GET requests to /openadmin/conf/config.php that carry query parameters (e.g. ?cmd=); this indicates the backdoor written to config.php is being invoked for RCE.
- Look for modification of /openadmin/conf/config.php or creation of /openadmin/conf/BAKconfig.php; the exploit writes a PHP backdoor to config.php and backs up the original as BAKconfig.php.
- Inspect POST bodies sent to welcomeService.php for the SOAP element 'new_home_page' containing PHP syntax characters such as "; or eval(; these indicate active exploitation of the saveHomePage injection point.
- The Metasploit module targets /openadmin as the base URI (TARGETURI default). Correlate web logs for a POST to welcomeService.php followed by a POST to conf/config.php from the same source IP.
- The exploit is unauthenticated: no credentials are required to reach the vulnerable SOAP endpoint, so authentication-based controls alone are insufficient.
- On Windows targets the Apache service runs as NT AUTHORITY\SYSTEM, so successful exploitation grants full system privileges. On Linux targets the Metasploit module notes it is not privileged.
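A defender-side implementation of the two log-based checks above (the POST-to-welcomeService.php followed by conf/config.php correlation, and the `new_home_page>";` body trigger that the Suricata signature matches), added here as an example; it is not code from the page's sources or from the Metasploit module. The access-log lines are constructed; the paths are the ones listed on this page.

```python
import re
from collections import defaultdict

# Apache combined-log format; we only need client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SOAP_ENDPOINT = "/openadmin/services/welcome/welcomeService.php"
CONFIG_PATH = "/openadmin/conf/config.php"
# Same bytes the Suricata signature sid:2061766 looks for in the POST body.
BODY_TRIGGER = re.compile(rb'new_home_page>";')

def parse(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def correlate(lines):
    """Flag clients that POST to the welcome SOAP endpoint and afterwards request
    conf/config.php; a query string on that later request is the stronger signal."""
    soap_hits = defaultdict(list)   # client IP -> line numbers of SOAP POSTs
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"].split("?")[0] == SOAP_ENDPOINT:
            soap_hits[r["ip"]].append(n)
        elif r["path"].split("?")[0] == CONFIG_PATH and r["ip"] in soap_hits:
            findings.append({"ip": r["ip"], "soap_line": soap_hits[r["ip"]][-1],
                             "config_line": n, "with_query": "?" in r["path"]})
    return findings

def body_has_trigger(body: bytes) -> bool:
    """True if a captured POST body carries the injection trigger."""
    return BODY_TRIGGER.search(body) is not None

# Constructed sample log (not a real incident): one client follows the exploit sequence,
# one only browses the UI and touches config.php without a query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2025:10:00:01 +0000] "POST /openadmin/services/welcome/welcomeService.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Apr/2025:10:00:02 +0000] "GET /openadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Apr/2025:10:00:03 +0000] "GET /openadmin/conf/config.php?cmd=TEST HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Apr/2025:10:00:04 +0000] "GET /openadmin/conf/config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print("suspect", f)
```

Feed it a real Apache access log one line at a time; a finding with `with_query` set should be escalated, and a hit from `body_has_trigger` on a WAF or proxy body capture confirms the injection attempt itself.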
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Suricata
ET WEB_SPECIFIC_APPS IBM Informix Open Admin PHP RCE Attempt Inbound (CVE-2017-1092)
suricata · 2025-04-21 · CVSS 9.8
Rule: the same signature (sid:2061766) listed under Detection & IOCs above.
Exploit-DB
IBM OpenAdmin Tool - SOAP welcomeServer PHP Code Execution (Metasploit)
exploitdb · 2017-08-22
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution',
      'Description' => %q{
        This module exploits an unauthenticated remote PHP code execution
        vulnerability in IBM OpenAdmin Tool included with IBM Informix
        versions 11.5, 11.7, and 12.1.
        The 'welcomeServer' SOAP service does not properly validate user input
        in the 'new_home_page' parameter of the 'saveHomePage' method allowing
        arbitrary PHP code to be written to the config.php file. The config.php
        file is executed in most pages within the application, and accessible
        directly via the web root, resultin
```
Exploit-DB
IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow
exploitdb · 2017-05-30 · CVSS 7.5 (HIGH)
---
## Vulnerabilities Summary
The following advisory describes six (6) vulnerabilities found in Informix Dynamic Server and Informix Open Admin Tool.
IBM Informix Dynamic Server is an exceptional, low-maintenance online transaction processing (OLTP) data server for enterprise and workgroup computing.
IBM Informix Dynamic Server has many features that cater to a variety of user groups, including developers and administrators. One of the strong features of IDS is the low administration cost. IDS is well known for its hands-free administration. To make server administration even easier, a new open source, platform-independent tool called OpenAdmin Tool (OAT) is now available to
Metasploit
IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution
metasploit
This module exploits an unauthenticated remote PHP code execution vulnerability in IBM OpenAdmin Tool included with IBM Informix versions 11.5, 11.7, and 12.1. The 'welcomeServer' SOAP service does not properly validate user input in the 'new_home_page' parameter of the 'saveHomePage' method allowing arbitrary PHP code to be written to the config.php file. The config.php file is executed in most pages within the application, and accessible directly via the web root, resulting in code execution. This module has been tested successfully on IBM OpenAdmin Tool 3.14 on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.
No writeups or analysis indexed.