Vulnerabilities > CVE-2010-4094 - Credentials Management vulnerability in IBM products

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

ibm

CWE-255

nessus

exploit available

metasploit

NVD

Published: 2010-10-26

Updated: 2011-01-11

Summary

The Tomcat server in IBM Rational Quality Manager and Rational Test Lab Manager has a default password for the ADMIN account, which makes it easier for remote attackers to execute arbitrary code by leveraging access to the manager role. NOTE: this might overlap CVE-2009-3548.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM Rational Quality Manager * IBM Rational Test LAB Manager *	2

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

Exploit-Db

description	Apache Tomcat Manager Application Deployer Authenticated Code Execution. CVE-2009-3548,CVE-2009-3843,CVE-2009-4188,CVE-2009-4189,CVE-2010-0557,CVE-2010-4094....
id	EDB-ID:16317
last seen	2016-02-01
modified	2010-12-14
published	2010-12-14
reporter	metasploit
source	https://www.exploit-db.com/download/16317/
title	Apache Tomcat Manager Application Deployer Authenticated Code Execution

Metasploit

description	This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
id	MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_UPLOAD
last seen	2020-06-10
modified	2018-08-20
published	2014-01-27
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4189 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4188 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557 http://www-01.ibm.com/support/docview.wss?uid=swg21419179 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548 http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/tomcat_mgr_upload.rb
title	Apache Tomcat Manager Authenticated Upload Code Execution

description	This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.
id	MSF:AUXILIARY/SCANNER/HTTP/TOMCAT_MGR_LOGIN
last seen	2019-11-17
modified	2019-06-27
published	2013-05-29
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4189 http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4188 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557 http://www-01.ibm.com/support/docview.wss?uid=swg21419179 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548 http://tomcat.apache.org/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/tomcat_mgr_login.rb
title	Tomcat Application Manager Login Utility

description	This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
id	MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_DEPLOY
last seen	2020-05-21
modified	2018-08-20
published	2013-01-07
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4189 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4188 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557 http://www-01.ibm.com/support/docview.wss?uid=swg21419179 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548 http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/tomcat_mgr_deploy.rb
title	Apache Tomcat Manager Application Deployer Authenticated Code Execution

Nessus

NASL family	Web Servers
NASL id	TOMCAT_MANAGER_COMMON_CREDS.NASL
description	Nessus was able to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can exploit this issue to install a malicious application on the affected server and run arbitrary code with Tomcat
last seen	2020-06-01
modified	2020-06-02
plugin id	34970
published	2008-11-26
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/34970
title	Apache Tomcat Manager Common Administrative Credentials

Packetstorm

data source	https://packetstormsecurity.com/files/download/125021/tomcat_mgr_upload.rb.txt
id	PACKETSTORM:125021
last seen	2016-12-05
published	2014-02-01
reporter	rangercha
source	https://packetstormsecurity.com/files/125021/Apache-Tomcat-Manager-Code-Execution.html
title	Apache Tomcat Manager Code Execution

Saint

bid	44172
description	IBM Rational Quality Manager and Test Lab Manager Policy Bypass
title	ibm_rational_quality_manager_default_credentials
type	remote

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Metasploit

Nessus

Packetstorm

Saint

References