CVE-2010-4094 - Credentials Management vulnerability in IBM products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
The Tomcat server in IBM Rational Quality Manager and Rational Test Lab Manager has a default password for the ADMIN account, which makes it easier for remote attackers to execute arbitrary code by leveraging access to the manager role. NOTE: this might overlap CVE-2009-3548.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Apache Tomcat Manager Application Deployer Authenticated Code Execution. CVE-2009-3548,CVE-2009-3843,CVE-2009-4188,CVE-2009-4189,CVE-2010-0557,CVE-2010-4094.... |
id | EDB-ID:16317 |
last seen | 2016-02-01 |
modified | 2010-12-14 |
published | 2010-12-14 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16317/ |
title | Apache Tomcat Manager Application Deployer Authenticated Code Execution |
Metasploit
description | This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads. |
id | MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_UPLOAD |
last seen | 2020-06-10 |
modified | 2018-08-20 |
published | 2014-01-27 |
references |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4189
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557
- http://www-01.ibm.com/support/docview.wss?uid=swg21419179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
- http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/tomcat_mgr_upload.rb |
title | Apache Tomcat Manager Authenticated Upload Code Execution |

description | This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass. |
id | MSF:AUXILIARY/SCANNER/HTTP/TOMCAT_MGR_LOGIN |
last seen | 2019-11-17 |
modified | 2019-06-27 |
published | 2013-05-29 |
references |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4189
- http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557
- http://www-01.ibm.com/support/docview.wss?uid=swg21419179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
- http://tomcat.apache.org/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/tomcat_mgr_login.rb |
title | Tomcat Application Manager Login Utility |

description | This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads. |
id | MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_DEPLOY |
last seen | 2020-05-21 |
modified | 2018-08-20 |
published | 2013-01-07 |
references |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4189
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557
- http://www-01.ibm.com/support/docview.wss?uid=swg21419179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
- http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/tomcat_mgr_deploy.rb |
title | Apache Tomcat Manager Application Deployer Authenticated Code Execution |
Nessus
NASL family | Web Servers |
NASL id | TOMCAT_MANAGER_COMMON_CREDS.NASL |
description | Nessus was able to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can exploit this issue to install a malicious application on the affected server and run arbitrary code with Tomcat |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34970 |
published | 2008-11-26 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34970 |
title | Apache Tomcat Manager Common Administrative Credentials |
Packetstorm
data source | https://packetstormsecurity.com/files/download/125021/tomcat_mgr_upload.rb.txt |
id | PACKETSTORM:125021 |
last seen | 2016-12-05 |
published | 2014-02-01 |
reporter | rangercha |
source | https://packetstormsecurity.com/files/125021/Apache-Tomcat-Manager-Code-Execution.html |
title | Apache Tomcat Manager Code Execution |
Saint
bid | 44172 |
description | IBM Rational Quality Manager and Test Lab Manager Policy Bypass |
title | ibm_rational_quality_manager_default_credentials |
type | remote |
References
- http://download4.boulder.ibm.com/sar/CMA/RAA/013m6/0/UpdateLog.txt
- http://osvdb.org/69008
- http://secunia.com/advisories/41784
- http://securitytracker.com/id?1024601
- http://www.securityfocus.com/bid/44172
- http://www.vupen.com/english/advisories/2010/2732
- http://www.zerodayinitiative.com/advisories/ZDI-10-214/