IBM Installation Manager iim URI Handling Code Execution
Added: 10/16/2009
CVE: CVE-2009-3518
BID: 36549
OSVDB: 58420
Background
IBM Installation Manager (IIM) is a software tool that helps to install, update, modify, and uninstall packages.
Problem
When IIM is installed, it registers the application IBMIM.exe as the iim:// scheme handler, so when an iim:// URI is opened, the web browser launches IIM as the default application. An argument injection vulnerability allows non-privileged command execution when a user loads a page that uses double quotes in the URI to manipulate the -vm argument to IBMIM.exe. The -vm argument allows the specification of an executable to use for the Java virtual machine. A successful attacker can cause a malicious file to be executed from remote locations using Server Message Block (SMB).
Resolution
Upgrade to a version of IIM newer than 1.3.2 when it becomes available.
References
http://secunia.com/advisories/36906/
Limitations
Exploit works on IBM Installation Manager 1.3.2 and requires a user to load the exploit page in Internet Explorer 6, 7, or 8. In order for this exploit to succeed, first download the exploit.exe file from the exploit server and place it on the specified SMB share, which must be accessible by the target.
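Until a fixed version is installed, the argument injection described under Problem can be looked for in process-creation logs. The following is an added example, not part of the original advisory or of any IBM tooling: it flags IBMIM.exe launches in which a -vm argument follows the iim: URI. The install path, hosts, sample command lines and the assumption that the handler passes the URI as its last argument are all constructed for illustration.

```python
import ntpath

def split_cmdline(cmdline):
    """Minimal Windows-style split: whitespace separates, double quotes group."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def classify(cmdline):
    """Classify one process-creation command line."""
    args = split_cmdline(cmdline)
    if not args or ntpath.basename(args[0]).lower() != "ibmim.exe":
        return "ignore"
    uri_at = next((i for i, a in enumerate(args) if a.lower().startswith("iim:")), None)
    if uri_at is None:
        return "normal-launch"
    # Arguments after the URI were not part of the registered handler command
    # (assumption: the handler passes the URI as its last argument).
    trailing = args[uri_at + 1:]
    lowered = [a.lower() for a in trailing]
    if "-vm" not in lowered:
        return "uri-launch"
    vm_pos = lowered.index("-vm")
    vm_value = trailing[vm_pos + 1] if vm_pos + 1 < len(trailing) else ""
    # A JVM path on an SMB share (UNC path) matches the remote case above.
    return "alert-vm-unc" if vm_value.startswith("\\\\") else "alert-vm"

# Constructed sample events; the install path and hosts are placeholders.
IIM = r'"C:\Program Files\IBM\Installation Manager\IBMIM.exe"'
SAMPLES = [
    r'"C:\Windows\notepad.exe" notes.txt',
    IIM,
    IIM + r' "iim://example.invalid/repository"',
    IIM + r' "iim://example.invalid/" -vm \\198.51.100.7\share\jvm.exe"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

The unbalanced trailing quote in the last sample is what a quoted URI placeholder leaves behind when the URI itself contains a double quote, so the tokenizer tolerates it rather than rejecting the line.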
Platforms
Windows