Talos Vulnerability Report

TALOS-2017-0315

Information Builders WebFOCUS Business Intelligence Portal Command Execution Vulnerability

July 19, 2017
CVE Number

CVE-2016-9044

Summary

An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1 . A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability.

Tested Versions

Information Builders WebFOCUS Business Intelligence Portal 8.1

Product URLs

http://www.informationbuilders.com/products/intelligence

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Details

WebFOCUS Business Intelligence Portal 8.1 was found to be vulnerable to an authenticated WebFOCUS code injection attack that resulted in arbitrary command execution on the underlying OS of the host system with the same privileges as those of the web server running the BI portal. To exploit this vulnerability, successful login with a valid user account is required, which has the necessary privileges to access the WebFOCUS Business Intelligence Portal dashboard. Code injection is achieved on the following URL: /ibi_apps/WFServlet

The injection happens on one of the dynamic URL parameters used on this specific URL, a parameter that is directly used within a WebFOCUS language query, which is used by the application to generate dynamic reports. By successfully injecting WebFOCUS code on this URL parameter while properly completing the expected syntax, an attacker can leverage the "! " statement of WebFOCUS which allows for system commands to be executed via the reporting module code. Successfully exploiting this vulnerability results in arbitrary command execution on the underlying Operating System, which in turn can result in full system compromise depending on the level of access the web server is running with.

Mitigation

Restrict access to known, trusted users and hosts.

Timeline

2016-10-31 - Vendor Disclosure
2016-12-20 - Final attempt to contact vendor after no response
2017-07-19 - Public Release

Credit

Discovered by Alfonso Alguacil and Georgios Papakyriakopoulos of Portcullis Computer Security Limited.