Eleytt Research
www.eleytt.com



Overview:
====================
Michal Bucko, Eleytt, www.eleytt.com/michal.bucko
Tomasz Polis, Eleytt


Credit:
====================

Michal Bucko, Eleytt, www.eleytt.com/michal.bucko

Mateusz Jurczyk (in cooperation with Eleytt Research,
for Gadu-Gadu "emots.txt" vulnerability)




Vulnerability Table
===================

1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site
Scripting Vulnerabilities
2. IBM Tivoli Provisioning Manager Express Remote Username
Enumeration Weakness
3. Computer Associates eTrust Threat Management Console
IP Address HTML Injection Weakness
4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service
Vulnerability
5. Gadu-Gadu Remote User Addition Vulnerability



Vulnerability found by Mateusz Jurczyk (j00ru)
working with Eleytt Research
=============================================================

Disclaimer: Eleytt Research cooperates with external security
researchers.


6. Gadu-Gadu "emots.txt" Arbitrary Code Execution Vulnerability








Vulnerability Details
=========================
=========================


1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site
Scripting Vulnerabilities
===========================================================

IBM Tivoli Provisioning Manager Express (http://127.0.0.1/tpmx) is
vulnerable to multiple cross-site scripting vulnerabilities, e.g.
assess modification, user-id etc. are not properly sanitized. This
might lead to remote java script code execution (cookie theft,
redirection, HTML injection etc.) Error processing is also vulnerable
to cross-site scripting.



2. IBM Tivoli Provisioning Manager Express Remote Username
Enumeration Weakness
=======================================================

IBM Tivoli Provisioning Manager Express is vulnerable to
remote username enumeration vulnerability. When trying to
create a new user with 'username' value that already exists,
one receives certain information about the problem. The problem
is even more serious as the login page is not crawler-protected,
thus automated brute-force attacks on certain acccounts might
be possible. This might lead to further attacks based on
the information obtained.


3. Computer Associates eTrust Threat Management Console
IP Address HTML Injection Weakness
====================================================

IP Address (and various other) are prone to HTML injection
weakness. No exploit is required. Further investigation has
not been performed, other weaknesses might also be possible.




4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service
Vulnerability
=========================================================

Improper "skin" attribute handling by the (by default) registered
protocol handler (gadu-gadu protocol "gg") leads to resource
consumption based denial of service conditions. Gadu Gadu cannot
be running on the remote machine, only installed. The vulnerability
might be exploited via a web browser. The attacker should entice
the unaware victim to open a specially crafted link.



More verbose information has been provided directly to Gadu-Gadu.



5. Gadu-Gadu Remote Unspecified User Addition Vulnerability
========================================================

Popular communicator allows remote user addition as the result
of improper protocol handling (protocol handler "gg" is registered
by default). The vulnerability might be exploited via a web browser.
The attacker should lead to unaware victim opening the specially
crafted link. It might be also possible to send gadu-gadu request
from unauthorized users, but this has not been proven nor confirmed
yet.

This vulnerability might also allow to perform denial of service
attacks under certain conditions.


More verbose information has been provided directly to respective
software vendor.






Eleytt Research cooperates with external security researchers!
==============================================================
==============================================================



6. Gadu-Gadu "emots.txt" Arbitrary Code Execution Vulnerability
============================================================

The vulnerability has already been disclosed by a 3rd party
security research team, in cooperation with Eleytt Research.
Mateusz Jurczyk (j00ru) in cooperation with Eleytt Research
is credited with the discovery of the vulnerability.

This vulnerability has already been disclosed and vendor has
been given provided with information.









Meet Our Business Continuity Program!
=====================================

Eleytt offers Eleytt Business Continuity Program. What is it?

- Long-term continous security audits
- Security consulting and training
- Security policy compliance issues

For more information, please refer to eleytt.com, http://www.eleytt.com





Eleytt - Company Information
============================

Eleytt Corporation is specialized in penetration testing, vulnerability
development, advanced reverse engineering and exploitation techniques.
Eleytt provides various security-related services: risk assessment,
security policy, security assurance, incident management, web
application security testing, continuous security assurance programs.
Eleytt provides security audits for financial institutions and e-commerce.
Eleytt provides an in-depth security analysis - experienced security
experts analyze your source code, analyze your application, analyze your
web application. Eleytt runs security programs for financial institutons
and e-commerce.

We have the mission to improve the security level of software and web
applications. It is us who help you implement more secure applications.
We help you understand the risk and deploy security solutions. We help
you avoid costly business disruptions.




These are the questions, which might help you understand how we work:
=====================================================================

Want to get your web site checked for security vulnerabilities?

Your server requires real penetration testing?

Interested in Eleytt Business Continuity Program?

Interested in Eleytt Application Security Program?

For more information, please use:

http://www.eleytt.com








DISCLAIMER
==========

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.