search cancel

UIM - Dr.NimBUS.exe - privilege vulnerability


Article ID: 238569


Updated On:


DX Unified Infrastructure Management (Nimsoft / UIM)


Dr.NimBUS.exe - privilege vulnerability  

Dr.NimBUS.exe is a local thick client application running on the UIM HUB server offering Nimsoft administration functionalities to authorised users. 

During the authentication process on execution, the application checks the Windows-logged-in user's privileges in the "security.cfg" file. If the user exists in the configuration file, the next step for the application is to execute the binary with the privileges identified within the user's <acl> tag in the config file.

If the user is not configured with an "NimBUS" execution role, then the app exits with a "privileges too low" error.

Due to insufficient access controls, testers were able to bypass the authorisation process and execute the binary with Superuser privileges by proxying apps traffic and injecting the Superuser role during execution. 


Although a test user account had no privileges to Launch the Dr.NimBUS application I was able to bypass the authorisation controls as below:

Attack steps:
From the configuration file (security.cfg) I identified the “SuperUser” Nimbus role.

I launched the application and I used the EchoMirage tool to proxy the localhost communication between the different Nimbus components.

I updated my user profile role during execution from “default” to “SuperUser”  (Figure 2) and the Dr.NimBUS executed successfully (Figure3) with SuperUser privileges.


Product Vulnerability


Release : UIM 20.x

Component : UIM - HUB


The implementation of a fix to resolve this is targeted for FY22 Q3 with the feature id "F122964".