ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

UIM - Dr.NimBUS.exe - privilege vulnerability

book

Article ID: 238569

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Dr.NimBUS.exe - privilege vulnerability  

Dr.NimBUS.exe is a local thick client application running on the UIM HUB server offering Nimsoft administration functionalities to authorised users. 

During the authentication process on execution, the application checks the Windows-logged-in user's privileges in the "security.cfg" file. If the user exists in the configuration file, the next step for the application is to execute the binary with the privileges identified within the user's <acl> tag in the config file.

If the user is not configured with an "NimBUS" execution role, then the app exits with a "privileges too low" error.

Due to insufficient access controls, testers were able to bypass the authorisation process and execute the binary with Superuser privileges by proxying apps traffic and injecting the Superuser role during execution. 

 


DETAILS:
Although a test user account had no privileges to Launch the Dr.NimBUS application I was able to bypass the authorisation controls as below:

 
Attack steps:
From the configuration file (security.cfg) I identified the “SuperUser” Nimbus role.

I launched the application and I used the EchoMirage tool to proxy the localhost communication between the different Nimbus components.

I updated my user profile role during execution from “default” to “SuperUser”  (Figure 2) and the Dr.NimBUS executed successfully (Figure3) with SuperUser privileges.

Cause

Product Vulnerability

Environment

Release : UIM 20.x

Component : UIM - HUB

Resolution

The implementation of a fix to resolve this is targeted for FY22 Q3 with the feature id "F122964".