Full Report
A while back, after some live music and drinks at Railways, I made my way to another city for pleasant weather, some dubious food, the ever-wakeful seagulls, and ultimately – an assessment. After playing around for a few days, Jason and I had obtained access to a system which contained cleartext credentials, namely ihsadmin:ihsadmin. Using these credentials, we were also able to SSH into a management server of sorts. While this was great, there were still several other servers in-scope that we had no access to. After scanning the network for a bit, I found out that a couple of these servers ran HTTP services on port 80, 8008 and 9080.
Analysis Summary
# Incident Report: IBM HTTP Server Administrative Interface Takeover (SAIL Exploitation)
## Executive Summary
During a penetration test assessment, the testers gained initial system access which exposed cleartext credentials (`ihsadmin:ihsadmin`). These credentials were used to access an IBM Administration Server running on port 8008. By reverse-engineering the utilized administrative module (`mod_ibm_admin`), the testers manipulated HTTP headers to issue administrative commands, ultimately achieving the ability to write files to the server. This led to the upload of an SSH key and subsequent escalation to root access by hijacking the `apachectl` utility execution path.
## Incident Details
- **Discovery Date:** Not explicitly stated, but occurred after "playing around for a few days."
- **Incident Date:** Circa May 2022 (based on publication date).
- **Affected Organization:** Not disclosed (Client undergoing an assessment).
- **Sector:** Implied IT/Web Services hosting, given the IBM HTTP Server (IHS) environment.
- **Geography:** Not disclosed ("another city").
## Timeline of Events
### Initial Access
- **Date/Time:** After a few days of initial network engagement.
- **Vector:** Compromised system containing cleartext credentials.
- **Details:** Testers obtained `ihsadmin:ihsadmin` credentials from an in-scope system. These credentials were used to SSH into a management server.
### Reconnaissance & Discovery
- **Date/Time:** Following initial access.
- **Vector:** Internal network scanning.
- **Details:** Testers scanned the network and discovered HTTP services running on ports 80, 8008, and 9080 on other in-scope servers. Accessing port 8008 revealed an "IBM Administration Server" interface protected by basic HTTP authentication, which accepted the already compromised credentials.
### Lateral Movement & Exploitation (Using Port 8008 Interface)
- **Date/Time:** Subsequent to initial credential use.
- **Vector:** Exploitation of the `mod_ibm_admin` module via crafted HTTP requests.
- **Details:**
1. Testers determined that the administrative interface expected specific request headers (`Command` and `Arguments`, later identified as `SAILCmd` and `SAILArgs`) whose exact names were initially unclear.
2. Reverse-engineered the `mod_ibm_admin.so` module from an already compromised server to identify supported commands: `ReadFile`, `WriteFile`, `ServerControl`, `NumberOfLines`, and `ExpandMachine`.
3. Successfully executed `ReadFile` using the `SAILCmd`/`SAILArgs` headers to read `/etc/passwd`.
4. Used the `WriteFile` command (via a GET request with content in the body) to attempt uploading a web shell.
### Privilege Escalation
- **Date/Time:** Following successful file write capability.
- **Vector:** Configuration manipulation and command hijacking via `ServerControl`.
- **Details:**
1. Testers attempted to configure IHS to run as root via a modified configuration file using `WriteFile` and then using `ServerControl` to restart the service. This failed initially.
2. The server was reconfigured to start as a specific user, 'bob', resulting in the CGI web shell executing under the 'bob' user context.
3. Reverse engineering showed that `ServerControl` caused the root-owned server process to execute `apachectl`. Since 'bob' owned `apachectl`, the testers replaced it with a shell script that granted 'bob' root access via `sudo`, then triggered another service restart via `ServerControl`.
4. The executed `apachectl` script successfully granted the testers root access via `sudo`.
### Data Exfiltration/Impact
- **Data Access:** Testers gained the ability to read arbitrary files (`/etc/passwd` confirmed) and write arbitrary files to the web server.
- **Final Impact:** Attainment of root-level access on the targeted management server(s).
### Detection & Response
- **Detection:** No detection of the activity by the client is reported; the weakness was identified and exercised by the penetration testers themselves.
- **Response Actions:** As this was an assessment scenario, no formal remediation actions were taken by the client *during* the engagement timeline; the scope was limited to demonstrating successful compromise.
## Attack Methodology
| Stage | Method Used |
| :--- | :--- |
| **Initial Access** | Credential compromise (obtaining cleartext credentials). |
| **Persistence** | Uploading an SSH key via the compromised interface to establish SSH access as user 'bob'. |
| **Privilege Escalation** | Exploitation of the administrative interface logic to invoke system commands (`ServerControl`) which, through owner/permission confusion, led to hijacking the `bob`-owned `apachectl` binary to gain `sudo` root. |
| **Defense Evasion** | Not explicitly detailed. The exploitation consisted of authenticated requests to an undocumented administrative interface, relying on a deep understanding of that interface rather than on a known exploit pattern, so standard WAF/IDS controls would not be expected to flag it. |
| **Credential Access** | Direct capture of cleartext credentials (`ihsadmin:ihsadmin`). |
| **Discovery** | Network scanning (ports 80, 8008, 9080) and manual testing against the management port. |
| **Lateral Movement** | Use of valid credentials to SSH into a management server, followed by leveraging the management interface (port 8008) to pivot to other in-scope servers that were previously inaccessible. |
| **Collection** | Used `ReadFile` command to browse sensitive system files (`/etc/passwd`). |
| **Exfiltration** | SSH key upload facilitated future remote access/data collection (though full exfiltration was not detailed). |
| **Impact** | Full control over the IBM HTTP Server process and underlying system via root privileges. |
## Impact Assessment
- **Financial:** Not available/Not disclosed.
- **Data Breach:** Type of data compromised is not specified beyond system configuration files (like the IHS config via attempted writes) and user lists (`/etc/passwd`). Full extent of data access is unknown.
- **Operational:** High impact; the core web service management infrastructure was fully compromised, leading to root control.
- **Reputational:** Not applicable (internal assessment context).
## Indicators of Compromise
- **Network Indicators:** Connections to TCP port 8008 on the management server carrying HTTP basic authentication with the credentials `ihsadmin:ihsadmin`.
- **File Indicators:** Modified configuration files for IHS; creation/replacement of the `apachectl` utility with a malicious script.
- **Behavioral Indicators:** Unusual HTTP requests targeting the IBM Administration Server on port 8008 containing non-standard headers for administration (`SAILCmd`, `SAILArgs`, `InstallRoot`, `CfgFile`).
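As an added illustration of the behavioral indicator above (example code written for this summary, not from the original post or from IBM): a small scanner that flags SAIL commands in the administration server's access log and highlights the write-then-restart sequence the report describes. It assumes the port-8008 vhost has been configured, through Apache's `%{Header}i` `LogFormat` escape, to record the `SAILCmd` and `SAILArgs` request headers; the log lines it runs over are constructed sample data.

```python
"""Flag SAIL administrative commands in IBM HTTP Server access logs.

Added example, not part of the original report. It assumes the port-8008
administration vhost records the SAIL headers with a custom LogFormat:

  LogFormat "%h %u %t \"%r\" %>s \"%{SAILCmd}i\" \"%{SAILArgs}i\"" sail
  CustomLog logs/admin_access.log sail

The log lines below are constructed for this example; hosts, request paths
and timestamps are made up.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = """\
10.0.0.5 ihsadmin [12/May/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "-"
10.0.0.9 ihsadmin [12/May/2022:10:05:44 +0000] "GET / HTTP/1.1" 200 "ReadFile" "/etc/passwd"
10.0.0.9 ihsadmin [12/May/2022:10:07:10 +0000] "GET / HTTP/1.1" 200 "WriteFile" "/opt/IBM/HTTPServer/conf/httpd.conf"
10.0.0.9 ihsadmin [12/May/2022:10:09:31 +0000] "GET / HTTP/1.1" 200 "ServerControl" "restart"
10.0.0.7 ihsadmin [12/May/2022:10:12:00 +0000] "GET / HTTP/1.1" 200 "NumberOfLines" "/opt/IBM/HTTPServer/logs/error_log"
10.0.0.5 - [12/May/2022:10:15:00 +0000] "GET / HTTP/1.1" 401 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<cmd>[^"]*)" "(?P<args>[^"]*)"$'
)

# Commands the report lists for mod_ibm_admin, grouped by impact on the host.
HIGH_IMPACT = {"WriteFile", "ServerControl"}
READ_COMMANDS = {"ReadFile", "NumberOfLines"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/", "/.ssh/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Severity for a parsed entry, or None when the request carried no SAIL command."""
    cmd, args = entry["cmd"], entry["args"]
    if cmd in ("-", ""):
        return None                      # ordinary request, no SAILCmd header
    if cmd in HIGH_IMPACT:
        return "high"                    # arbitrary file write or service restart
    if cmd in READ_COMMANDS:
        if any(s in args for s in SENSITIVE_PATHS):
            return "high"                # read of an identity/credential file
        return "medium"
    return "medium"                      # any other command (e.g. ExpandMachine)


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per log line that carried a SAIL command, in log order."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            alerts.append({**entry, "severity": severity})
    return alerts


def hosts_with_write_then_control(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts that issued a WriteFile followed later by a ServerControl.

    That ordering is the escalation pattern in the report: plant a config
    file or replacement binary, then make the root-owned parent restart
    the server so it gets executed.
    """
    seen_write: Dict[str, bool] = defaultdict(bool)
    matched: List[str] = []
    for a in alerts:
        if a["cmd"] == "WriteFile":
            seen_write[a["host"]] = True
        elif a["cmd"] == "ServerControl" and seen_write[a["host"]]:
            if a["host"] not in matched:
                matched.append(a["host"])
    return matched


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:6} {a["host"]:10} {a["cmd"]:14} {a["args"]}')
    print("write-then-restart from:", hosts_with_write_then_control(found))
```

The sample run flags three high-severity entries and one medium one, and reports `10.0.0.9` as the host that wrote a file and then restarted the server. In a real deployment the same rules can be expressed in whatever log pipeline receives the admin vhost's access log; the important part is to log the two headers at all, since a default `LogFormat` discards them.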
## Response Actions
*Note: As this was a penetration test, the "response" was the testing procedure to achieve the final objective.*
1. **Containment (Initial):** Used valid credentials only on authenticated systems.
2. **Eradication (Simulated):** Identification that the primary method could have been mitigated by proper configuration of the SAIL interface or fixing underlying privilege issues.
3. **Recovery (Simulated):** Revert configuration files and restore the original `apachectl` binary.
## Lessons Learned
- **Cleartext Credentials:** The initial breach vector was the presence of cleartext credentials on an accessible system.
- **Undocumented Functionality:** Administrative interfaces, especially those built on modules like `mod_ibm_admin`, can expose powerful functionality via undocumented mechanisms (custom HTTP headers) that lack robust input validation or protection.
- **Privilege Chaining:** Exploiting weaknesses in the process execution chain (where a high-privilege process calls a lower-privilege binary owned by a different user) is a highly effective escalation technique.
## Recommendations
1. **Credential Security:** Implement mandatory credential recycling and strong password policies; never store cleartext credentials.
2. **Administrative Restriction:** Restrict access to management ports (like 8008) strictly via internal firewalls or VPNs, ideally only accessible from secure jump boxes.
3. **Principle of Least Privilege:** System processes (IHS) should run under accounts with the absolute minimum permissions necessary. A user such as `bob` should never own, or be able to overwrite, a binary like `apachectl` that a root-owned process executes.
4. **Configuration Auditing:** Regularly audit sensitive service configuration files and ensure file permissions prevent unauthorized modification.
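As an added example of the control that recommendations 3 and 4 call for (code written for this summary, not from the original post or from IBM): a small audit that checks the ownership and permissions of files a root-owned IHS process executes or reads, and of every directory above them. The install paths in `DEFAULT_PATHS` are an assumed layout, not one taken from the report, and `make_demo_layout` builds a scratch copy so the check can be exercised without a real install.

```python
"""Audit files that a root-owned IHS process executes or reads.

Added example, not part of the original report. A file that root executes
(apachectl, httpd) or reads (httpd.conf) must be owned by the expected uid
and writable by nobody else, and no directory on the path to it may be
writable by other users either, or the file can be swapped out the way the
report describes for apachectl.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Assumed install layout; adjust to the real one before use.
DEFAULT_PATHS = [
    "/opt/IBM/HTTPServer/bin/apachectl",
    "/opt/IBM/HTTPServer/bin/httpd",
    "/opt/IBM/HTTPServer/conf/httpd.conf",
]

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _ancestors(path: str, top: str) -> List[str]:
    """Directories from the parent of `path` up to and including `top`."""
    top = os.path.abspath(top)
    cur = os.path.dirname(os.path.abspath(path))
    dirs = []
    while True:
        dirs.append(cur)
        if cur == top or cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    return dirs


def audit_path(path: str, expected_uid: int = 0, top: str = "/") -> List[str]:
    """Return findings for one file; an empty list means it passes.

    Rules: the file exists, is not a symlink, is owned by `expected_uid` and
    is not group/world-writable. Each ancestor directory up to `top` is
    owned by root or `expected_uid` and is not group/world-writable unless
    the sticky bit is set (as on /tmp).
    """
    findings: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink; audit the link target instead"]
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        findings.append(f"{path}: writable by group or others (mode {stat.S_IMODE(st.st_mode):04o})")
    for d in _ancestors(path, top):
        try:
            dst = os.stat(d)
        except FileNotFoundError:
            continue
        if dst.st_uid not in (0, expected_uid):
            findings.append(f"{d}: directory owned by uid {dst.st_uid}")
        if dst.st_mode & GROUP_OR_OTHER_WRITE and not dst.st_mode & stat.S_ISVTX:
            findings.append(f"{d}: directory writable by group or others without sticky bit")
    return findings


def audit(paths: List[str], expected_uid: int = 0, top: str = "/") -> Dict[str, List[str]]:
    """Audit every path and return {path: findings}."""
    return {p: audit_path(p, expected_uid, top) for p in paths}


def make_demo_layout() -> dict:
    """Create a scratch layout: a correctly set apachectl and a world-writable httpd.conf.

    Constructed for the demo only, so the audit can run without a real install.
    """
    base = tempfile.mkdtemp(prefix="ihs-audit-")
    bindir, confdir = os.path.join(base, "bin"), os.path.join(base, "conf")
    for d in (bindir, confdir):
        os.mkdir(d)
        os.chmod(d, 0o755)
    ctl, cfg = os.path.join(bindir, "apachectl"), os.path.join(confdir, "httpd.conf")
    for p, mode in ((ctl, 0o755), (cfg, 0o666)):
        open(p, "w").close()
        os.chmod(p, mode)
    return {"top": base, "uid": os.getuid(), "paths": [ctl, cfg]}


if __name__ == "__main__":
    demo = make_demo_layout()
    for p, f in audit(demo["paths"], demo["uid"], demo["top"]).items():
        print("FAIL" if f else "OK  ", p)
        for line in f:
            print("     ", line)
```

Run against a real install with `expected_uid=0` and the default `top="/"`; the scratch layout instead uses the current user as the expected owner and stops the directory walk at the temporary base, so the result does not depend on the permissions of the system temp directory. The demo reports `apachectl` as passing and `httpd.conf` as writable by others.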