IBM Datapower Exploit CVE-2020-5014

Posted on 21 October 2020

During some personal security research I discovered an SSRF vulnerability in IBM DataPower which could then be upgraded to RCE. The practical upshot is that with an authenticated session to the DataPower management WebGUI it was possible to execute code on the underlying Linux host inside the appliance. In the case of the Docker edition, code runs as the drouter user; on the virtual or physical editions of DataPower the user is root. This could be leveraged to extract private keys from the device or used as a network backdoor / foothold for further attacks.

Technical Overview

The DataPower management WebGUI offers a function called “Send a Test Message” to any authenticated session, whether a standard or an administrator user. This tool is designed to debug connectivity between DataPower and other services. It was discovered, however, that it could also be used to contact services listening on localhost (127.0.0.1) inside the appliance. One of those services was Redis.

By misusing this tool an SSRF attack is possible, and when combined with HTTP request smuggling it is possible to send commands to Redis. This would normally be prevented because Redis is password protected, but further research showed that this password was hardcoded.

Finally, combining all of this with a pre-existing Redis RCE vulnerability makes it possible to execute arbitrary code on the Linux operating system underlying DataPower.
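The defensive counterpart to the chain above is a destination check for any outbound "send a test message" style feature: resolve the user-supplied host first and refuse anything that lands on loopback, link-local or private address space, including a hostname that merely resolves there. The following Python is an added example written for this page, not IBM's or DataPower's code; the hostnames, the resolver table and the URLs are constructed so that it runs offline, and a real deployment would swap the resolver for socket.getaddrinfo().

```python
"""Destination check for an outbound "Send a Test Message" style feature.

Added example for this page, not IBM or DataPower code. It assumes the
feature receives a user-supplied URL and must not reach services bound to
the appliance's own loopback or private interfaces (such as a local Redis).
"""
import ipaddress
from urllib.parse import urlsplit

# Address space an outbound test message must never reach. Listed explicitly
# rather than via ipaddress.is_private so the policy is visible and reviewable.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network; connecting to 0.0.0.0 reaches loopback on Linux
    "127.0.0.0/8",      # loopback, where the appliance's Redis listened
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT
    "169.254.0.0/16",   # link-local, including cloud metadata endpoints
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed resolver table so the example runs offline (hostnames and
# addresses are made up). A real deployment would call
# socket.getaddrinfo(host, None) and keep every address it returns.
FAKE_DNS = {
    "partner.example.com": ["203.0.113.10"],
    "localtest.example.com": ["203.0.113.11", "127.0.0.1"],  # also points home
    "redis-internal.example.com": ["10.0.0.5"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def resolve(host, resolver):
    """Return the IP addresses a host designates, as ipaddress objects."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    # Not a canonical literal. Hostnames go to the resolver; so do shorthand
    # literals such as "127.1" or "2130706433", which libc would accept and
    # which must therefore be judged by the address they turn into.
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_internal(addr):
    """True if addr is in blocked space; unwraps IPv4-mapped IPv6 first."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped      # ::ffff:127.0.0.1 is really 127.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_safe_destination(url, resolver=fake_resolver):
    """True only if every address the URL's host resolves to is external.

    Fails closed: unparsable URLs, missing hosts and names that do not
    resolve are all refused rather than passed through.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    addrs = resolve(host, resolver)
    if not addrs:
        return False
    return not any(is_internal(a) for a in addrs)


if __name__ == "__main__":
    for url in ("http://partner.example.com/ping",
                "http://127.0.0.1:6379/",
                "http://[::ffff:127.0.0.1]:6379/",
                "http://localtest.example.com/"):
        verdict = "allow" if is_safe_destination(url) else "refuse"
        print(f"{url:45} -> {verdict}")
```

The check resolves first and then decides, so a name that resolves to both a public and a loopback address is refused outright. In a real implementation, connect to the address that was checked rather than re-resolving at connect time; otherwise a DNS rebinding attacker can pass the check with one answer and reach 127.0.0.1 with the next. Blocking ports is not a substitute for this: the service reached here was simply whatever happened to be listening on the loopback interface.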

Exploit Demo and Walkthrough Video

Code

Timeline

Total time elapsed between initial report and resolution = 139 days (4 months, 16 days)