HP Application Lifecycle Management ActiveX Control Arbitrary File Overwrite

2012-10-09T00:00:00
ID SAINT:48143CEE9CD68F8725FBAE0874969316
Type saint
Reporter SAINT Corporation
Modified 2012-10-09T00:00:00

Description

Added: 10/09/2012
BID: 55272
OSVDB: 85059

Background

HP Application Lifecycle Management (ALM) is a software product designed to manage the application lifecycle from requirements through readiness for delivery from a single repository, providing a consistent user experience and customizable dashboard.

Problem

The XGO.ocx ActiveX control in HP Application Lifecycle Management exposes an insecure method, CopyToFile, which allows an attacker to create and overwrite files on the system of the user invoking the control. A remote attacker who persuades a user to visit a specially crafted web page could execute arbitrary code in the context of the process.

Resolution

Upgrade when HP provides one. In the interim, access to the HP Application Lifecycle Management service should be restricted to trusted machines.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-170/>

Limitations

This exploit has been tested against HP Lifecycle Management ActiveX 11.50.777.0 on Microsoft Windows XP SP3 English (DEP OptIn).

The user must open the exploit page in Internet Explorer.

The target machine must reboot after the exploit script runs in order to open the shell connection.

Platforms

Windows