SAINT CorporationSAINT:BB8A5008F0A2B1AAC9E17FBB77DDA58FHP LoadRunner Virtual User Generator EmulationAdmin service directory traversal
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.948 High
EPSS
Percentile
99.3%
Added: 12/18/2013
CVE: CVE-2013-4837
BID: 63475
OSVDB: 99231
Background
HP LoadRunner is a software performance testing solution.
Problem
A directory traversal vulnerability in the Virtual User Generator EmulationAdmin service allows remote attackers to upload files to arbitrary locations using the copyFileToServer method. The files could then be executed via an HTTP request.
Resolution
Apply LoadRunnner patch v11.52.1, which can be downloaded from HP Software Support Online (SSO).
References
<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437>
<http://www.zerodayinitiative.com/advisories/ZDI-13-259/>
Limitations
Exploit works on HP LoadRunner 11.52. HP LoadRunner must be installed in the standard installation path.
Platforms
Windows
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.948 High
EPSS
Percentile
99.3%