SAINT Corporation
SAINT:BB8A5008F0A2B1AAC9E17FBB77DDA58F
Dec 18, 2013 - 12:00 a.m.

HP LoadRunner Virtual User Generator EmulationAdmin service directory traversal

download.saintcorporation.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.948 High
Percentile: 99.3%

Added: 12/18/2013
CVE: CVE-2013-4837
BID: 63475
OSVDB: 99231

Background

HP LoadRunner is a software performance testing solution.

Problem

A directory traversal vulnerability in the Virtual User Generator EmulationAdmin service allows remote attackers to upload files to arbitrary locations using the copyFileToServer method. The files could then be executed via an HTTP request.
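The class of flaw described above, shown as an added illustration that is not SAINT's or HP's code: a server that joins a client-supplied file name to its upload directory, next to a version that confines the result to that directory. `UPLOAD_ROOT` and all function names are hypothetical, the sample names are constructed, and `ntpath` is used so that Windows path rules apply on any host.

```python
import ntpath  # Windows path rules, usable on any OS

# Hypothetical upload root; the advisory does not give the service's real layout.
UPLOAD_ROOT = r"C:\srv\uploads"


def naive_destination(client_name: str) -> str:
    """Flawed pattern: joins a client-supplied name to the root without checks."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, client_name))


def safe_destination(client_name: str) -> str:
    """Return the path for client_name under UPLOAD_ROOT, or raise ValueError."""
    # Reject empty names, NUL bytes, and ':' (drive letters, alternate data streams).
    if not client_name or "\x00" in client_name or ":" in client_name:
        raise ValueError("invalid characters in name")
    # splitdrive also reports UNC prefixes such as \\host\share as a "drive".
    if ntpath.splitdrive(client_name)[0]:
        raise ValueError("drive-qualified or UNC path")
    candidate = ntpath.normpath(ntpath.join(UPLOAD_ROOT, client_name))
    root = ntpath.normcase(ntpath.normpath(UPLOAD_ROOT))
    # Compare whole path components, case-insensitively. A plain startswith()
    # test would wrongly accept a sibling such as C:\srv\uploads_old.
    if ntpath.commonpath([root, ntpath.normcase(candidate)]) != root:
        raise ValueError("path escapes the upload root")
    if ntpath.normcase(candidate) == root:
        raise ValueError("name does not identify a file")
    return candidate


def is_accepted(client_name: str) -> bool:
    """True when safe_destination would accept the name."""
    try:
        safe_destination(client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in [r"results\run1.zip", "a/../b.txt", r"..\..\other\report.txt",
                 r"..\uploads_old\x.txt", r"\\host\share\x", r"C:\x"]:
        print(f"{name!r:32} naive={naive_destination(name)!r:34} "
              f"accepted={is_accepted(name)}")
```

The check is lexical only: it does not resolve junctions or symbolic links that already exist on disk.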

Resolution

Apply LoadRunner patch v11.52.1, which can be downloaded from HP Software Support Online (SSO).

References

<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437>
<http://www.zerodayinitiative.com/advisories/ZDI-13-259/>

Limitations

Exploit works on HP LoadRunner 11.52. HP LoadRunner must be installed in the standard installation path.

Platforms

Windows
