[DSECRG-09-011] HP StorageWorks 1/8 G2 Tape Autoloader - privilege escalation, DOS
A vulnerability was found in Web Administration Interface of device HP StorageWorks 1/8 G2 Tape Autoloader.
Default unprivileged user can escalate privileges to the administrator and execute DOS attack.
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011
Application: HP StorageWorks 1/8 G2 Tape Autoloader
Versions Affected: firmware v 2.30 and earlier
Vendor URL: http://hp.com/
Bug: Privilege escalation
Exploits: YES
Reported: 30.09.2008
Vendor Response: 30.09.2008
Date of Public Advisory: 11.01.2010
Solution: yes
CVE: CVE-2009-2680
CVSS 2.0: 8.5
Author: Alexandr Polyakov
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
A vulnerability was found in Web Administration Interface of device HP StorageWorks 1/8 G2 Tape Autoloader.
A default unprivileged user can escalate privileges to the administrator.
Details
*******
An attacker can connect with standard credentials
(username: user and password: user).
After that he can see the cookies like that:
RMU_LEVEL 1
RMU_LOGIN 9999
RMU_SESSION 5
Then if he changes the RMU_LEVEL parameter to 2, he can be authorized as administrator.
After that he can do anything possible using administrative rights.
Solution
********
Install the following patches
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01868405
References
**********
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01868405
http://dsecrg.com/pages/vul/show.php?id=111
About
*****
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com