HP Release Control Authenticated Privilege Escalation and XXE

2014.05.18
Credit: Brandon Perry
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi, Linked is a gist detailing a few vulnerabilities I found in HP Release Control 9.20.0000, Build 395. You can download it on the On-premise software tab here: http://www8.hp.com/us/en/software-solutions/software.html?compURI=1350467#.U3aJWl5-_8s Basically, the first request an admin makes when on the user configuration page when poplulating the user grid any user can make. Using this, you can find out the admin's ID (and password hash!), which can be used when sending a request to the password change AMF endpoint to change the admin password. After that, you can log in as admin, then exploit an XXE vuln in the dashboard import mechanism. For some reason it always fails to login as the admin the first run. I am not sure if it is a race condition or what, but just rerun it. A sample run is included at the bottom of the module. https://gist.github.com/brandonprry/1ed5633fa7ba18538f02

References:

https://gist.github.com/brandonprry/1ed5633fa7ba18538f02
http://www8.hp.com/us/en/software-solutions/software.html?compURI=1350467#.U3aJWl5-_8s


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top