Executive Summary

This alert is mapped to a weakness on the CWE/SANS Top 25 Most Dangerous Software Errors list (CWE-78, OS command injection; see the CWE section below).
Summary

Title: HP System Management Homepage contains a command injection vulnerability

Information
Name: VU#735364
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2013-06-11
Last vendor modification: 2013-06-11
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 vector has been assigned to this alert)
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS base score: 9.0
CVSS impact score: 10.0
CVSS exploitability score: 8.0
Attack range: Network
Attack complexity: Low
Authentication: Requires single instance

Detail

Vulnerability Note VU#735364

HP System Management Homepage contains a command injection vulnerability

Original Release date: 11 Jun 2013 | Last revised: 11 Jun 2013

Overview

HP System Management Homepage contains a command injection vulnerability (CWE-77) that may result in arbitrary command execution and privilege escalation.

Description

Markus Wulftange from Daimler TSS reports:

      The vulnerability is located in the `ginkgosnmp.inc` PHP file in the `C:\hp\hpsmh\data\smhutil` or `/opt/hp/hpsmh/data/smhutil` directory, respectively. Inside the `ginkgosnmp.inc` script, the last path segment of the current requested URL path is used in an `exec` call without proper escaping:

      // Last segment of the requested URL (everything after the final '/') is attacker-controlled
      // and is concatenated into a file name without any escaping.
      $tempfilename = "$sessiondir/" . substr($_SERVER["SCRIPT_URL"], 1 + strrpos($_SERVER["SCRIPT_URL"], '/')) . uniqid(".", true) . time() . ".txt";

      [...]

      if ("Linux" == PHP_OS) {
          $cmd = "../../webapp-data/webagent/csginkgo -f$tempfilename";
      } else {
          $windrive = substr($_SERVER["WINDIR"], 0, 2);
          $cmd = "$windrive\\hp\\hpsmh\\data\\smhutil\\csginkgo.exe -f$tempfilename";
      }

      // The whole string is handed to the system shell.
      exec($cmd, $out);

      This script is reachable via the URL path `https://<host>:2381/smhutil/snmpchp.php.en`. Due to Apache's MultiViews it can also be referenced with any additional path segments after the `snmpchp.php.en` segment: `https://<host>:2381/smhutil/snmpchp.php.en/foo/bar` still triggers `https://<host>:2381/smhutil/snmpchp.php.en` but `$_SERVER["SCRIPT_URL"]` is `https://<host>:2381/smhutil/snmpchp.php.en/foo/bar`. This can be exploited as follows:

      https://<host>:2381/smhutil/snmpchp.php.en/&&<cmd>&&echo (full file name)
      https://<host>:2381/smhutil/snmpchp.php/&&<cmd>&&echo (without "en" language indicator)
      https://<host>:2381/smhutil/snmpchp/&&<cmd>&&echo (without any file name extension)

      Besides the path segment separator `/`, the characters `<`, `>`, and `|` are also not allowed, which makes exploiting this vulnerability a little hard.

      https://<host>:2381/smhutil/snmpchp/&&whoami&&echo
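
The string building in the report above can be reproduced outside PHP to see exactly why the trailing `&&echo` is needed and what a fix looks like. The following Python is an added example, not code from the vulnerability note or from HP: it mirrors the Linux branch of the `ginkgosnmp.inc` logic, runs the resulting string through `/bin/sh -c` the way PHP's `exec()` does, and contrasts it with an allowlist-plus-argv construction. The session directory, the stand-in `true` binary used in place of `csginkgo`, the `INJECTED` marker payload and the `uniqid()` approximation are assumptions made for the demonstration.

```python
import re
import subprocess
import time
import uuid

# Assumption: stand-in for SMH's per-session temp directory ($sessiondir).
SESSIONDIR = "/tmp/hpsmh-session"
# Assumption: "true" stands in for csginkgo; it exits 0 whatever -f argument it gets.
AGENT_STANDIN = "true"


def last_segment(script_url: str) -> str:
    """PHP's substr($u, 1 + strrpos($u, '/')): everything after the last '/'.

    Apache's MultiViews lets the client append extra segments after
    snmpchp.php.en, so this value is attacker-controlled."""
    return script_url[script_url.rfind("/") + 1:]


def temp_filename(script_url: str, sessiondir: str = SESSIONDIR) -> str:
    """Mirror of the $tempfilename expression (uniqid(".", true) . time() approximated)."""
    return f"{sessiondir}/{last_segment(script_url)}.{uuid.uuid4().hex}{int(time.time())}.txt"


def vulnerable_cmd(script_url: str, agent: str = AGENT_STANDIN) -> str:
    """The Linux branch of ginkgosnmp.inc: one shell string, no escaping."""
    return f"{agent} -f{temp_filename(script_url)}"


def run_like_php_exec(cmd: str) -> str:
    """PHP exec() hands the string to /bin/sh -c; do the same and return stdout."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def simulate_injection(payload: str = "&&echo INJECTED&&echo") -> str:
    """Request /smhutil/snmpchp/<payload>: the agent runs, then the injected
    command, then the leftover 'echo.<uniqid><time>.txt' token fails harmlessly."""
    script_url = "/smhutil/snmpchp/" + payload  # SCRIPT_URL, already URL-decoded by Apache
    return run_like_php_exec(vulnerable_cmd(script_url))


# ---- hardened construction -------------------------------------------------
# Only the real script names are acceptable as the "file name" part of the temp file.
SAFE_SEGMENT = re.compile(r"snmpchp(?:\.php(?:\.[a-z]{2})?)?")


def hardened_cmd(script_url: str, agent: str = AGENT_STANDIN) -> list:
    """Allowlist the segment, then build argv so no shell ever parses it."""
    seg = last_segment(script_url)
    if not SAFE_SEGMENT.fullmatch(seg):
        raise ValueError(f"rejected path segment: {seg!r}")
    return [agent, f"-f{temp_filename(script_url)}"]


def hardened_rejects(script_url: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        hardened_cmd(script_url)
    except ValueError:
        return True
    return False


def run_hardened(script_url: str) -> str:
    """subprocess without shell=True: the argv list reaches execve unchanged."""
    proc = subprocess.run(hardened_cmd(script_url), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable command:", vulnerable_cmd("/smhutil/snmpchp/&&whoami&&echo"))
    print("shell output      :", simulate_injection().strip())
    print("hardened argv     :", hardened_cmd("/smhutil/snmpchp.php.en"))
    print("hardened rejects  :", hardened_rejects("/smhutil/snmpchp/&&whoami&&echo"))
```

Running it shows the shell executing `true -f/tmp/hpsmh-session/`, then `echo INJECTED`, then a command named `echo.<uniqid><time>.txt` that does not exist; the first `&&` is the injection, the second `&&echo` exists only to swallow the suffix `ginkgosnmp.inc` appends, which would otherwise be glued onto the attacker's command name. The hardened version keeps the original file-naming scheme but refuses anything that is not one of the three legitimate script names and never builds a shell string at all.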

Impact

A remote authenticated user may be able to run arbitrary commands on the HP System Management Homepage server.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Restrict Network Access
As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information

Vendor: Hewlett-Packard Company
Status: Affected
Date notified: 19 Apr 2013
Date updated: 10 Jun 2013

CVSS Metrics

Base: 9.0 - AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal: 8.5 - E:H/RL:W/RC:C
Environmental: 6.4 - CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.hp.com/go/SMH
  • http://cwe.mitre.org/data/definitions/77.html

Credit

Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-3576
  • Date Public: 10 Jun 2013
  • Date First Published: 11 Jun 2013
  • Date Last Updated: 11 Jun 2013
  • Document Revision: 15


Original Source

Url : http://www.kb.cert.org/vuls/id/735364

CWE : Common Weakness Enumeration

CWE-78 (100 %) - Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

The vulnerability note above classifies the weakness as CWE-77 (command injection); CWE-78 is its OS-command-specific child, and is the entry this database maps the alert to.

CPE : Common Platform Enumeration

Type: Application - Count: 1

SAINT Exploits

HP System Management Homepage ginkgosnmp.inc Command Injection

Information Assurance Vulnerability Management (IAVM)

Date Description
2013-09-26 IAVM : 2013-B-0109 - HP System Management Homepage (SMH) Command Injection Vulnerability
Severity : Category I - VMSKEY : V0040490

Snort® IPS/IDS

Date Description
2014-01-10 HP System Management arbitrary command injection attempt
RuleID : 27105 - Revision : 6 - Type : SERVER-WEBAPP
2014-01-10 HP System Management arbitrary command injection attempt
RuleID : 27104 - Revision : 6 - Type : SERVER-WEBAPP
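
The Snort signature content is not reproduced on this page, but the same attack pattern is easy to hunt for in the SMH web server's own access logs. The following Python is an added example, not the Snort rule logic and not anything from HP: it parses constructed Apache combined-format log lines (the sample lines are made up for the demonstration), strips the query string, URL-decodes the path repeatedly, and flags requests that append an extra segment after `snmpchp`, `snmpchp.php` or `snmpchp.php.en` containing a shell operator. Treating `;`, backticks and `$(` as suspicious in addition to the `&&` from the report is my assumption; the report only says `/`, `<`, `>` and `|` are blocked.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format (assumption: SMH's access log looks like this).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)

# The vulnerable script, with or without ".php" and the language suffix,
# followed by at least one extra MultiViews path segment.
SNMPCHP_RE = re.compile(r'^/smhutil/snmpchp(?:\.php(?:\.[a-z]{2})?)?/(?P<extra>.+)$', re.I)

# Shell operators that still reach exec() per the report ("/", "<", ">", "|" are blocked).
# Assumption: ";", backticks and "$(" are treated as suspicious alongside "&&".
SHELL_OP_RE = re.compile(r'&&|;|`|\$\(')


def decode_path(target: str, rounds: int = 3) -> str:
    """Drop the query string and URL-decode until stable (double encoding is a common evasion)."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str):
    """Return an alert dict for a line that looks like CVE-2013-3576 exploitation, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("target"))
    hit = SNMPCHP_RE.match(path)
    if not hit:
        return None
    op = SHELL_OP_RE.search(hit.group("extra"))
    if not op:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path,
            "operator": op.group(0), "status": m.group("status")}


def scan(lines):
    """Run classify over an iterable of log lines and keep only the alerts."""
    return [alert for alert in map(classify, lines) if alert]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2013:09:12:01 +0000] "GET /smhutil/snmpchp.php.en HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Jun/2013:09:12:07 +0000] "GET /smhutil/snmpchp/&&whoami&&echo HTTP/1.1" 200 412',
    '10.0.0.9 - - [10/Jun/2013:09:13:44 +0000] "GET /smhutil/snmpchp.php.en/%26%26id%26%26echo HTTP/1.1" 200 398',
    '10.0.0.9 - - [10/Jun/2013:09:14:02 +0000] "GET /smhutil/snmpchp.php/%2526%2526id%2526%2526echo HTTP/1.1" 200 398',
    '10.0.0.7 - - [10/Jun/2013:09:15:10 +0000] "GET /cpqlogin.htm?a=1&&b=2 HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} {alert['operator']!r} in {alert['path']}")
```

The first sample line is a normal visit to the page and is ignored; the second is the plain payload from the report; the third and fourth are the same payload single- and double-URL-encoded, which is why decoding runs until the string stops changing; the last line carries `&&` only in the query string of an unrelated page and is correctly left alone.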

Metasploit Database

Date Description
2013-06-11 HP System Management Homepage JustGetSNMPQueue Command Injection

Nessus® Vulnerability Scanner

Date Description
2013-09-25 Name : The remote web server is affected by a command injection vulnerability.
File : hpsmh_ginkgosnmp_cmd_injection.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2020-05-23 13:17:16
  • Multiple Updates
2014-02-17 12:08:09
  • Multiple Updates
2013-08-08 21:20:47
  • Multiple Updates
2013-07-05 10:07:27
  • Multiple Updates
2013-06-17 17:21:05
  • Multiple Updates
2013-06-15 00:21:07
  • Multiple Updates
2013-06-11 17:18:04
  • First insertion