
[R1] HP System Management Homepage (SMH) Multiple Remote Stack Buffer Overflows

High

Synopsis

While developing detection plugins for the vulnerabilities disclosed by HP on 2016-03-15, Tenable discovered two issues that could allow remote code execution.

#1 - mod_smh_config.so /proxy/SetSMHData admin-group Parameter Handling Remote Stack Buffer Overflow

In the code that processes a POST request to the "/proxy/SetSMHData" endpoint, there is a stack buffer overflow that can be reached with attacker-supplied data. Exploitation requires a non-default SMH configuration that includes:

  1. TrustedByAll configured
  2. No IP restrictions for the attacker
  3. Kerberos authorization not enabled

#2 - mod_smh_aa.so /Proxy/SSO TKN Parameter Handling Remote Stack Buffer Overflow

A second potential remote code execution vulnerability was found in a function that converts a hex string to binary bytes in mod_smh_aa.so. The exploit does not require authentication and can be launched against an SMH target with the default configuration. In the relevant code, sscanf() is called inside a loop to convert a user-supplied hex string into binary bytes and store the converted bytes in a fixed-size (0x400) buffer on the stack, resulting in a stack buffer overflow. While this attack works against a default SMH installation, there are a few assumptions:

  • The target SMH is configured with "Trust by Certificate" Trust Mode; this is the default and is the most secure mode.
  • At least one certificate is installed under "Trusted Management Servers" in the SMH Web GUI. The certificates listed there are typically associated with HP Systems Insight Managers (SIM) for managing the system on which SMH is installed. You can manually import a PEM-formatted certificate on the "Trusted Management Servers" page, or you can fetch and import one from a SIM by specifying the host name or IP of the SIM in the "Server Name:" field on that page.
  • Note that a "Trust by Certificate" Trust Mode with at least one configured "Trusted Management Server" may be a likely SMH configuration.
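As an added illustration of the failure mode described above (this is example code written for this page, not HPE's code and not Tenable's), here is a hex-to-bytes conversion written the way such a routine should be: the caller passes the destination capacity and the function rejects input that would not fit before writing anything. The 0x400 capacity mirrors the buffer size quoted in the advisory; the function names are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Destination capacity; 0x400 mirrors the buffer size quoted in the advisory. */
#define TOKEN_BUF_SIZE 0x400

/* Decode one hex digit, or return -1 if the character is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Convert a hex string into bytes stored in out[0 .. out_cap).
 * Returns the number of bytes written, or -1 for odd-length input, a
 * non-hex character, or input needing more than out_cap bytes.
 * The bound is checked before any write; a loop of the form
 * sscanf(p, "%2hhx", &buf[i++]) with no such check is the pattern
 * the advisory describes.
 */
long hex_to_bytes(const char *hex, unsigned char *out, size_t out_cap)
{
    size_t len = strlen(hex);
    if (len % 2 != 0) return -1;
    if (len / 2 > out_cap) return -1;   /* reject before touching out[] */
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_val((unsigned char)hex[i]);
        int lo = hex_val((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(len / 2);
}

/* Decode into a fixed-size stack buffer; returns decoded length or -1. */
long decode_token(const char *hex)
{
    unsigned char buf[TOKEN_BUF_SIZE];
    return hex_to_bytes(hex, buf, sizeof buf);
}

/* Constructed input: a token of n_hex hex digits (all 'a'); returns decoded length or -1. */
long decode_constructed_token(size_t n_hex)
{
    static char hex[2 * TOKEN_BUF_SIZE + 16];
    if (n_hex >= sizeof hex) return -1;
    memset(hex, 'a', n_hex);
    hex[n_hex] = '\0';
    return decode_token(hex);
}
```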

Attack vector: To reach the vulnerable code, the attacker would need to:

  1. Send a POST request to https://[target]:2381/Proxy/SSO
  2. Specify a correct pair of HA and XE parameters in the POST request. HA is the hash algorithm used to compute the fingerprint of a certificate that will be used for SSO (Single Sign-On) authentication. XE is the fingerprint of the certificate. Together, HA and XE identify a certificate installed on SMH for a Trusted Management Server. A valid HA and XE can be obtained by sending a GET request to https://[target]:2381/Proxy/GetInstalledSsoCerts without authentication.
  3. Specify an overly long TKN parameter in the POST request to overflow the 0x400-byte stack buffer.
  4. Specify a KEY parameter containing the current Unix time (this may not be required; not tested).

Sample PoC:

[jerboa@scallywag]$ curl -k -i https://192.168.37.19:2381/Proxy/GetInstalledSsoCerts
HTTP/1.1 200 OK
Date: Fri, 08 Apr 2016 18:25:13 GMT
Server: CompaqHTTPServer/9.9 HP System Management Homepage
[..]

Oh come on, surely you didn't expect us to give up the goods! Join one of our technical teams and you get exploits, benefits, and a salary!

Solution

HPE has released version 7.6.0, which resolves these two issues along with many others reported by other researchers.

Disclosure Timeline

2016-04-16 - Issues discovered
2016-04-21 - Submitted to ZDI for consideration, case bmartin0011
2016-04-26 - ZDI offers $1500, we graciously accept
2016-05-09 - Vendor informed by ZDI
2016-10-26 - HP releases fix and HPSBMU03653 advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email advisories@tenable.com