[R1] HP Intelligent Management Center (iMC) Platform /imc/fault/accessMgrServlet Java Deserialization Remote Code Execution

During the process of writing a detection plugin for CVE-2016-4372 / HP c05200601, Tenable discovered this additional issue. CVE-2016-4372 describes the deserialization of Java objects associated with the Apache Commons Collections library leading to remote code execution. There are a few affected HP products, but our interest was in "HPE iMC PLAT before 7.2 E0403P04". We installed and tested "iMC PLAT 7.2 E0403P06" on a Windows 7 box to investigate further. Note that the PoC written for this advisory is Windows-centric. Don't judge us. Additionally, to anyone who ever tries to install iMC in the future: the database has some very specific settings that have to be set, just 34 pages worth.

Exploit Vector: RCE Through The Web Interface

While analyzing remotely reachable code, we were struck by an error in AccessMgrServlet.java. There is a common idiom in this code base to check if the client is logged in, and if not, throw a ‘PlatformException’ error message. AccessMgrServlet does verify if the client is logged in or not, but it ignores the result. Verbatim:

  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException
  {
    HttpSession session = request.getSession();
    OperatorLoginInfo operatorLoginInfo = null;
    try
    {
      operatorLoginInfo = OperatorLoginInfo.getLoginOperator(session);
      if (runLog.isTraceEnabled()) {
        runLog.trace("current operatorLoginInfo is " + operatorLoginInfo.getLoginName());
      }
    }
    catch (PlatformException e) {}
    try
    {
      Map> resources = operatorLoginInfo == null ? null : operatorLoginInfo.getResources();
      ObjectInputStream is = new ObjectInputStream(request.getInputStream());
      Object o = is.readObject();

Notice how immediately after the "user isn’t logged in" exception is ignored we go straight to deserialization of an object. Nice for us! The URL to hit this code is /imc/fault/accessMgrServlet. The web server also has these libraries on the class path:

• Commons-Beanutils (RCE)
• Commons-FileUpload (Remote file manipulation)
• Jython (RCE)
• JSON-lib (RCE)

Unfortunately, we did not find any new gadgets, but did write a PoC named exploit_accessMgrServlet.py, to exercise these vulnerabilities (usage information is available in the header, if you are ZDI or the vendor. Sorry!).