During the process of writing a detection plugin for CVE-2016-4372 / HP c05200601, Tenable discovered this additional issue. CVE-2016-4372 describes the deserialization of Java objects associated with the Apache Commons Collections library leading to remote code execution. There are a few affected HP products, but our interest was in "HPE iMC PLAT before 7.2 E0403P04". We installed and tested "iMC PLAT 7.2 E0403P06" on a Windows 7 box to investigate further. Note that the PoC written for this advisory is Windows-centric. Don't judge us. Additionally, to anyone who ever tries to install iMC in the future: the database has some very specific settings that have to be set, just 34 pages' worth.
Exploit Vector: RCE Through The Web Interface
While analyzing remotely reachable code, we were struck by an error in AccessMgrServlet.java. There is a common idiom in this code base to check if the client is logged in and, if not, throw a PlatformException. AccessMgrServlet does verify whether the client is logged in, but it ignores the result. Verbatim:
    public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        HttpSession session = request.getSession();
        OperatorLoginInfo operatorLoginInfo = null;
        try
        {
            operatorLoginInfo = OperatorLoginInfo.getLoginOperator(session);
            if (runLog.isTraceEnabled()) {
                runLog.trace("current operatorLoginInfo is " + operatorLoginInfo.getLoginName());
            }
        }
        catch (PlatformException e) {}   // "not logged in" is swallowed; operatorLoginInfo simply stays null
        try
        {
            // Generic type arguments were lost in extraction; a wildcard stands in for them here.
            Map<?, ?> resources = operatorLoginInfo == null ? null : operatorLoginInfo.getResources();
            // The request body is deserialized whether or not the login check above succeeded.
            ObjectInputStream is = new ObjectInputStream(request.getInputStream());
            Object o = is.readObject();
            // ... (remainder of the method not shown in the advisory)
Notice how, immediately after the "user isn't logged in" exception is ignored, we go straight to deserialization of an object. Nice for us! The URL to hit this code is /imc/fault/accessMgrServlet. The web server also has these libraries on the class path:
- Commons-Beanutils (RCE)
- Commons-FileUpload (Remote file manipulation)
- Jython (RCE)
- JSON-lib (RCE)
Unfortunately, we did not find any new gadgets, but we did write a PoC named exploit_accessMgrServlet.py to exercise these vulnerabilities (usage information is available in the header, if you are ZDI or the vendor. Sorry!).
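For comparison, here is how the doPost skeleton quoted above looks with both defects closed: the login check is enforced before the request body is read, and the stream is deserialized only through a class allowlist. This is an added example written for this page, not Tenable's PoC or HPE's code; it assumes the OperatorLoginInfo and PlatformException types seen in the snippet, a Java 9+ runtime for java.io.ObjectInputFilter, and a placeholder class name for whatever message type the endpoint actually expects.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hardened variant of the advisory's servlet (added example, not vendor code).
// OperatorLoginInfo and PlatformException are assumed to exist as in the iMC code base.
public class HardenedAccessMgrServlet extends HttpServlet {
    // Allowlist exactly the type this endpoint is meant to receive (placeholder name) and
    // reject every other class, so Commons-Collections/BeanUtils/JSON-lib/Jython gadget
    // chains never get instantiated. Size/depth limits bound resource use as well.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "com.example.placeholder.AccessMgrRequest;!*;maxdepth=5;maxrefs=100;maxbytes=65536");

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false); // do not mint a session for anonymous callers
        OperatorLoginInfo operatorLoginInfo;
        try {
            operatorLoginInfo = session == null ? null : OperatorLoginInfo.getLoginOperator(session);
        } catch (PlatformException e) {
            operatorLoginInfo = null; // "not logged in" is a failure, not something to swallow
        }
        // Fix 1: act on the result of the login check before touching the request body.
        if (operatorLoginInfo == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Fix 2: even for an authenticated caller, never deserialize an unfiltered stream.
        try (InputStream in = request.getInputStream();
             ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(FILTER);
            Object o = ois.readObject();
            // ... handle o as the original method does
        } catch (InvalidClassException e) {
            // Raised when the filter rejects a class; refuse the request rather than continuing.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        } catch (ClassNotFoundException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

Filter patterns are matched in order, so the allowed class must precede the `!*` reject-all entry; a rejected class surfaces as InvalidClassException before any constructor or readObject of the gadget runs.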