[R2] HPE Intelligent Management Center Multiple Vulnerabilities

Tenable has discovered multiple vulnerabilities in HPE Intelligent Management Center 7.3 E0605 Standard.

Dbman Opcode 10002 Arbitrary Backup

A remote unauthenticated attacker may trigger a backup of iMC by sending a crafted opcode 10002 message to the dbman service over TCP port 2810. The vulnerability exists within the processing of AsnPlatManualBackupReqContent ASN.1 messages. An attacker may populate the backupDir parameter to specify the destination path to which the backup will be made. In order for an attack to be possible, the Intelligent Deployment Monitoring Agent must have been configured for backups. This scenario is highly likely based on best practices related to performing backups. A successful exploit can be accomplished by setting the backupDir to point to a location on disk that is externally accessible. By default, the iMC web application listens on HTTP port 8080, and the noAuth web directory is externally accessible. Therefore, an attacker could specify the absolute path to the noAuth directory and subsequently download the backup files.

Below is a list of files that are produced by the backup process. Note that the timestamp is subject to change.

• [email protected]_db_imc_aclm_db_20180614_163110_full.db
• plat_20180614_163110.zip
• [email protected]_db_imc_config_db_20180614_163110_full.db
• icc_20180614_163110.zip
• [email protected]_db_imc_inventory_db_20180614_163110_full.db
• [email protected]_db_imc_icc_db_20180614_163110_full.db
• perf_20180614_163110.zip
• [email protected]_db_imc_perf_db_20180614_163110_full.db
• [email protected]_db_imc_monitor_db_20180614_163110_full.db
• report_20180614_163110.zip
• dbman_20180614_163110.conf
• db_catalog_20180614_163110.dat.ok
• db_catalog_20180614_163110.dat
• [email protected]_db_imc_vxlan_db_20180614_163110_full.db
• [email protected]_db_imc_vnm_db_20180614_163110_full.db
• [email protected]_db_vlan_db_20180614_163110_full.db
• [email protected]_db_imc_syslog_db_20180614_163110_full.db
• [email protected]_db_reportplat_db_20180614_163110_full.db

Dbman Opcode 10003 ‘Filename’ Denial of Service

A crafted AsnPlatManualRestoreReqContent ASN.1 message can cause a denial of service condition in the dbman service. These messages contain sequences of the AsnPlatManualRestoreItem type. By sending a restore item with a crafted fileName field value, the service can be forced to restart.

More specifically, the std::basic_string::substr() function is called on this field, and if the value is too small, an unhandled std::out_of_range exception occurs, causing the process to crash. This is due to a calculation that is made, which is then passed as an argument to substr(). Ultimately, when EAX is negative, the exception will occur. See the assembly instructions below:

.text:004201C1                 sub     eax, 17h
.text:004201C4                 push    eax
.text:004201C5                 lea     ecx, [ebp+var_5C]
.text:004201C8                 push    ecx
.text:004201C9                 lea     ecx, [ebp+var_78]
.text:004201CC                 call    ds:[email protected][email protected][email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(uint,uint)

Below is a stack trace generated by WinDbg when the crash occurs:

0189ef28 7321df60 KERNELBASE!RaiseException+0x58
0189ef60 732a4833 MSVCR90!CxxThrowException+0x48
0189efd0 73276344 MSVCP90!std::_String_base::_Xran+0x37
0189efe4 732770df MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x1a
0189effc 73277597 MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >+0x26
0189f018 004201d2 MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::substr+0x1d
0189f6c4 0046506b dbman+0x201d2
0189ff0c 72901004 dbman+0x6506b
0189ff44 731e3433 ACE_v6!ACE_OS_Thread_Adapter::invoke+0x74
0189ff7c 731e34c7 MSVCR90!endthreadex+0x44
0189ff88 768d33aa MSVCR90!endthreadex+0xd8
0189ff94 76f89f72 KERNEL32!BaseThreadInitThunk+0x12
0189ffd4 76f89f45 ntdll_76f50000!RtlInitializeExceptionChain+0x63
0189ffec 00000000 ntdll_76f50000!RtlInitializeExceptionChain+0x36

JMX Insecure Config Unauthenticated Remote Code Execution

iMC's JMX service, which listens on TCP port 9091 on all interfaces by default is vulnerable to remote code execution. Additionally, the process runs with SYSTEM privileges. This vulnerability can be exploited without authentication.

Specifically, the vulnerability exists due to JMX being configured to start without requiring authentication. The startup configuration is defined in C:\Program Files\iMC\client\bin\startup.bat. JMX is configured to require SSL; however, the client is not authenticated.

The vulnerability can be exploited programmatically in the following manner:

1. Store JMX server certificate in Java keystore. (Note: this can be retrieved remotely)
2. Connect to JMX/RMI over TCP port 9091.
3. A new MBean is registered, instantiating the class javax.management.loading.MLet.
4. Using this MBean, the addURL() method is invoked. A URL pointing to an attacker-controlled JAR file is specified, which contains a custom MBean.
5. Now, the custom MBean defined in the attacker-controlled JAR is able to be instantiated.
6. Attacker MBean is instantiated, and attacker-defined Java code is executed.

Dbman Opcode 10001 Information Disclosure

An information disclosure vulnerability exists within the processing of AsnPlatRemoteDiskDirReqContent ASN.1 messages. By sending these messages, an attacker is able to map out the file system and discover the existence of all files and directories. This is read-only.

An iMC class named RemoteFileChooser is defined within C:\Program Files\iMC\deploy\deploy.jar. This class has implemented a user interface which allows the user to browse a remote file system using the dbman protocol.

A proof of concept (PoC) Java program has been provided below to demonstrate exploitation. Note that the PoC simply makes use of the RemoteFileChooser class. After running the program, a user interface will appear.

package imc_poc;
 
import com.h3c.imc.deploy.dma.RemoteFileChooser;
 
public class Runit {
 
	public static void main(String[] args) {
		RemoteFileChooser chooser = new RemoteFileChooser(null, "192.168.1.192");
		chooser.setPath("C:\\");
		chooser.openRemoteFileChooserDialog();
	}
}

JMX Insecure Configuration Unauthenticated Remote Information Disclosure

An information disclosure vulnerability was discovered in HPE iMC's JMX service, which listens on TCP port 9091 on all interfaces by default. This vulnerability can be exploited remotely, without authentication.

Specifically, the vulnerability exists due to JMX being configured to start without requiring authentication. The startup configuration is defined in C:\Program Files\iMC\client\bin\startup.bat. JMX is configured to require SSL; however, the client is not authenticated. Because of this, an unauthenticated attacker is able to initiate a JConsole session. Sensitive information may be read using this client.

The vulnerability can be exploited in the following manner:

1. Store JMX server certificate in Java keystore. (Note: this can be retrieved remotely)
2. Connect to JMX/RMI over TCP port 9091 using 'jconsole'.
3. A user interface is now available to inspect Java Memory, Threads, Classes, VM Summary, and MBeans.
4. In particular, the startup command listed above can be viewed in the VM Summary tab. Note that this contains the keystore password in plain text.

Dbman Opcode 10014 Unauthenticated 'kill' Denial of Service

The dbman service can be halted by sending a “kill” message. Opcode 10014 messages are processed without authentication. Once this type of message is processed, the dbman.exe process promptly reboots. This appears to be the intended functionality, as no crash occurs. Regardless of the intended behavior, a remote unauthenticated attacker may cause a denial of service.

Below are the log entries written to dbman_debug.log:

2018-07-10 09:44:34 [DEBUG] [My_Accept_Handler::handle_input] Connection established 192.168.1.191
2018-07-10 09:44:34 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10014
2018-07-10 09:44:34 [ERROR] [CDataConnStreamQueueT::deal_msg] reveive kill msg:g_Restoring 0;g_Backupping 0.
2018-07-10 09:44:34 [DEBUG] [CommandMain] Stop CommandMain()
2018-07-10 09:44:34 [INFO] [JoinCommandThread] Begin to join command thread
2018-07-10 09:44:34 [DEBUG] [JoinCommandThread] Join command thread success
2018-07-10 09:44:34 [INFO] [JoinCommandThread] Stop successfully!
2018-07-10 09:44:34 [INFO] [DBMAN] Stop successfully!
2018-07-10 09:44:38 [INFO] [Main] Version: 7.3
2018-07-10 09:44:38 [INFO] [Main] Global directory: C:/Program Files/iMC/dbman
2018-07-10 09:44:38 [INFO] [Main] Listenning on port: 2810
2018-07-10 09:44:38 [DEBUG] [Main] arv count 1
2018-07-10 09:44:38 [DEBUG] [Main] arv 1: dbman.exe
2018-07-10 09:44:38 [INFO] [Client::connect_to_server] Starting connect to 127.0.0.1: 2810
2018-07-10 09:44:39 [DEBUG] [Client::connect_to_server] errno: 10061, strerror: connection refused
2018-07-10 09:44:39 [ERROR] [Client::connect_to_server] Connection failed
2018-07-10 09:44:39 [ERROR] [Client::send_echo_msg] Connect to server fail
2018-07-10 09:44:39 [DEBUG] [CreateCommandThread] Succeed to create command process thread .
2018-07-10 09:44:39 [DEBUG] [CommandMain] Start CommandMain()
2018-07-10 09:44:41 [INFO] [DBMAN] Startup successfully!
2018-07-10 09:44:41 [DEBUG] [NormalRun] Begin excute NormalRun
2018-07-10 09:44:41 [INFO] [NormalRun] MaxLogSize = 10485760
2018-07-10 09:44:41 [INFO] [NormalRun] ServerCount = -1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 127.0.0.1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 192.168.1.192
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 127.0.0.1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: fe80::e5d6:4a87:8ba6:ea82%11
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: fe80::c3e:32a5:3f57:fe3f%13
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 2001:0:5cf2:8c15:c3e:32a5:3f57:fe3f