Synopsis
Tenable has discovered multiple vulnerabilities in HPE Intelligent Management Center 7.3 E0605 Standard.
Dbman Opcode 10002 Arbitrary Backup
A remote unauthenticated attacker may trigger a backup of iMC by sending a crafted opcode 10002 message to the dbman service over TCP port 2810. The vulnerability exists within the processing of AsnPlatManualBackupReqContent ASN.1 messages: the attacker controls the backupDir parameter, which specifies the destination path to which the backup is written. For the attack to be possible, the Intelligent Deployment Monitoring Agent must have been configured for backups, which is highly likely given that regular backups are standard practice. A successful exploit sets backupDir to a location on disk that is externally accessible. By default, the iMC web application listens on HTTP port 8080 and its noAuth web directory is externally accessible, so an attacker could specify the absolute path of the noAuth directory and subsequently download the backup files.
Below is a list of files produced by the backup process. Note that the timestamp component varies with each run.
- [email protected]_db_imc_aclm_db_20180614_163110_full.db
- plat_20180614_163110.zip
- [email protected]_db_imc_config_db_20180614_163110_full.db
- icc_20180614_163110.zip
- [email protected]_db_imc_inventory_db_20180614_163110_full.db
- [email protected]_db_imc_icc_db_20180614_163110_full.db
- perf_20180614_163110.zip
- [email protected]_db_imc_perf_db_20180614_163110_full.db
- [email protected]_db_imc_monitor_db_20180614_163110_full.db
- report_20180614_163110.zip
- dbman_20180614_163110.conf
- db_catalog_20180614_163110.dat.ok
- db_catalog_20180614_163110.dat
- [email protected]_db_imc_vxlan_db_20180614_163110_full.db
- [email protected]_db_imc_vnm_db_20180614_163110_full.db
- [email protected]_db_vlan_db_20180614_163110_full.db
- [email protected]_db_imc_syslog_db_20180614_163110_full.db
- [email protected]_db_reportplat_db_20180614_163110_full.db
Dbman Opcode 10003 ‘Filename’ Denial of Service
A crafted AsnPlatManualRestoreReqContent ASN.1 message can cause a denial of service condition in the dbman service. These messages contain sequences of the AsnPlatManualRestoreItem type. By sending a restore item with a crafted fileName field value, the service can be forced to restart.
More specifically, the std::basic_string::substr() function is called on this field, and if the value is too short, an unhandled std::out_of_range exception occurs and the process crashes. The service performs a subtraction (sub eax, 17h) on a value derived from the field and passes the result to substr(); when EAX goes negative it is interpreted as a very large unsigned argument, and the exception is thrown. See the assembly instructions below:
.text:004201C1 sub     eax, 17h
.text:004201C4 push    eax
.text:004201C5 lea     ecx, [ebp+var_5C]
.text:004201C8 push    ecx
.text:004201C9 lea     ecx, [ebp+var_78]
.text:004201CC call    ds:[imported substr, decorated name not recoverable] ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(uint,uint)
Below is a stack trace generated by WinDbg when the crash occurs:
0189ef28 7321df60 KERNELBASE!RaiseException+0x58
0189ef60 732a4833 MSVCR90!CxxThrowException+0x48
0189efd0 73276344 MSVCP90!std::_String_base::_Xran+0x37
0189efe4 732770df MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x1a
0189effc 73277597 MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >+0x26
0189f018 004201d2 MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::substr+0x1d
0189f6c4 0046506b dbman+0x201d2
0189ff0c 72901004 dbman+0x6506b
0189ff44 731e3433 ACE_v6!ACE_OS_Thread_Adapter::invoke+0x74
0189ff7c 731e34c7 MSVCR90!endthreadex+0x44
0189ff88 768d33aa MSVCR90!endthreadex+0xd8
0189ff94 76f89f72 KERNEL32!BaseThreadInitThunk+0x12
0189ffd4 76f89f45 ntdll_76f50000!RtlInitializeExceptionChain+0x63
0189ffec 00000000 ntdll_76f50000!RtlInitializeExceptionChain+0x36
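Added example, not dbman's own source: a constructed C++ stand-in for the substr() call above, showing why a short fileName takes the service down, beside a length-checked version that rejects the restore item instead. It assumes EAX is the start position passed to substr(), i.e. that the code takes the trailing 0x17 bytes of the field.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Amount subtracted from the field length before substr(), taken from the
// "sub eax, 17h" instruction in the disassembly above.
constexpr int kTailLen = 0x17;

// Vulnerable pattern (a constructed stand-in for the dbman code path, not
// its actual source): the offset is computed in a signed register and then
// handed to substr(), which takes an unsigned size_t. A fileName shorter
// than 0x17 bytes makes the offset negative, which becomes a huge unsigned
// position, and substr() throws std::out_of_range. In dbman the exception
// is unhandled, so the process crashes.
std::string tail_unchecked(const std::string& fileName) {
    int pos = static_cast<int>(fileName.size()) - kTailLen;  // EAX after the sub
    return fileName.substr(static_cast<std::size_t>(pos));   // throws when pos < 0
}

// Hardened form: check the field length before computing the offset and
// report a malformed restore item instead of letting the exception escape.
bool tail_checked(const std::string& fileName, std::string& out) {
    if (fileName.size() < static_cast<std::size_t>(kTailLen)) {
        out.clear();
        return false;  // reject the item; the service keeps running
    }
    out = fileName.substr(fileName.size() - kTailLen);
    return true;
}

// Reports whether the unchecked path throws for a given fileName, i.e.
// whether that value would reproduce the crash condition.
bool unchecked_throws(const std::string& fileName) {
    try {
        (void)tail_unchecked(fileName);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```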
JMX Insecure Config Unauthenticated Remote Code Execution
iMC's JMX service, which listens on TCP port 9091 on all interfaces by default, is vulnerable to remote code execution. Additionally, the process runs with SYSTEM privileges. This vulnerability can be exploited without authentication.
Specifically, the vulnerability exists due to JMX being configured to start without requiring authentication. The startup configuration is defined in C:\Program Files\iMC\client\bin\startup.bat. JMX is configured to require SSL; however, the client is not authenticated.
The vulnerability can be exploited programmatically in the following manner:
- Store the JMX server certificate in a Java keystore (the certificate can be retrieved remotely).
- Connect to JMX/RMI over TCP port 9091.
- Register a new MBean that instantiates the class javax.management.loading.MLet.
- Invoke the addURL() method on this MBean, passing a URL to an attacker-controlled JAR file that contains a custom MBean.
- The custom MBean defined in the attacker-controlled JAR can now be instantiated.
- Instantiate the attacker MBean; the attacker-defined Java code is executed.
Dbman Opcode 10001 Information Disclosure
An information disclosure vulnerability exists within the processing of AsnPlatRemoteDiskDirReqContent ASN.1 messages. By sending these messages, an attacker is able to map out the file system and discover the existence of all files and directories. This is read-only.
An iMC class named RemoteFileChooser is defined within C:\Program Files\iMC\deploy\deploy.jar. This class implements a user interface that lets a user browse a remote file system using the dbman protocol.
The proof of concept (PoC) Java program below demonstrates the issue; it simply uses the RemoteFileChooser class. After running the program, a file-browser user interface appears.
package imc_poc;

import com.h3c.imc.deploy.dma.RemoteFileChooser;

public class Runit {
    public static void main(String[] args) {
        RemoteFileChooser chooser = new RemoteFileChooser(null, "192.168.1.192");
        chooser.setPath("C:\\");
        chooser.openRemoteFileChooserDialog();
    }
}
JMX Insecure Configuration Unauthenticated Remote Information Disclosure
An information disclosure vulnerability was discovered in HPE iMC's JMX service, which listens on TCP port 9091 on all interfaces by default. This vulnerability can be exploited remotely, without authentication.
Specifically, the vulnerability exists due to JMX being configured to start without requiring authentication. The startup configuration is defined in C:\Program Files\iMC\client\bin\startup.bat. JMX is configured to require SSL; however, the client is not authenticated. Because of this, an unauthenticated attacker is able to initiate a JConsole session. Sensitive information may be read using this client.
The vulnerability can be exploited in the following manner:
- Store the JMX server certificate in a Java keystore (the certificate can be retrieved remotely).
- Connect to JMX/RMI over TCP port 9091 using 'jconsole'.
- A user interface is now available to inspect Java memory, threads, classes, the VM summary, and MBeans.
- In particular, the startup command listed above can be viewed in the VM Summary tab. Note that this contains the keystore password in plain text.
Dbman Opcode 10014 Unauthenticated 'kill' Denial of Service
The dbman service can be halted by sending a “kill” message. Opcode 10014 messages are processed without authentication, and once such a message is processed the dbman.exe process promptly restarts. This appears to be intended functionality, as no crash occurs; regardless, a remote unauthenticated attacker may cause a denial of service.
Below are the log entries written to dbman_debug.log:
2018-07-10 09:44:34 [DEBUG] [My_Accept_Handler::handle_input] Connection established 192.168.1.191
2018-07-10 09:44:34 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10014
2018-07-10 09:44:34 [ERROR] [CDataConnStreamQueueT::deal_msg] reveive kill msg:g_Restoring 0;g_Backupping 0.
2018-07-10 09:44:34 [DEBUG] [CommandMain] Stop CommandMain()
2018-07-10 09:44:34 [INFO] [JoinCommandThread] Begin to join command thread
2018-07-10 09:44:34 [DEBUG] [JoinCommandThread] Join command thread success
2018-07-10 09:44:34 [INFO] [JoinCommandThread] Stop successfully!
2018-07-10 09:44:34 [INFO] [DBMAN] Stop successfully!
2018-07-10 09:44:38 [INFO] [Main] Version: 7.3
2018-07-10 09:44:38 [INFO] [Main] Global directory: C:/Program Files/iMC/dbman
2018-07-10 09:44:38 [INFO] [Main] Listenning on port: 2810
2018-07-10 09:44:38 [DEBUG] [Main] arv count 1
2018-07-10 09:44:38 [DEBUG] [Main] arv 1: dbman.exe
2018-07-10 09:44:38 [INFO] [Client::connect_to_server] Starting connect to 127.0.0.1: 2810
2018-07-10 09:44:39 [DEBUG] [Client::connect_to_server] errno: 10061, strerror: connection refused
2018-07-10 09:44:39 [ERROR] [Client::connect_to_server] Connection failed
2018-07-10 09:44:39 [ERROR] [Client::send_echo_msg] Connect to server fail
2018-07-10 09:44:39 [DEBUG] [CreateCommandThread] Succeed to create command process thread .
2018-07-10 09:44:39 [DEBUG] [CommandMain] Start CommandMain()
2018-07-10 09:44:41 [INFO] [DBMAN] Startup successfully!
2018-07-10 09:44:41 [DEBUG] [NormalRun] Begin excute NormalRun
2018-07-10 09:44:41 [INFO] [NormalRun] MaxLogSize = 10485760
2018-07-10 09:44:41 [INFO] [NormalRun] ServerCount = -1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 127.0.0.1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 192.168.1.192
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 127.0.0.1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: fe80::e5d6:4a87:8ba6:ea82%11
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: fe80::c3e:32a5:3f57:fe3f%13
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 2001:0:5cf2:8c15:c3e:32a5:3f57:fe3f
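Added example, not part of the advisory: a C++ detector that runs over dbman_debug.log lines in the format above and flags the unauthenticated dbman opcodes described in this advisory (10001, 10002, 10003 and 10014) when they arrive from a non-loopback peer. It assumes deal_msg logs every command code in the same "Receive command code: N" form as the 10014 entry and that one connection's lines are contiguous; the sample log lines are constructed.

```cpp
#include <algorithm>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample in the dbman_debug.log format shown above: a loopback
// connection sending opcode 10001, then a remote peer sending opcode 10014.
const std::string kSampleLog =
    "2018-07-10 09:44:30 [DEBUG] [My_Accept_Handler::handle_input] Connection established 127.0.0.1\n"
    "2018-07-10 09:44:30 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10001\n"
    "2018-07-10 09:44:34 [DEBUG] [My_Accept_Handler::handle_input] Connection established 192.168.1.191\n"
    "2018-07-10 09:44:34 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10014\n"
    "2018-07-10 09:44:34 [ERROR] [CDataConnStreamQueueT::deal_msg] reveive kill msg:g_Restoring 0;g_Backupping 0.\n";

struct Alert { std::string time, peer; int opcode; };

// Opcodes this advisory documents as reachable without authentication.
const std::vector<int> kWatched = {10001, 10002, 10003, 10014};

// Single pass over the log: remember the peer of the most recent
// "Connection established" line and raise an alert for every watched
// opcode that follows it from a non-loopback address. Assumes that
// deal_msg logs every command code in the "Receive command code: N" form
// shown above and that a connection's lines are not interleaved.
std::vector<Alert> detect(const std::string& log) {
    static const std::regex conn(R"(^(\S+ \S+) .*Connection established (\S+))");
    static const std::regex cmd(R"(^(\S+ \S+) .*Receive command code: (\d+))");
    std::vector<Alert> alerts;
    std::string peer, line;
    std::istringstream in(log);
    while (std::getline(in, line)) {
        std::smatch m;
        if (std::regex_search(line, m, conn)) {
            peer = m[2].str();
            continue;
        }
        if (!std::regex_search(line, m, cmd)) continue;
        int op = std::stoi(m[2].str());
        bool watched = std::find(kWatched.begin(), kWatched.end(), op) != kWatched.end();
        bool loopback = peer == "127.0.0.1" || peer == "::1";
        if (watched && !peer.empty() && !loopback) {
            alerts.push_back({m[1].str(), peer, op});
        }
    }
    return alerts;
}
```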
Solution
Additional References
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]