search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

HP System Management Homepage contains a command injection vulnerability

Vulnerability Note VU#735364

Original Release Date: 2013-06-11 | Last Revised: 2013-09-24

Overview

HP System Management Homepage contains a command injection vulnerability (CWE-77) that may result in arbitrary command execution and privilege escalation.

Description

Markus Wulftange from Daimler TSS reports:

      The vulnerability is located in the `ginkgosnmp.inc` PHP file in the `C:\hp\hpsmh\data\smhutil` or `/opt/hp/hpsmh/data/smhutil` directory, respectively. Inside the `ginkgosnmp.inc` script, the last path segment of the current requested URL path is used in a `exec` call without proper escaping:

      $tempfilename = "$sessiondir/" . substr($_SERVER["SCRIPT_URL"], 1 + strrpos($_SERVER["SCRIPT_URL"], '/')) . uniqid(".", true) . time() . ".txt";

      [...]

      if("Linux" == PHP_OS)
      $cmd = "../../webapp-data/webagent/csginkgo -f$tempfilename";
      else
      {
      $windrive = substr( $_SERVER["WINDIR"], 0, 2 );
      $cmd = "$windrive\\hp\\hpsmh\\data\\smhutil\\csginkgo.exe -f$tempfilename";
      }

      exec( $cmd, $out );

      This script is reachable via the URL path `https://<host>:2381/smhutil/snmpchp.php.en`. Due to [Apache’s *MultiViews*] [2] it can also be referenced with any additional path segments after the `snmpchp.php.en` segment: `https://<host>:2381/smhutil/snmpchp.php.en/foo/bar` still triggers `https://<host>:2381/smhutil/snmpchp.php.en` but `$_SERVER["SCRIPT_URL"]` is `https://<host>:2381/smhutil/snmpchp.php.en/foo/bar`. This can be exploited as follows:

      https://<host>:2381/smhutil/snmpchp.php.en/&&<cmd>&&echo (full file name)
      https://<host>:2381/smhutil/snmpchp.php/&&<cmd>&&echo (without "en" language indicator)
      https://<host>:2381/smhutil/snmpchp/&&<cmd>&&echo (without any file name extension)

      Besides the path segment separator `/`, the characters `<`, `>`, and `|` are also not allowed, which makes exploiting this vulnerability a little hard.

      https://<host>:2381/smhutil/snmpchp/&&whoami&&echo

Impact

A remote authenticated user may be able to run arbitrary commands on the HP System Management Homepage server.

Solution

Apply an Update
HP System Management Homepage (SMH) version 7.2.2 and later address this vulnerability. If you cannot upgrade for whatever reason, please consider the following workarounds.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information

735364
 
Expand all

Hewlett-Packard Company Affected

Notified:  April 19, 2013 Updated: June 10, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 9 AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal 8.5 E:H/RL:W/RC:C
Environmental 6.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-3576
Date Public: 2013-06-10
Date First Published: 2013-06-11
Date Last Updated: 2013-09-24 14:18 UTC
Document Revision: 19

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis