
[R1] HP System Management Homepage (SMH) Multiple Remote Stack Buffer Overflows

High

Synopsis

While developing detection plugins for the vulnerabilities disclosed by HP on 2016-03-15, Tenable discovered two issues that could allow remote code execution.

#1 - mod_smh_config.so /proxy/SetSMHData admin-group Parameter Handling Remote Stack Buffer Overflow

In the code that processes a POST request to the "/proxy/SetSMHData" endpoint, there is a stack buffer overflow condition that can be reached with attacker-supplied data. Exploitation requires a non-default SMH configuration in which:

  1. TrustedByAll configured
  2. No IP restrictions for the attacker
  3. Kerberos authorization not enabled

#2 - mod_smh_aa.so /Proxy/SSO TKN Parameter Handling Remote Stack Buffer Overflow

A second potential remote code execution vulnerability was found in a function that converts a hex string to binary bytes in mod_smh_aa.so. The exploit does not require authentication and can be launched against an SMH target with the default configuration. In the relevant code, sscanf() is called inside a loop to convert a user-supplied hex string into binary bytes and store them in a fixed-size (0x400-byte) buffer on the stack; because the loop does not check how many bytes it has written against the buffer size, an overly long input overflows the buffer. While this attack works against a default SMH installation, there are a few assumptions:

  • The target SMH is configured with "Trust by Certificate" Trust Mode; this is the default and is the most secure mode.
  • At least one certificate is installed under "Trusted Management Servers" in the SMH Web GUI. The certificates listed there are typically associated with HP Systems Insight Managers (SIM) for managing the system on which SMH is installed. You can manually import a PEM-formatted certificate on the "Trusted Management Servers" page, or you can fetch and import one from a SIM by specifying the host name or IP of the SIM in the "Server Name:" field on that page.
  • Note that a "Trust by Certificate" Trust Mode with at least one configured "Trusted Management Server" may be a likely SMH configuration.
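For comparison, an added example (not code from SMH or the advisory) of the safe version of the pattern described above: a hex-to-bytes decoder whose destination size is an explicit parameter, so a TKN-style value longer than the 0x400-byte buffer is rejected instead of written past its end. The function and buffer names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* The advisory describes a loop of the shape
 *     for (i = 0; hex[2*i]; i++) sscanf(&hex[2*i], "%2hhx", &buf[i]);
 * where buf is a fixed 0x400-byte stack buffer and i is never compared
 * against its size. The decoder below takes the size as a parameter and
 * refuses input that would not fit, as well as malformed hex. */

#define TKN_BUF_SIZE 0x400  /* buffer size named in the advisory */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;  /* not a hex digit */
}

/* Decode hex into out. Returns the number of bytes written, or -1 if the
 * string has odd length, contains a non-hex character, or would need
 * more than outlen bytes. Nothing is written on failure. */
long hex_to_bin(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex);
    if (n % 2 != 0) return -1;        /* odd length: malformed */
    if (n / 2 > outlen) return -1;    /* bound check done before the loop */
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]);
        int lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

/* Mirrors the advisory's scenario: decode a TKN-style parameter into a
 * 0x400-byte stack buffer. Overlong input yields -1 instead of an overflow. */
long decode_tkn(const char *tkn)
{
    unsigned char buf[TKN_BUF_SIZE];
    return hex_to_bin(tkn, buf, sizeof buf);
}
```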

Attack vector: To reach the vulnerable code, the attacker would need to:

  1. Send a POST request to https://[target]:2381/Proxy/SSO
  2. Specify a correct pair of HA and XE parameters in the POST request. HA is the hash algorithm used to compute the fingerprint of a certificate that will be used for SSO (Single Sign-On) authentication. XE is the fingerprint of the certificate. Together, HA and XE identify a certificate installed on SMH for a Trusted Management Server. A valid HA and XE can be obtained by sending a GET request to https://[target]:2381/Proxy/GetInstalledSsoCerts without authentication.
  3. Specify an overly long TKN parameter in the POST request to overflow the 0x400-byte stack buffer.
  4. Specify a KEY parameter that is the Unix time of the current time (this may not be required; not tested).

Sample PoC:

[jerboa@scallywag]$ curl -k -i https://192.168.37.19:2381/Proxy/GetInstalledSsoCerts
HTTP/1.1 200 OK
Date: Fri, 08 Apr 2016 18:25:13 GMT
Server: CompaqHTTPServer/9.9 HP System Management Homepage
[..]

Oh come on, surely you didn't expect us to give up the goods! Join one of our technical teams and you get exploits, benefits, and a salary!

Solution

HPE has released version 7.6.0, which resolves these two issues as well as many others reported by other researchers.

Disclosure Timeline

2016-04-16 - Issues discovered
2016-04-21 - Submitted to ZDI for consideration, case bmartin0011
2016-04-26 - ZDI offers $1500, we graciously accept
2016-05-09 - Vendor informed by ZDI
2016-10-26 - HP releases fix and HPSBMU03653 advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2016-32
Credit:
Tenable Network Security
CVSSv2 Base / Temporal Score:
9.4 / 7.4
CVSSv2 Vector:
(AV:N/AC:L/Au:N/C:N/I:C/A:C/E:POC/RL:OF/RC:C)
Affected Products:
HP System Management Homepage (SMH) 7.5.3.1, 7.5.4.3
Risk Factor:
High
Additional Keywords:
ZDI-CAN-3722, ZDI-CAN-3730, c05320149, HPSBMU03653

Advisory Timeline

2016-10-29 - [R1] Initial Release
