CVE-2011-0276
Published 2011-02-02
Priority P2 · 77 · CVSS 2.0 base score 10 (critical) · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS 82.43% (99.6th percentile)
HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.servlet.HelpManagerServlet class.
Affected (5 ranges; versions as enumerated in the CVE description, no fixed version listed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | openview_performance_insight | 5.2 | — |
| hp | openview_performance_insight | 5.3 | — |
| hp | openview_performance_insight | 5.31 | — |
| hp | openview_performance_insight | 5.4 | — |
| hp | openview_performance_insight | 5.41 | — |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /reports/helpmanager carrying a Basic Authentication header with the hardcoded backdoor credential 'hch908v:z6t0j$+i' (Base64: aGNoOTA4djp6NnQwaiQraQ==)
- Detect multipart/form-data POST requests to /reports/helpmanager: exploitation uploads a JSP payload file to the server via HelpManagerServlet
- After upload, the attacker triggers the JSP payload via an HTTP GET to /help/<random_dir>/<random>.jsp; monitor for GET requests to /help/ paths with a .jsp extension that follow a POST to /reports/helpmanager
- Server fingerprinting: the exploit targets servers returning 'Apache-Coyote' in HTTP response headers; scope detection to HP OpenView Performance Insight servers with this header
- The backdoor account is hardcoded in the Java class com.trinagy.security.XMLUserManager with username 'hch908v' and an encrypted password derived from 'z6t0j$+i'; alert on any authentication using this username
- Caveat: the Metasploit module was only validated against version 5.41.0; exploitation behaviour against the other affected versions (5.2, 5.3, 5.31, 5.4) may differ
- Caveat: the module targets Windows platforms only (Platform => 'win') with a Java architecture payload; Linux and other OS deployments may not be exploitable via this specific module
No detection rules found.
Exploit-DB
HP OpenView Performance Insight Server - Backdoor Account Code Execution (Metasploit)
exploitdb · 2011-03-15 · CVE-2011-0276
---
```ruby
##
# $Id: hp_openview_insight_backdoor.rb 11969 2011-03-15 21:56:11Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # Only servers whose HTTP responses carry an Apache-Coyote header are targeted
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP OpenView Performance Insight Server Backdoor Account Code Execution',
      'Description' => %q{
        This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java
        class. When using this
```

Metasploit
HP OpenView Performance Insight Server Backdoor Account Code Execution
This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system, allowing the execution of arbitrary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0.
No writeups or analysis indexed.
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453
- http://osvdb.org/70754
- http://secunia.com/advisories/43145
- http://securityreason.com/securityalert/8136
- http://www.exploit-db.com/exploits/16984
- http://www.securityfocus.com/archive/1/516093/100/0/threaded
- http://www.securityfocus.com/bid/46079
- http://www.securitytracker.com/id?1025014
- http://www.vupen.com/english/advisories/2011/0258
- http://www.zerodayinitiative.com/advisories/ZDI-11-034
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65038