CVE-2011-4166
Published 2011-12-27
Priority P271, high, CVSS 2.0 score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 62.61% (99.1th percentile)
Directory traversal vulnerability in the MPAUploader.Uploader.1.UploadFiles method in HP Managed Printing Administration before 2.6.4 allows remote attackers to create arbitrary files via crafted form data.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | managed_printing_administration | <= 2.6.3 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /hpmpa/jobAcct/Default.asp with multipart/form-data containing directory traversal sequences (e.g., '..\..') and a null byte (\x00) in the filename field of the upload part.
- Look for multipart form-data POST requests to /hpmpa/jobAcct/Default.asp with query parameters 'userId' and 'jobId', which are used by the exploit to trigger the vulnerable UploadFiles() function.
- Detect HTTP responses from /hpmpa/home/Default.asp containing 'HP Managed Printing Administration' and a version string matching 'v' followed by a version number; this is used by the exploit's check method to fingerprint vulnerable targets.
- Alert on file creation attempts in wwwroot subdirectories via the MPAUploader.Uploader.1 ActiveX control, particularly .asp files written through null-byte-terminated filenames (e.g., payload.asp\x00.tmp).
- Exploitation requires a writable path accessible under the Internet Guest Account (IUSR_*) or Everyone, AND the path must be web-accessible (under wwwroot). Exploitation will fail if neither condition is met.
- The exploit cannot overwrite an existing file with the same name as the payload; re-exploitation to the same filename will fail.
- The Metasploit module targets HP Managed Printing Administration 2.6.3 and prior on Windows XP SP3 or Server 2003 SP2 specifically.
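The first two request-side indicators above can be checked together on a captured request. The following is an added example, not a rule from this page or from any vendor; the function names, the form field name and the sample requests are constructed for illustration, and it assumes the raw request body is available to the inspecting component.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/hpmpa/jobacct/default.asp"  # lower-cased; IIS paths are case-insensitive
FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.IGNORECASE)
TRAVERSAL_RE = re.compile(rb"\.\.[\\/]")  # matches ..\ or ../

def inspect_request(method, url, content_type, body):
    """Return a dict of indicators for an upload to jobAcct, or None if out of scope."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path.lower() != TARGET_PATH:
        return None
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    names = FILENAME_RE.findall(body)  # filename of every upload part, as raw bytes
    result = {
        "upload_params": {"userid", "jobid"} <= params,
        "traversal": any(TRAVERSAL_RE.search(n) for n in names),
        "null_byte": any(b"\x00" in n for n in names),
    }
    # The query parameters alone also appear in ordinary uploads, so they are context only.
    result["alert"] = result["traversal"] or result["null_byte"]
    return result

def _multipart(filename):
    """Build a constructed single-part upload body (field name 'file' is made up)."""
    boundary = b"constructed-boundary"
    return (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\nsample\r\n"
            b"--" + boundary + b"--\r\n")

# Constructed sample requests: (method, url, content type, body)
CTYPE = "multipart/form-data; boundary=constructed-boundary"
URL = "/hpmpa/jobAcct/Default.asp?userId=1&jobId=1"
SAMPLES = [
    ("POST", URL, CTYPE, _multipart(b"..\\..\\sample.asp\x00.tmp")),
    ("POST", URL, CTYPE, _multipart(b"report.csv")),
    ("GET", "/hpmpa/home/Default.asp", "", b""),
]

if __name__ == "__main__":
    for method, url, ctype, body in SAMPLES:
        print(method, url, inspect_request(method, url, ctype, body))
```

The check needs the raw request body because the null byte sits inside the multipart filename and is not visible in standard access logs.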
No detection rules found.
Exploit-DB
HP Managed Printing Administration - jobAcct Remote Command Execution (Metasploit)
exploitdb·2013-07-22
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'HP Managed Printing Administration jobAcct Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability on HP Managed Printing
Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles()
function from the MPAUploader.Uploader.1 control, loaded and used by the server.
The function can be abused via directory traversal and null byte injection in order
to achieve arbi
Metasploit
HP Managed Printing Administration jobAcct Remote Command Execution
metasploit
This module exploits an arbitrary file upload vulnerability on HP Managed Printing Administration 2.6.3 and prior versions. The vulnerability exists in the UploadFiles() function from the MPAUploader.Uploader.1 control, loaded and used by the server. The function can be abused via directory traversal and null byte injection in order to achieve arbitrary file upload. In order to exploit successfully, a few conditions must be met. First, a writable location under the context of Internet Guest Account (IUSR_*) or Everyone is required. By default, this module will attempt to write to /hpmpa/userfiles/, but the WRITEWEBFOLDER option can be used to provide another writable path. Second, the writable path must also be readable b
No writeups or analysis indexed.