CVE-2013-4811
Published: 2013-09-16
Priority: P1 (78) · critical · CVSS 2.0 base score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 71.29% (99.3rd percentile)
UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the adCert argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | identity_driven_manager | — | — |
| hp | procurve_manager | — | — |
| hp | procurve_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to the UpdateDomainControllerServlet endpoint whose multipart/form-data carries a path traversal sequence in the adCert filename parameter (e.g., a '\../' prefix before a .jsp filename).
- Alert on HTTP responses from /RegWeb/RegWeb/UpdateDomainControllerServlet that do NOT contain 'success:false'; a successful upload returns HTTP 200 without that string.
- Flag HTTP GET requests to /RegWeb/*.jsp where the JSP filename is a random alphanumeric string (8–15 chars) immediately after a POST to UpdateDomainControllerServlet; this is the webshell execution step.
- Look for the Apache-Coyote server banner on the target, which the public exploit module uses to fingerprint a vulnerable HP ProCurve SNAC server.
- Monitor for .jsp files written into the /RegWeb/ web root directory on Windows hosts running the HP ProCurve Manager SNAC Server; the path traversal deposits the payload there.
- The vulnerable servlet does not permit binary writes, so the exploit payload must be text-safe (the public module uses ARCH_JAVA specifically because Java payloads are text-encodable).
- The known public module requires SSL (HTTPS on port 443); plain HTTP traffic to this endpoint would not represent exploitation of this CVE via that module.
- Authentication bypass is part of the attack chain: the session cookie obtained from /RegWeb/html/snac/index.html is sufficient to reach the upload endpoint without valid credentials.
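A correlation rule that implements the request-side indicators above over constructed request records, as an added example (not code from this page, from the exploit module or from HP); the key=value record layout and the upload_name/body fields are assumptions about what a reverse proxy or WAF that logs multipart filenames and response-body markers would provide:

```python
"""Correlate HTTP request records into CVE-2013-4811 alerts (added example)."""
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/RegWeb/RegWeb/UpdateDomainControllerServlet"
# Random 8-15 character alphanumeric .jsp name directly under /RegWeb/, per the IOC list.
WEBSHELL_RE = re.compile(r"^/RegWeb/[A-Za-z0-9]{8,15}\.jsp$")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
WINDOW = timedelta(minutes=5)  # how long a POST stays "recent" for the GET correlation

# Constructed records (not real traffic). Field layout is an assumption: a proxy/WAF
# that logs the multipart filename (upload_name) and the response body marker (body).
SAMPLE_LOG = [
    r"ts=2013-09-17T10:00:01 src=198.51.100.7 method=GET path=/RegWeb/html/snac/index.html status=200 body=-",
    r"ts=2013-09-17T10:00:02 src=198.51.100.7 method=POST path=/RegWeb/RegWeb/UpdateDomainControllerServlet status=200 upload_name=\../Ab3dEf9hKl.jsp body=ok",
    r"ts=2013-09-17T10:00:03 src=198.51.100.7 method=GET path=/RegWeb/Ab3dEf9hKl.jsp status=200 body=-",
    r"ts=2013-09-17T10:05:00 src=192.0.2.9 method=POST path=/RegWeb/RegWeb/UpdateDomainControllerServlet status=200 upload_name=dc.cer body={success:false}",
    r"ts=2013-09-17T10:20:00 src=192.0.2.9 method=GET path=/RegWeb/index.jsp status=200 body=-",
]

def parse(line):
    """Parse one key=value record (values contain no spaces)."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec

def detect(lines):
    """Return (rule, src, detail) tuples, one per matched indicator."""
    alerts, last_post = [], {}  # last_post: src -> time of its latest upload POST
    for rec in map(parse, lines):
        src, path = rec["src"], rec["path"]
        if rec["method"] == "POST" and path == UPLOAD_PATH:
            last_post[src] = rec["ts"]
            name = rec.get("upload_name", "")
            if TRAVERSAL_RE.search(name) and name.lower().endswith(".jsp"):
                alerts.append(("traversal_in_adCert_filename", src, name))
            # The servlet answers a successful upload with 200 and no 'success:false'.
            if rec["status"] == 200 and "success:false" not in rec.get("body", ""):
                alerts.append(("upload_not_rejected", src, path))
        elif rec["method"] == "GET" and WEBSHELL_RE.match(path):
            seen = last_post.get(src)
            if seen is not None and rec["ts"] - seen <= WINDOW:
                alerts.append(("jsp_exec_after_upload", src, path))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The second source's POST is rejected ('success:false' in the body) and its later GET is neither a random-name JSP nor inside the window, so only the first source produces alerts.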
No detection rules found.
Exploit-DB
HP ProCurve Manager - SNAC UpdateDomainControllerServlet Arbitrary File Upload (Metasploit) (exploitdb, 2013-09-17)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload',
'Description' => %q{
This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The
vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary
files, just having into account bi
```
Metasploit
HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload
This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary files, taking into account that binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.
References
- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03897409
- http://secunia.com/advisories/54788
- http://www.securitytracker.com/id/1029010
- http://zerodayinitiative.com/advisories/ZDI-13-226/
Published: 2013-09-16