CVE-2013-4812
Published 2013-09-16
CVE-2013-4812: UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0…
Priority: P2 · 74
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT: public exploit available
EPSS: 51.90% (98.8th percentile)
UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the fileName argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.
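The flaw described above, modelled in Python as an added example (not HP's servlet source, which is not public): a handler that appends the client-supplied fileName to its certificate directory, next to one that validates the name and re-checks the resolved path. The certificate directory, the allowed certificate extensions and the function names are assumptions.

```python
"""Model of the CVE-2013-4812 flaw and its fix: an upload handler that trusts
the client-supplied fileName versus one that validates it. Added example, not
HP's servlet code; the directory, the extension allow-list and the function
names are assumptions."""
import posixpath

ALLOWED_EXTENSIONS = {".cer", ".crt", ".pem", ".der"}  # assumed certificate formats


def naive_target_path(cert_dir: str, file_name: str) -> str:
    """Vulnerable pattern: fileName is appended to the directory unchanged.
    Separators are treated the way a Windows JVM would treat them, and a
    leading separator is dropped like java.io.File(parent, child) does, so a
    name such as '\\..\\..\\webapps\\RegWeb\\x.jsp' resolves outside cert_dir
    and into the web root, where Tomcat will compile and run it."""
    rel = file_name.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(cert_dir, rel))


def validate_file_name(file_name: str) -> str:
    """Hardened check: accept only a bare base name with an allowed extension.
    Rejects instead of 'cleaning' the name, because stripping '../' from
    inputs like '....//' is how sanitisers get bypassed."""
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or NUL-containing file name")
    if "/" in file_name or "\\" in file_name:
        raise ValueError("path separators are not allowed")
    if file_name in (".", ".."):
        raise ValueError("traversal segment")
    ext = posixpath.splitext(file_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    return file_name


def safe_target_path(cert_dir: str, file_name: str) -> str:
    """Validate, join, then confirm the result is still directly inside cert_dir.
    The second check is cheap insurance against a future change to the validator."""
    name = validate_file_name(file_name)
    base = posixpath.normpath(cert_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.dirname(target) != base:
        raise ValueError("resolved path escaped the certificate directory")
    return target


def is_accepted(cert_dir: str, file_name: str) -> bool:
    """True if the hardened handler would write this file name."""
    try:
        safe_target_path(cert_dir, file_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Assumed layout: certificates live next to, not under, the web root.
    cert_dir = "/opt/hp/snac/certs"
    hostile = "\\..\\..\\webapps\\RegWeb\\shell.jsp"  # constructed attacker input
    print("naive:", naive_target_path(cert_dir, hostile))
    print("hardened accepts hostile name:", is_accepted(cert_dir, hostile))
    print("hardened accepts server.cer:", is_accepted(cert_dir, "server.cer"))
```

The extension allow-list matters even with the traversal blocked: a `.jsp` dropped into any directory Tomcat serves would still execute, so the check rejects the name rather than relying on where it lands.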
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | identity_driven_manager | — | — |
| hp | procurve_manager | — | — |
| hp | procurve_manager | — | — |
Detection & IOCs (extracted from sources)
- Flag multipart POST requests to /RegWeb/RegWeb/UpdateCertificatesServlet whose upload filename contains a path-traversal sequence ('\..\' or '../') and ends in .jsp; this is the malicious-upload pattern itself.
- Monitor multipart form-data POSTs to /RegWeb/RegWeb/UpdateCertificatesServlet carrying the form fields importFile, importPasswd, cert_data and cert_action=importCertificate, which is the exploit's upload structure. On its own this only identifies use of the certificate-import form; combine it with the filename check.
- Alert on HTTP GET requests for /RegWeb/*.jsp that follow a POST to /RegWeb/RegWeb/UpdateCertificatesServlet from the same source IP; this is the uploaded payload being executed.
- Fingerprint exploit traffic by the Apache-Coyote server banner, which the Metasploit module's HTTP fingerprint uses to identify the target.
- Check responses from /RegWeb/RegWeb/GetCertificateStatusServlet for the JSON field "success":"true", which the exploit's check phase relies on.
- A response body containing 'Certificate import fails' after the POST to UpdateCertificatesServlet indicates that the exploit's upload succeeded: the file is written even though the subsequent certificate import fails, and the module treats that string as success.
- The exploit requires SSL (HTTPS on port 443), so detection rules must inspect TLS-decrypted traffic to be effective.
- Binary writes are not allowed by the vulnerable servlet; the exploit payload is Java-based (ARCH_JAVA) delivered as a JSP file, not a native binary.
- Authentication bypass is part of the attack chain: the exploit first obtains a session cookie from /RegWeb/html/snac/index.html without credentials before uploading the payload.
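The indicators above, turned into detection logic and run over constructed sample records. This is an added example, not code from the page's sources or from the Metasploit module; the record format (one JSON object per decrypted HTTP transaction, with form fields and the upload filename as a TLS-terminating proxy with body inspection might log them) and the five-minute follow-up window are assumptions.

```python
"""Detection logic for the CVE-2013-4812 exploit chain, run over constructed
sample records. Added example: the JSON-lines record format and the
follow-up window are assumptions, not something the vendor or Metasploit ships."""
import json
import re
from collections import defaultdict

UPLOAD_SERVLET = "/RegWeb/RegWeb/UpdateCertificatesServlet"
STATUS_SERVLET = "/RegWeb/RegWeb/GetCertificateStatusServlet"
TRAVERSAL = re.compile(r"\.\.[\\/]")                      # '../' or '..\'
JSP_NAME = re.compile(r"\.jsp$", re.IGNORECASE)
JSP_UNDER_REGWEB = re.compile(r"^/RegWeb/[^?]*\.jsp(?:\?|$)", re.IGNORECASE)
EXPLOIT_FIELDS = {"importFile", "importPasswd", "cert_data"}
FOLLOWUP_WINDOW = 300   # seconds; assumed, tune to the environment

# Constructed sample log (decrypted transactions). 198.51.100.7 runs the whole
# chain; 203.0.113.9 performs an ordinary certificate import with a plain name.
SAMPLE_LOG = r"""
{"ts": 1379300000, "src": "198.51.100.7", "method": "GET", "path": "/RegWeb/html/snac/index.html", "status": 200}
{"ts": 1379300001, "src": "198.51.100.7", "method": "POST", "path": "/RegWeb/RegWeb/GetCertificateStatusServlet", "status": 200, "resp_body": "{\"success\":\"true\"}"}
{"ts": 1379300002, "src": "198.51.100.7", "method": "POST", "path": "/RegWeb/RegWeb/UpdateCertificatesServlet", "status": 200, "content_type": "multipart/form-data; boundary=x", "fields": {"importFile": "", "importPasswd": "", "cert_data": "", "cert_action": "importCertificate"}, "upload_filename": "\\..\\..\\..\\webapps\\RegWeb\\shell.jsp", "resp_body": "Certificate import fails"}
{"ts": 1379300003, "src": "198.51.100.7", "method": "GET", "path": "/RegWeb/shell.jsp", "status": 200}
{"ts": 1379300100, "src": "203.0.113.9", "method": "POST", "path": "/RegWeb/RegWeb/UpdateCertificatesServlet", "status": 200, "content_type": "multipart/form-data; boundary=y", "fields": {"importFile": "", "importPasswd": "", "cert_data": "", "cert_action": "importCertificate"}, "upload_filename": "server.cer", "resp_body": "Certificate imported"}
{"ts": 1379300101, "src": "203.0.113.9", "method": "GET", "path": "/RegWeb/html/snac/index.html", "status": 200}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_multipart_upload(rec):
    return (rec.get("method") == "POST" and rec.get("path") == UPLOAD_SERVLET
            and rec.get("content_type", "").lower().startswith("multipart/form-data"))


def classify(rec):
    """Stateless per-record rules; returns the set of rule names that fire."""
    hits = set()
    if is_multipart_upload(rec):
        name = rec.get("upload_filename", "")
        fields = rec.get("fields", {})
        if TRAVERSAL.search(name) and JSP_NAME.search(name):
            hits.add("traversal_jsp_upload")        # high confidence: the flaw itself
            if "Certificate import fails" in rec.get("resp_body", ""):
                hits.add("upload_written")          # file landed before the import failed
        if EXPLOIT_FIELDS <= set(fields) and fields.get("cert_action") == "importCertificate":
            hits.add("import_form_shape")           # weak: ordinary imports look the same
    if rec.get("path") == STATUS_SERVLET and '"success":"true"' in rec.get("resp_body", ""):
        hits.add("status_probe")                    # weak: the module's check phase
    return hits


def analyze(records):
    """Stateful pass: correlate a GET of a .jsp under /RegWeb with an earlier
    traversal upload from the same source inside FOLLOWUP_WINDOW."""
    alerts = []
    last_upload = {}   # src -> ts of the most recent traversal upload
    for rec in sorted(records, key=lambda r: r["ts"]):
        src = rec["src"]
        hits = classify(rec)
        if "traversal_jsp_upload" in hits:
            last_upload[src] = rec["ts"]
        if (rec.get("method") == "GET" and JSP_UNDER_REGWEB.match(rec.get("path", ""))
                and src in last_upload
                and 0 <= rec["ts"] - last_upload[src] <= FOLLOWUP_WINDOW):
            hits.add("jsp_executed_after_upload")
        alerts.extend((rule, src, rec["ts"]) for rule in sorted(hits))
    return alerts


def rules_by_source(alerts):
    """Summarise alerts as {src: set(rule names)}."""
    out = defaultdict(set)
    for rule, src, _ in alerts:
        out[src].add(rule)
    return dict(out)


if __name__ == "__main__":
    for rule, src, ts in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ts} {src} {rule}")
```

Only the filename rule and the follow-up correlation are strong enough to page on; the form-shape and status-probe rules fire on the benign import in the sample as well, which is why they are kept as supporting context rather than stand-alone alerts.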
No detection rules found.
Exploit-DB
HP ProCurve Manager SNAC - UpdateCertificatesServlet Arbitrary File Upload (Metasploit)
exploitdb·2013-09-17
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Target identification by the Apache-Coyote Server banner (Tomcat)
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload',
      'Description' => %q{
        This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The
        vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary
        files, just having into account binary writes aren't allowed. Additionally,
        authentication can be bypassed in order to upload the file. This module has been
        tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.
      },
      # (module continues; the remainder is not reproduced on this page)
Metasploit
HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload
This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, just taking into account that binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.
References:
- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03897409
- http://secunia.com/advisories/54788
- http://www.securitytracker.com/id/1029010
- http://zerodayinitiative.com/advisories/ZDI-13-225/
Published: 2013-09-16