CVE-2013-6221
Published 2014-06-18
Priority: P275 | Severity: critical | CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 77.94% (99.5th percentile)
Directory traversal vulnerability in CommunicationServlet in HP Service Virtualization 3.x before 3.50.1, when the AutoPass license server is enabled, allows remote attackers to create arbitrary files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-2031.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | service_virtualization | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests to the CommunicationServlet endpoint /autopass/cs/pdfupload, which is the upload vector exploited without any authentication check.
- Detect directory traversal sequences (e.g., '../' or '/..') in the filename field of multipart/form-data uploads to /autopass/cs/pdfupload.
- Alert on HTTP POST multipart/form-data requests to /autopass/cs/pdfupload containing a form-data field named 'uploadedFile' with a filename containing traversal characters.
- Detect HTTP 500 responses from HP AutoPass License Server containing both 'java.lang.NullPointerException' and 'com.hp.autopass' as a fingerprinting indicator of a vulnerable instance.
- The exploit only works when the AutoPass license server feature is enabled within HP Service Virtualization; installations without this component enabled are not exposed.
- The default traversal depth values (INSTALL_DEPTH=4, WEBAPPS_DEPTH=1) are tuned for the default installation path of HP AutoPass License Server 8.01; non-default install paths may require different depths.
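The request and response checks listed above, as an added detection sketch that is not part of the original page or of any vendor tooling. It assumes raw HTTP requests are available as text (for example from a proxy or packet capture); the function names, finding labels and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

UPLOAD_PATH = "/autopass/cs/pdfupload"   # endpoint named on this page
FIELD_NAME = "uploadedFile"              # form field named on this page
DISPOSITION = re.compile(r"^content-disposition:\s*form-data;(?P<params>.*)$", re.I | re.M)
PARAM = re.compile(r'(\w+)="([^"]*)"')
# ".." as a whole path segment, with either slash style
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def inspect_request(raw: str) -> list[str]:
    """Return findings for one raw HTTP request (empty list = not relevant)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2:
        return []
    method, target = request_line[0], request_line[1]
    path = unquote(urlsplit(target).path).rstrip("/").lower()
    if method.upper() != "POST" or path != UPLOAD_PATH:
        return []
    findings = ["post-to-pdfupload"]     # any POST here deserves review
    for match in DISPOSITION.finditer(body):
        params = dict(PARAM.findall(match.group("params")))
        filename = unquote(params.get("filename", ""))  # also catch %2e%2e%2f
        if TRAVERSAL.search(filename):
            findings.append("traversal-in-filename")
            if params.get("name") == FIELD_NAME:
                findings.append("traversal-in-uploadedFile")
    return findings

def is_fingerprint_response(status: int, body: str) -> bool:
    """HTTP 500 carrying both strings the page lists as a fingerprint."""
    return (status == 500 and "java.lang.NullPointerException" in body
            and "com.hp.autopass" in body)

def _sample(filename: str) -> str:
    """Constructed sample request; host name and boundary are placeholders."""
    return ("POST /autopass/cs/pdfupload HTTP/1.1\r\n"
            "Host: license.example.internal\r\n"
            "Content-Type: multipart/form-data; boundary=b1\r\n\r\n"
            "--b1\r\n"
            f'Content-Disposition: form-data; name="uploadedFile"; filename="{filename}"\r\n'
            "Content-Type: application/pdf\r\n\r\nconstructed body\r\n--b1--\r\n")

SAMPLE_TRAVERSAL = _sample("../../sample.pdf")
SAMPLE_PLAIN = _sample("license.pdf")

if __name__ == "__main__":
    for name, req in (("traversal", SAMPLE_TRAVERSAL), ("plain", SAMPLE_PLAIN)):
        print(name, inspect_request(req))
```

A filename such as `report..pdf` is not flagged, because the pattern requires `..` to stand alone as a path segment.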
No detection rules found.
Exploit-DB
HP AutoPass License Server - Arbitrary File Upload (Metasploit)
exploitdb·2014-06-27
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'HP AutoPass License Server File Upload',
'Description' => %q{
This module exploits a code execution flaw in HP AutoPass License Server. It abuses two
weaknesses in order to get its objective. First, the AutoPass application doesn't enforce
authentication in the CommunicationServlet component. On the other hand, it's possible to
abuse a directory traversal when uploading files thorough the same component, allowing to
upload an arbitrary payload embedded in a JSP. The module has been tested successfully on
HP AutoPass License Server 8.01 as installed
Metasploit
HP AutoPass License Server File Upload
This module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce authentication in the CommunicationServlet component. Second, it's possible to abuse a directory traversal when uploading files through the same component, allowing to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/127247/HP-AutoPass-License-Server-File-Upload.html
- http://www.exploit-db.com/exploits/33891
- http://www.osvdb.org/107943
- http://www.securitytracker.com/id/1030385
- http://zerodayinitiative.com/advisories/ZDI-14-195/
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/hp_autopass_license_traversal.rb
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04333125