CVE-2017-12557
Published 2018-02-15
CVE-2017-12557: A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.
Priority P184, critical, 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 80.12% (99.6th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | intelligent_management_center_plat | — | — |
| hp | intelligent_management_center | <= 7.3 | — |
| hp | intelligent_management_center | — | — |
Detection & IOCs
bytes
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3IALWphdmF4Lm1hbmFnZW1lbnQub3Blbm1iZWFuLlRhYnVsYXJEYXRhU3VwcG9ydE9iDqhrlxdDAgACTAAHZGF0YU1hcHQAD0xqYXZhL3V0aWwvTWFwO0wAC3RhYnVsYXJUeXBldAAoTGphdmF4L21hbmFnZW1lbnQvb3Blbm1iZWFuL1RhYnVsYXJUeXBlO3hw
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, cve CVE_2017_12557, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)
- Exploit targets the WebDMDebugServlet endpoint via HTTP POST. Detect POST requests to /imc/topo/WebDMDebugServlet on ports 8080 or 8443.
- Java deserialization payload bodies will contain the strings 'java.util.HashMap' and 'javax.management.openmbean.TabularDataSupport' in the POST body. Inspect HTTP request bodies for these class names.
- Serialized Java objects begin with the magic bytes 0xACED0005 (base64: rO0AB). Detect POST requests to WebDMDebugServlet whose body starts with this signature.
- Vulnerability check uses a time-based blind technique: a synchronous sleep payload is sent and a response delay >= 10 seconds indicates exploitation. Monitor for unusually slow HTTP 500 responses from the iMC server containing 'HPE Intelligent Management Center'.
- No authentication is required to exploit this vulnerability. Unauthenticated POST requests to the WebDMDebugServlet endpoint should be treated as highly suspicious.
- Successful exploitation results in code execution as SYSTEM. Monitor for unexpected child processes spawned by the HPE iMC Java process (e.g., cmd.exe, powershell.exe) running as SYSTEM.
- The default target URI base path is '/imc'. If the HPE iMC installation uses a non-default context root, the exploit path /imc/topo/WebDMDebugServlet will differ accordingly.
- The Metasploit module sets a WfsDelay of 10 seconds to account for the time-based sleep check. Detection rules using response-time thresholds should use >= 10 seconds as the baseline.
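The request-level indicators in the list above can be combined into one triage check for proxy or WAF logs; the following is an added example, not code from the page's sources, and it keys on the WebDMDebugServlet path from the list rather than the /login.jsf URI used by the quoted rule. The function names, the indicator labels and the sample body are assumptions constructed for illustration.

```python
import base64
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header
CLASS_MARKERS = (b"java.util.HashMap",
                 b"javax.management.openmbean.TabularDataSupport")
# Match the servlet under any context root, not only the default /imc.
SERVLET_RE = re.compile(r"^(?:/[^/?]+)*/topo/WebDMDebugServlet(?:[/?;]|$)")

# Constructed, truncated stand-in for a request body: stream header plus two
# class descriptors only. It is not a deserializable object.
SAMPLE_BODY = (JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"
               + b"sr\x00\x2djavax.management.openmbean.TabularDataSupport")


def decode_body(body: bytes) -> bytes:
    """Return raw bytes; base64 bodies starting with rO0AB are decoded."""
    body = body.lstrip()
    if body.startswith(b"rO0AB"):
        try:
            return base64.b64decode(body)
        except ValueError:  # malformed base64: fall back to the text form
            pass
    return body


def indicators(method: str, path: str, body: bytes, authenticated: bool = False):
    """List which of the page's indicators one HTTP request matches."""
    hits = []
    raw = decode_body(body)
    if method.upper() == "POST" and SERVLET_RE.match(path):
        hits.append("post-to-servlet")
        if not authenticated:
            hits.append("unauthenticated")
    if raw.startswith(JAVA_MAGIC) or body.lstrip().startswith(b"rO0AB"):
        hits.append("java-serialized-body")
    if all(marker in raw for marker in CLASS_MARKERS):
        hits.append("payload-class-names")
    return hits


def verdict(hits) -> str:
    """Alert when a serialized object is POSTed to the servlet."""
    if {"post-to-servlet", "java-serialized-body"} <= set(hits):
        return "alert"
    return "review" if hits else "ignore"
```

The response-time and child-process indicators need server-side and endpoint telemetry and are outside what a single request record can show.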
CVSS provenance
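| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |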
Suricata
ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt
suricata·2018-12-10
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, cve CVE_2017_12557, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)
Exploit-DB
HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit)
exploitdb·2018-12-04
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "HP Intelligent Management Java Deserialization RCE",
'Description' => %q{
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of
Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit
this vulnerability.
The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by
default. The issue results from the lack of proper validation of user-supplied data, which can result
in deserialization of untrusted data. An attacker c
Metasploit
HP Intelligent Management Java Deserialization RCE
metasploit
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
- http://www.securityfocus.com/bid/101152
- http://www.securitytracker.com/id/1039495
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03778en_us
- https://www.exploit-db.com/exploits/45952/
Published: 2018-02-15