cbcvebase.
CVE-2017-12557
published 2018-02-15

CVE-2017-12557: A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.

Priority: P184, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 80.12% (99.6th percentile)

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | intelligent_management_center_plat | | |
| hp | intelligent_management_center | <= 7.3 | |
| hp | intelligent_management_center | | |

Detection & IOCs (extracted from sources)

port: 8080
port: 8443
path: /imc/topo/WebDMDebugServlet
path: /imc/login.jsf
bytes
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3IALWphdmF4Lm1hbmFnZW1lbnQub3Blbm1iZWFuLlRhYnVsYXJEYXRhU3VwcG9ydE9iDqhrlxdDAgACTAAHZGF0YU1hcHQAD0xqYXZhL3V0aWwvTWFwO0wAC3RhYnVsYXJUeXBldAAoTGphdmF4L21hbmFnZW1lbnQvb3Blbm1iZWFuL1RhYnVsYXJUeXBlO3hw
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, cve CVE_2017_12557, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)
  • Exploit targets the WebDMDebugServlet endpoint via HTTP POST. Detect POST requests to /imc/topo/WebDMDebugServlet on ports 8080 or 8443.
  • Java deserialization payload bodies will contain the strings 'java.util.HashMap' and 'javax.management.openmbean.TabularDataSupport' in the POST body. Inspect HTTP request bodies for these class names.
  • Serialized Java objects begin with the magic bytes 0xACED0005 (base64: rO0AB). Detect POST requests to WebDMDebugServlet whose body starts with this signature.
  • Vulnerability check uses a time-based blind technique: a synchronous sleep payload is sent and a response delay >= 10 seconds indicates exploitation. Monitor for unusually slow HTTP 500 responses from the iMC server containing 'HPE Intelligent Management Center'.
  • No authentication is required to exploit this vulnerability. Unauthenticated POST requests to the WebDMDebugServlet endpoint should be treated as highly suspicious.
  • Successful exploitation results in code execution as SYSTEM. Monitor for unexpected child processes spawned by the HPE iMC Java process (e.g., cmd.exe, powershell.exe) running as SYSTEM.
  • The default target URI base path is '/imc'. If the HPE iMC installation uses a non-default context root, the exploit path /imc/topo/WebDMDebugServlet will differ accordingly.
  • The Metasploit module sets a WfsDelay of 10 seconds to account for the time-based sleep check. Detection rules using response-time thresholds should use >= 10 seconds as the baseline.
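
The request-side indicators from the list above, combined into one check over parsed HTTP requests. This is an added example, not code from this page or its sources; the function names and the sample requests are constructed for illustration, and the response-time and child-process indicators are out of scope here.

```python
import base64
import binascii

JAVA_MAGIC = bytes.fromhex("aced0005")      # serialized-object stream header
B64_MAGIC = b"rO0AB"                        # same header, base64-encoded
CLASS_NAMES = (b"java.util.HashMap",
               b"javax.management.openmbean.TabularDataSupport")
SERVLET_SUFFIX = "/topo/WebDMDebugServlet"  # context root ('/imc') may differ


def _decoded(body: bytes) -> bytes:
    """Return the raw bytes of a base64-wrapped Java stream, else the body."""
    stripped = body.strip()
    if stripped.startswith(B64_MAGIC):
        try:
            return base64.b64decode(stripped + b"=" * (-len(stripped) % 4))
        except (binascii.Error, ValueError):
            pass
    return body


def indicators(method: str, path: str, body: bytes) -> list[str]:
    """List which of the page's indicators a single HTTP request matches."""
    hits = []
    raw = _decoded(body)
    # Drop the query string and match on the suffix so that a non-default
    # context root is still caught.
    if method.upper() == "POST" and path.split("?", 1)[0].endswith(SERVLET_SUFFIX):
        hits.append("post_to_WebDMDebugServlet")
    if raw.startswith(JAVA_MAGIC):
        hits.append("java_serialization_magic")
    if all(name in raw for name in CLASS_NAMES):
        hits.append("hashmap_tabulardatasupport_classes")
    return hits


def is_alert(method: str, path: str, body: bytes) -> bool:
    """Alert when the servlet is POSTed a serialized object or the class pair."""
    hits = indicators(method, path, body)
    return "post_to_WebDMDebugServlet" in hits and len(hits) > 1


# Constructed sample requests (not captured traffic, not a working payload).
_STREAM = JAVA_MAGIC + b"sr\x00\x11" + CLASS_NAMES[0] + b"sr\x00\x2d" + CLASS_NAMES[1]
SAMPLES = [("POST", "/imc/topo/WebDMDebugServlet", _STREAM),
           ("POST", "/nms/topo/WebDMDebugServlet", base64.b64encode(_STREAM)),
           ("POST", "/imc/login.jsf", b"user=admin&password=x")]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], s[1], indicators(*s), "ALERT" if is_alert(*s) else "ok")
```
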

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C