CVE-2017-5816
Published 2018-02-15
CVE-2017-5816: A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.
Priority P184 · critical · 9.8 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 86.47% (99.7th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | intelligent_management_center_plat | — | — |
| hp | intelligent_management_center | < 7.3 | 7.3 |
| hp | intelligent_management_center | — | — |
Detection & IOCs (extracted from sources)
- Command: opcode 10008 (RestartDB) with an unsanitized dbInstance field carrying command injection inside a BER-encoded ASN.1 sequence.
- Detect command injection patterns in the dbInstance field of dbman packets: look for shell metacharacters such as a double-quote followed by an ampersand ("&) within BER-encoded traffic on port 2810.
- The dbman service responds with the string 'dbman' in its error banner; a probe sending an empty 4-byte opcode 10008 packet ([10008].pack('N')) and receiving a response matching /dbman/i confirms a vulnerable/exposed instance.
- The exploit runs commands as SYSTEM on Windows; monitor for unexpected child processes spawned by the dbman service (e.g., cmd.exe, powershell.exe) on iMC hosts.
- The service is unauthenticated; any external TCP connection to port 2810 on an iMC host should be treated as suspicious and investigated.
- The PoC hardcodes a test IP and payload; in real attacks the dbIp field is randomized and the payload will differ — do not rely solely on static IP matching for detection.
- The Metasploit module enforces a payload length limit of 8000 bytes for PowerShell delivery; payloads exceeding this will fail, so very large command strings in the dbInstance field may indicate a non-Metasploit custom exploit.
- The vulnerability affects iMC PLAT versions before 7.3 E0504P04; version 7.2 (E0403) Standard was confirmed tested. Ensure patching to 7.3 E0504P04 or later.
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB: HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit)
exploitdb · 2018-01-10
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HPE iMC dbman RestartDB Unauthenticated RCE',
      'Description' => %q{
        This module exploits a remote command execution vulnerability in
        Hewlett Packard Enterprise Intelligent Management Center before
        version 7.3 E0504P04.

        The dbman service allows unauthenticated remote users to restart
        a user-specified database instance (OpCode 10008), however the
        instance ID is not sanitized, allowing execution of arbitrary
        operating system commands as SYSTEM. This service listens on
        TCP port 2810 by default.

        This module has been tested successfully on iMC PLAT v7.2 (E0403)
        on Windows 7 SP1 (EN).
      },
```
Exploit-DB: HP iMC Plat 7.2 - Remote Code Execution (2)
exploitdb · 2017-11-29 · CVSS 9.8
---
```python
#!/opt/local/bin/python2.7
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE
# Date: 11-29-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5816
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-340/

# note that this PoC will create a file 'C:\10008.txt'

from pyasn1.type.univ import *
from pyasn1.type.namedtype import *
from pyasn1.codec.ber import encoder
import struct
import binascii
import soc
```
Metasploit: HPE iMC dbman RestartDB Unauthenticated RCE
metasploit
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008), however the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
No writeups or analysis indexed.
References:
- http://www.securityfocus.com/bid/100470
- http://www.securitytracker.com/id/1038478
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us
- https://www.exploit-db.com/exploits/43198/
- https://www.exploit-db.com/exploits/43493/