CVE-2017-5817
Published 2018-02-15
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.
Severity: critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Public exploit: available (Exploit-DB and Metasploit entries below)
EPSS: 82.88% (99.6th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | intelligent_management_center_plat | — | — |
| hp | intelligent_management_center | < 7.3 | 7.3 |
| hp | intelligent_management_center | — | — |
The "< 7.3 / 7.3" range is coarser than the exploit sources indexed on this page, which describe the flaw as present in iMC PLAT before 7.3 E0504P04 (tested against 7.2 E0403); treat E0504P04 as the first fixed build and confirm against the HPE security bulletin linked at the end of the page.
Detection & IOCs (extracted from the indexed sources)
Byte patterns:
- \x00\x00\x27\x17\x00\x00\x00 (first four bytes are OpCode 10007 as a big-endian 32-bit integer; the RestoreDBase request)
- \x73\x61\x22\x26\x20 (ASCII sa"& followed by a space: the injection prefix preceding the injected command)
Detection ideas:
- Alert on unauthenticated TCP connections to port 2810 containing OpCode 10007 (bytes \x00\x00\x27\x17); this is the RestoreDBase request used for exploitation.
- Detect dbman service responses containing the string 'dbman' on TCP port 2810 as a fingerprint for a vulnerable or exposed iMC dbman instance.
- Monitor for processes spawned as SYSTEM by the iMC dbman service, particularly cmd.exe or powershell.exe child processes, which indicate successful command injection via the unsanitized database username field.
- Flag encoded PowerShell payloads exceeding 8000 characters originating from the dbman service process; the Metasploit module uses PowerShell for final payload delivery.
- Inspect TCP port 2810 traffic for the ASN.1/BER-encoded request structure with shell metacharacters (& and ") embedded in the database username field, which is the injection vector.
Caveats:
- The exploit targets the dbman service only on Windows; the module was tested on iMC PLAT v7.2 (E0403) on Windows 7 SP1 and Windows Server 2008 R2, not Linux deployments.
- The vulnerability is pre-authentication: no credentials are required to trigger the command injection, so network-level blocking of port 2810 is the primary mitigation until the fixed build is deployed.
- The WfsDelay is set to 15 seconds in the Metasploit module, so detection based on connection duration alone may miss the exploit if tuned for shorter timeouts.
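The detection ideas above can be turned into two small triage functions, one for the network side (port 2810 request/response bytes) and one for the host side (process-creation telemetry). The block below is an added example, not code from HPE, the CVE database or the exploit authors; it relies only on what the indicators state (OpCode 10007 on the wire as big-endian 00 00 27 17, a quote-and-separator break-out in the database username, a 'dbman' string in the listener's reply, dbman spawning cmd.exe/powershell.exe as SYSTEM, the 8000-character encoded-PowerShell threshold). The parent image name dbman.exe is an assumption, and every sample request, reply and process event is constructed; the bytes around the opcode and username are placeholders, not the real BER layout.

```python
"""Detection helpers for the dbman RestoreDBase (OpCode 10007) injection pattern.

Added example, not code from HPE, the CVE database, or the exploit authors.
Assumptions: the dbman service image is named dbman.exe; the sample payloads
and process events below are constructed, and the bytes around the opcode and
username are placeholders rather than the real BER-encoded wire format.
"""
import re
import struct
from typing import List, Optional

DBMAN_PORT = 2810
RESTORE_OPCODE = 10007                                    # RestoreDBase
RESTORE_OPCODE_BYTES = struct.pack(">I", RESTORE_OPCODE)  # b"\x00\x00\x27\x17"

# A closing double quote followed (after optional whitespace) by a cmd.exe
# command separator: the shape of the injection prefix sa"& reported above.
INJECTION_RE = re.compile(rb'"\s*[&|]')

DBMAN_IMAGE = "dbman.exe"                        # assumed service image name
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
ENCODED_PS_LIMIT = 8000                          # threshold quoted above
ENCODED_PS_RE = re.compile(r"-(?:enc|encodedcommand)\s+(\S+)", re.IGNORECASE)


def has_restore_opcode(payload: bytes) -> bool:
    """True if the request carries the OpCode 10007 marker anywhere."""
    return RESTORE_OPCODE_BYTES in payload


def has_injection_metachars(payload: bytes) -> bool:
    """True if a quote/separator sequence that could break out of the username is present."""
    return INJECTION_RE.search(payload) is not None


def is_dbman_banner(response: bytes) -> bool:
    """Fingerprint an exposed dbman listener from its response bytes."""
    return b"dbman" in response


def inspect_flow(dst_port: int, request: bytes, response: bytes = b"") -> List[str]:
    """Network-side triage of one client->server exchange on the dbman port."""
    findings: List[str] = []
    if dst_port != DBMAN_PORT:
        return findings
    if is_dbman_banner(response):
        findings.append("dbman listener exposed on tcp/2810")
    if has_restore_opcode(request):
        findings.append("RestoreDBase (OpCode 10007) request from unauthenticated client")
        if has_injection_metachars(request):
            findings.append("shell metacharacters in RestoreDBase request: probable command injection")
    return findings


def inspect_process(parent_image: str, image: str, cmdline: str, user: str) -> Optional[str]:
    """Host-side triage of a process-creation event (e.g. Sysmon event ID 1 fields)."""
    if parent_image.lower().rsplit("\\", 1)[-1] != DBMAN_IMAGE:
        return None
    child = image.lower().rsplit("\\", 1)[-1]
    if child not in SUSPICIOUS_CHILDREN:
        return None
    m = ENCODED_PS_RE.search(cmdline)
    if m and len(m.group(1)) > ENCODED_PS_LIMIT:
        return f"dbman spawned {child} as {user} with {len(m.group(1))}-char encoded PowerShell"
    return f"dbman spawned {child} as {user}"


# Constructed samples. The bytes around the opcode and username stand in for
# the BER envelope and are placeholders, not the real dbman wire layout.
BENIGN_RESTORE = b"\x30\x20" + RESTORE_OPCODE_BYTES + b"\x04\x08imc_user\x04\x06secret"
INJECTED_RESTORE = (b"\x30\x40" + RESTORE_OPCODE_BYTES
                    + b'\x04\x2fsa"& powershell -enc SQBFAFgA &"'
                    + b"\x04\x02pw")
OTHER_OPCODE = b"\x30\x10" + struct.pack(">I", 10001) + b"\x04\x04ping"
DBMAN_REPLY = b"\x00\x00\x00\x05dbman"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN_RESTORE), ("injected", INJECTED_RESTORE), ("other", OTHER_OPCODE)]:
        print(name, inspect_flow(DBMAN_PORT, req, DBMAN_REPLY))
    print(inspect_process("dbman.exe", r"C:\Windows\System32\cmd.exe",
                          "cmd.exe /c whoami", r"NT AUTHORITY\SYSTEM"))
```

The network check deliberately searches for the opcode marker anywhere in the payload rather than at a fixed offset, since the page gives the marker but not the envelope layout; in a real sensor the same two predicates map directly onto a content match and a PCRE in a Suricata or Snort rule on tcp/2810. The host check is the higher-confidence signal: a benign RestoreDBase request produces no shell child, so a dbman-parented cmd.exe or powershell.exe is worth an alert on its own, and the 8000-character encoded-PowerShell condition only raises the priority.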
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
HPE iMC - dbman 'RestoreDBase' Remote Command Execution (Metasploit)
exploitdb · 2018-01-10 · CVE-2017-5817
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HPE iMC dbman RestoreDBase Unauthenticated RCE',
      'Description' => %q{
        This module exploits a remote command execution vulnerability in
        Hewlett Packard Enterprise Intelligent Management Center before
        version 7.3 E0504P04.

        The dbman service allows unauthenticated remote users to restore
        a user-specified database (OpCode 10007), however the database
        connection username is not sanitized resulting in command injection,
        allowing execution of arbitrary operating system commands as SYSTEM.

        This service listens on TCP port 2810 by default.

        This module has been tested successfully on iMC PLAT v7.2 (E0403)
        on Windows 7 SP1 (EN).
      },
```
Exploit-DB
HP iMC Plat 7.2 - Remote Code Execution
exploitdb · 2017-11-28 · CVSS 9.8 · CVE-2017-5817 [CRITICAL]
---
```python
#!/opt/local/bin/python2.7
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE
# Date: 11-28-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5817
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-341/
# note that this PoC will create a file 'C:\poc.txt'
import socket, sys

ip = '192.168.1.74'
port = 2810
command = "echo PoC 12345 > C:\\poc.txt" # command to run

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
```
Metasploit
HPE iMC dbman RestoreDBase Unauthenticated RCE
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007), however the database connection username is not sanitized resulting in command injection, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
No writeups or analysis indexed.
References
- http://www.securitytracker.com/id/1038478
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us
- https://www.exploit-db.com/exploits/43195/
- https://www.exploit-db.com/exploits/43492/