CVE-2017-8982
Published 2018-02-15
Priority: P2 · 64 · CVSS 3.0: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: public exploit available (see references) · EPSS: 14.48% (96.2nd percentile)
A Remote Authentication Restriction Bypass vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P4 was found.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | intelligent_management_center_plat | — | — |
| hp | intelligent_management_center | — | — |
Detection & IOCs (extracted from sources)
- Command executed by the published payload (`<CMD>` is the attacker-supplied command): `facesContext.getExternalContext().redirect("".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("var proc=new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/c\",\"<CMD>\")).start();"))`
- Successful exploitation produces an HTTP 302 redirect from the beanName injection endpoint; any other status indicates the injection failed.
- An unauthenticated GET /imc/login.jsf that returns HTTP 200 is the check() step of the Metasploit module. On its own this is ordinary login-page traffic, so treat it as a pre-exploitation reconnaissance signal for correlation rather than as an alert by itself.
- The payload starts cmd.exe /c via java.lang.ProcessBuilder from the JavaScript ScriptEngine and runs as SYSTEM; alert on the iMC service (Java) process spawning cmd.exe or powershell.exe children.
- The module's default payload is cmd/windows/reverse_powershell. The resulting reverse shell connects outbound from the iMC host to the attacker's listener, not over the service's own ports, so look for PowerShell launched from the iMC service process tree and for new outbound connections from that tree; TCP 8080/8443 are where the exploit request arrives.
- The Metasploit module targets iMC PLAT versions before 7.3 E0504P04 and was tested against E0504P02. The NVD description above names 7.3 E0504P4 itself as affected, so consult the HPE advisory in the references for the exact fixed build. Scope detections to Windows hosts running iMC PLAT 7.3 in those builds.
- The service listens on TCP 8080 (HTTP) and 8443 (HTTPS) by default; network rules must cover both ports, and the HTTPS leg needs TLS inspection or server-side access logs for the payload to be visible.
- The exploit chains two CVEs: CVE-2017-8982 (authentication restriction bypass) and CVE-2017-12500 (EL injection). Detecting the beanName EL injection alone may miss the chain; also account for the authentication-bypass path-traversal component.
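The detection notes above, turned into runnable logic as an added example (this is not code from the page, from HPE, or from the Metasploit module): a Python script that parses constructed access-log and process-creation lines, flags requests to 8080/8443 whose beanName parameter carries the EL/ScriptEngine payload (302 means success, any other status an attempt; the value is URL-decoded first so percent-encoding does not evade the check), uses GET /imc/login.jsf -> 200 only to enrich an injection alert from the same source, and flags the iMC Java service process spawning cmd.exe or powershell.exe. The log formats, the placeholder path /imc/PLACEHOLDER_ENDPOINT (the page does not name the injection endpoint), the iMC install path under C:\Program Files\iMC, and every sample line are assumptions made for this example.

```python
"""Detection logic for the CVE-2017-8982 + CVE-2017-12500 chain against HPE iMC PLAT.

Added example, not the page's or any vendor's code. Log formats, the iMC install
path and all sample lines below are constructed for illustration.
"""
from urllib.parse import parse_qs, quote, unquote

IMC_PORTS = {"8080", "8443"}            # default HTTP / HTTPS listeners of the service
CHILD_SHELLS = {"cmd.exe", "powershell.exe"}

# Substrings of the published payload, matched on the URL-decoded beanName value.
PAYLOAD_MARKERS = (
    "facesContext.getExternalContext().redirect(",
    "javax.script.ScriptEngineManager",
    "java.lang.ProcessBuilder",
)

# The page's payload with <CMD> filled in; used only to build sample traffic.
SAMPLE_PAYLOAD = (
    r'facesContext.getExternalContext().redirect("".getClass()'
    r'.forName("javax.script.ScriptEngineManager").newInstance()'
    r'.getEngineByName("JavaScript").eval("var proc=new java.lang.ProcessBuilder'
    r'[\"(java.lang.String[])\"]([\"cmd.exe\",\"/c\",\"whoami\"]).start();"))'
)

# Constructed access log: "<ts> <src-ip> <dst-port> <method> <target> <status>".
# /imc/PLACEHOLDER_ENDPOINT stands in for the real endpoint, which the page does
# not name; the detector keys on the beanName parameter, not on the path.
WEB_LOG = "\n".join([
    "2018-05-16T10:00:01Z 203.0.113.7 8080 GET /imc/login.jsf 200",
    "2018-05-16T10:00:03Z 203.0.113.7 8080 GET /imc/PLACEHOLDER_ENDPOINT"
    "?beanName=" + quote(SAMPLE_PAYLOAD, safe="") + " 302",
    # double-encoded attempt that the server rejected
    "2018-05-16T10:00:09Z 198.51.100.9 8443 GET /imc/PLACEHOLDER_ENDPOINT"
    "?beanName=" + quote(quote(SAMPLE_PAYLOAD, safe=""), safe="") + " 500",
    "2018-05-16T10:01:00Z 10.0.0.22 8080 GET /imc/login.jsf 200",
    "2018-05-16T10:01:02Z 10.0.0.22 8080 POST /imc/login.jsf 302",
    "2018-05-16T10:02:00Z 10.0.0.22 443 GET /other?beanName=x 302",
])

# Constructed process-creation log: "<ts>\t<host>\t<parent image>\t<child command line>"
# (the fields Sysmon Event ID 1 provides as ParentImage / CommandLine).
PROC_LOG = "\n".join([
    "2018-05-16T10:00:03Z\tIMC01\tC:\\Program Files\\iMC\\client\\bin\\java.exe"
    "\tcmd.exe /c whoami",
    "2018-05-16T10:00:04Z\tIMC01\tC:\\Program Files\\iMC\\client\\bin\\java.exe"
    "\tcmd.exe /c powershell -nop -w hidden -c $c=New-Object Net.Sockets.TCPClient",
    "2018-05-16T10:05:00Z\tIMC01\tC:\\Windows\\explorer.exe\tcmd.exe /c dir",
])


def classify_web_event(line):
    """Return an event dict for one access-log line, or None if it is benign."""
    ts, src, dport, method, target, status = line.split()
    if dport not in IMC_PORTS:
        return None
    path, _, query = target.partition("?")
    bean = " ".join(parse_qs(query, keep_blank_values=True).get("beanName", []))
    decoded = unquote(bean)                 # parse_qs decoded once; strip a second layer
    if any(marker in decoded for marker in PAYLOAD_MARKERS):
        kind = "el_injection_success" if status == "302" else "el_injection_attempt"
        return {"ts": ts, "src": src, "kind": kind, "path": path, "port": dport}
    if path == "/imc/login.jsf" and method == "GET" and status == "200":
        return {"ts": ts, "src": src, "kind": "login_recon", "path": path, "port": dport}
    return None


def classify_proc_event(line):
    """Flag the iMC service process (java.exe under the iMC tree) spawning a shell."""
    ts, host, parent, child_cmdline = line.split("\t")
    parent_l = parent.lower()
    child = child_cmdline.split(" ", 1)[0].rsplit("\\", 1)[-1].lower()
    if "\\imc\\" in parent_l and parent_l.endswith("\\java.exe") and child in CHILD_SHELLS:
        kind = ("imc_spawns_powershell" if "powershell" in child_cmdline.lower()
                else "imc_spawns_shell")
        return {"ts": ts, "host": host, "kind": kind, "parent": parent, "cmdline": child_cmdline}
    return None


def detect(web_log, proc_log):
    """Run both detectors; mark injections whose source hit the login page first."""
    alerts, recon_sources = [], set()
    for line in web_log.splitlines():
        ev = classify_web_event(line)
        if ev is None:
            continue
        if ev["kind"] == "login_recon":      # too noisy to alert on alone; enrich only
            recon_sources.add(ev["src"])
            continue
        ev["preceded_by_login_recon"] = ev["src"] in recon_sources
        alerts.append(ev)
    for line in proc_log.splitlines():
        ev = classify_proc_event(line)
        if ev is not None:
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in detect(WEB_LOG, PROC_LOG):
        print(alert)
```

Running the script prints four alerts: a successful injection from 203.0.113.7 (marked as preceded by login-page recon), a failed double-encoded attempt from 198.51.100.9, and two process alerts for the iMC java.exe spawning cmd.exe, the second escalated because the command line invokes PowerShell. To use it against real data, map the six web fields from the Tomcat or reverse-proxy access log and the four process fields from Sysmon Event ID 1; the request on 8443 is only visible if the access log, not a network tap, is the source.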
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securitytracker.com/id/1040283
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us
- https://www.exploit-db.com/exploits/44648/
- https://www.zerodayinitiative.com/advisories/ZDI-18-139/