While developing detection plugins for the vulnerabilities disclosed by HP on 2016-03-15, Tenable discovered two issues that could allow remote code execution.
#1 - mod_smh_config.so /proxy/SetSMHData admin-group Parameter Handling Remote Stack Buffer Overflow
In the code that processes a POST request via the "/proxy/SetSMHData" endpoint, there is a stack buffer overflow condition that can be reached with attacker-supplied data. Exploitation requires a non-default SMH configuration that includes:
- TrustedByAll configured
- No IP restrictions for the attacker
- Kerberos authorization not enabled
#2 - mod_smh_aa.so /Proxy/SSO TKN Parameter Handling Remote Stack Buffer Overflow
A second potential remote code execution vulnerability was found in a function that converts a hex string to binary bytes in mod_smh_aa.so. The exploit doesn't require authentication and can be launched against an SMH target with the default configuration. In the relevant code, the sscanf() function is called inside a loop to convert a user-supplied hex string into binary bytes and store the converted bytes in a fixed-size (0x400) buffer on the stack, resulting in a buffer overflow. While this attack works against a default SMH installation, there are a few assumptions:
- The target SMH is configured with "Trust by Certificate" Trust Mode; this is the default and is the most secure mode.
- At least one certificate is installed under "Trusted Management Servers" in the SMH Web GUI. The certificates listed there are typically associated with HP Systems Insight Managers (SIM) for managing the system on which SMH is installed. You can manually import a PEM-formatted certificate on the "Trusted Management Servers" page, or you can fetch and import one from a SIM by specifying the host name or IP of the SIM in the "Server Name:" field on that page.
- Note that a "Trust by Certificate" Trust Mode with at least one configured "Trusted Management Server" may be a likely SMH configuration.
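As an added illustration of the fix pattern for this bug class (this is example code, not HP's implementation or Tenable's PoC): a hex-to-bytes conversion that checks the output capacity before writing, so an overly long hex string is rejected instead of overflowing a 0x400-byte stack buffer. The buffer size constant and helper names are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define TKN_BUF_SIZE 0x400  /* assumed: same fixed-size stack buffer as described above */

/* Return the value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode hex string `hex` into `out` (capacity out_cap bytes).
 * Returns the number of bytes written, or -1 on malformed or overlong input.
 * Unlike an unbounded sscanf("%02x") loop, the length is checked against the
 * output capacity BEFORE any byte is written, so `out` cannot be overrun. */
int hex_to_bytes_bounded(const char *hex, unsigned char *out, size_t out_cap) {
    size_t len = strlen(hex);
    if (len % 2 != 0) return -1;        /* hex strings must have even length */
    if (len / 2 > out_cap) return -1;   /* would not fit: reject, do not truncate silently */
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_val((unsigned char)hex[i]);
        int lo = hex_val((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) return -1; /* non-hex character */
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(len / 2);
}

/* Decode into a TKN_BUF_SIZE buffer and return byte `idx`, or -1 on rejection. */
int decoded_byte(const char *hex, size_t idx) {
    unsigned char buf[TKN_BUF_SIZE];
    int n = hex_to_bytes_bounded(hex, buf, sizeof(buf));
    if (n < 0 || idx >= (size_t)n) return -1;
    return buf[idx];
}

/* A constructed input of 2*TKN_BUF_SIZE+2 hex chars (1025 bytes) would overrun a
 * 0x400-byte buffer in the unchecked loop; here it is rejected. Returns -1. */
int demo_reject_overlong(void) {
    unsigned char buf[TKN_BUF_SIZE];
    char big[2 * TKN_BUF_SIZE + 3];
    memset(big, 'A', sizeof(big) - 1);  /* 'A' is valid hex, so only length triggers rejection */
    big[sizeof(big) - 1] = '\0';
    return hex_to_bytes_bounded(big, buf, sizeof(buf));
}
```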
Attack vector: To reach the vulnerable code, the attacker would need to:
- Send a POST request to https://[target]:2381/Proxy/SSO
- Specify a correct pair of HA and XE parameters in the POST request. HA is the hash algorithm used to compute the fingerprint of a certificate that will be used for SSO (Single-Sign-On) authentication. XE is the fingerprint of the certificate. Together, HA and XE identify a certificate installed on SMH for a Trusted Management Server. A valid HA and XE pair can be obtained by sending a GET request to https://[target]:2381/Proxy/GetInstalledSsoCerts without authentication.
- Specify an overly long TKN parameter in the POST request to overflow the 0x400-byte stack buffer.
- Specify a KEY parameter that is the Unix time of the current time (this may not be required; not tested).
Sample PoC:
[jerboa@scallywag]$ curl -k -i https://192.168.37.19:2381/Proxy/GetInstalledSsoCerts
HTTP/1.1 200 OK
Date: Fri, 08 Apr 2016 18:25:13 GMT
Server: CompaqHTTPServer/9.9 HP System Management Homepage
[..]
Oh come on, surely you didn't expect us to give up the goods! Join one of our technical teams and you get exploits, benefits, and a salary!