{"vuid":"VU#735364","idnumber":"735364","name":"HP System Management Homepage contains a command injection vulnerability","keywords":["hp","system","management","homepage","command","injection","cwe-77"],"overview":"HP System Management Homepage contains a command injection vulnerability (CWE-77) that may result in arbitrary command execution and privilege escalation.","clean_desc":"Markus Wulftange from Daimler TSS reports: The vulnerability is located in the `ginkgosnmp.inc` PHP file in the `C:\\hp\\hpsmh\\data\\smhutil` or `/opt/hp/hpsmh/data/smhutil` directory, respectively. Inside the `ginkgosnmp.inc` script, the last path segment of the current requested URL path is used in an `exec` call without proper escaping:\n\n$tempfilename = \"$sessiondir/\" . substr($_SERVER[\"SCRIPT_URL\"], 1 + strrpos($_SERVER[\"SCRIPT_URL\"], '/')) . uniqid(\".\", true) . time() . \".txt\";\nif (\"Linux\" == PHP_OS) {\n    $cmd = \"../../webapp-data/webagent/csginkgo -f$tempfilename\";\n} else {\n    $windrive = substr($_SERVER[\"WINDIR\"], 0, 2);\n    $cmd = \"$windrive\\\\hp\\\\hpsmh\\\\data\\\\smhutil\\\\csginkgo.exe -f$tempfilename\";\n}\nexec($cmd, $out);\n\nThis script is reachable via the URL path `https://<host>:2381/smhutil/snmpchp.php.en`. Due to Apache’s *MultiViews* [2] it can also be referenced with any additional path segments after the `snmpchp.php.en` segment: `https://<host>:2381/smhutil/snmpchp.php.en/foo/bar` still triggers `https://<host>:2381/smhutil/snmpchp.php.en`, but `$_SERVER[\"SCRIPT_URL\"]` is `https://<host>:2381/smhutil/snmpchp.php.en/foo/bar`. This can be exploited as follows:\n\nhttps://<host>:2381/smhutil/snmpchp.php.en/&&<cmd>&&echo (full file name)\nhttps://<host>:2381/smhutil/snmpchp.php/&&<cmd>&&echo (without \"en\" language indicator)\nhttps://<host>:2381/smhutil/snmpchp/&&<cmd>&&echo (without any file name extension)\n\nBesides the path segment separator `/`, the characters `<`, `>`, and `|` are also not allowed, which makes exploiting this vulnerability a little hard.\n\nhttps://<host>:2381/smhutil/snmpchp/&&whoami&&echo","impact":"A remote authenticated user may be able to run arbitrary commands on the HP System Management Homepage server.","resolution":"Apply an update. HP System Management Homepage (SMH) version 7.2.2 and later address this vulnerability. If you cannot upgrade for whatever reason, please consider the following workarounds.","workarounds":"Restrict network access. As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.","sysaffected":"","thanks":"Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03895050","http://www.hp.com/go/SMH","http://cwe.mitre.org/data/definitions/77.html"],"cveids":["CVE-2013-3576"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-04-02T17:11:48Z","publicdate":"2013-06-10T00:00:00Z","datefirstpublished":"2013-06-11T11:33:25Z","dateupdated":"2013-09-24T14:18:46Z","revision":19,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9","cvss_basevector":"AV:N/AC:L/Au:S/C:C/I:C/A:C","cvss_temporalscore":"8.5","cvss_environmentalscore":"6.4","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}
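The injection pattern quoted in the report above, reconstructed as an added example next to a hardened replacement. This is illustrative code written for this note, not HP's `ginkgosnmp.inc`; the `$sessiondir` value, the `csginkgo` path, the constructed payload string and the `safe_segment()` helper are assumptions for the demonstration. The point it makes is that PHP's `exec()` hands its string to the system shell, so any shell metacharacter surviving in the last URL path segment becomes a command separator.

```php
<?php
// Added example (not HP's code). Reconstructs the unsafe pattern from the report
// and shows a hardened replacement. $sessiondir, the csginkgo path and the payload
// are assumed/constructed values for illustration.

// Vulnerable: the last URL path segment flows unchanged into a shell command line.
function build_cmd_vulnerable(string $scriptUrl, string $sessiondir): string
{
    $segment = substr($scriptUrl, 1 + strrpos($scriptUrl, '/'));
    $tempfilename = "$sessiondir/" . $segment . uniqid(".", true) . time() . ".txt";
    // exec() runs this through /bin/sh -c, so "&&", ";", "`" and "$()" inside
    // $segment are parsed as shell syntax, not as part of the -f argument.
    return "../../webapp-data/webagent/csginkgo -f$tempfilename";
}

// Hardened: never derive the filename from the request path. Generate it
// server-side and pass the single argument through escapeshellarg(), so the
// shell receives exactly one word regardless of its contents.
function build_cmd_hardened(string $sessiondir): string
{
    $tempfilename = $sessiondir . '/snmpchp' . uniqid('.', true) . time() . '.txt';
    return '../../webapp-data/webagent/csginkgo ' . escapeshellarg('-f' . $tempfilename);
}

// If a client-supplied segment really must be kept, allowlist it and fail closed.
// (Hypothetical helper; a strict character class, not a blocklist of "/", "<", ">", "|".)
function safe_segment(string $scriptUrl): string
{
    $segment = basename($scriptUrl);
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $segment)) {
        throw new InvalidArgumentException('rejected path segment: ' . $segment);
    }
    return $segment;
}

// Constructed payload with the shape used in the report: .../snmpchp/&&whoami&&echo
$payload    = '/smhutil/snmpchp/&&whoami&&echo';
$sessiondir = '/opt/hp/hpsmh/data/sessions/example';   // assumed location

// The shell splits the vulnerable string at "&&": csginkgo runs first, then
// whoami, and the trailing "echo<uniqid><time>.txt" absorbs the generated suffix.
echo "vulnerable: ", build_cmd_vulnerable($payload, $sessiondir), PHP_EOL;

// The hardened string contains no attacker-controlled bytes at all.
echo "hardened:   ", build_cmd_hardened($sessiondir), PHP_EOL;

// The allowlist rejects the payload instead of letting it reach exec().
try {
    safe_segment($payload);
} catch (InvalidArgumentException $e) {
    echo "allowlist:  ", $e->getMessage(), PHP_EOL;
}
```

Run it with `php` from the command line and compare the first two printed strings: the vulnerable one carries `&&whoami&&` verbatim into the shell, while the hardened one is a single quoted argument. Disabling *MultiViews* in Apache would only remove the extra path segments the report relies on; the defect itself is the unescaped concatenation into `exec()`, which the hardened builder removes.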