#######################################################################

                             Luigi Auriemma

Application:  HP SiteScope
              http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-937086
Versions:     <= 11.10
Platforms:    Windows and others
Bug:          full administrator privileges
Exploitation: remote, versus server
Date:         26 Aug 2011 (found 06 Jul 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"HP SiteScope software monitors IT infrastructure and applications
remotely without installing any software on target servers. Collect
server and application availability and performance data very quickly,
across physical and virtual servers. Easy installation and
configuration deliver rapid time to value."

#######################################################################

======
2) Bug
======

SiteScope divides its users into administrators, normal users and
viewers-only, but in practice any user can perform the same actions as
the administrator without limitations: the restriction exists only in
the client, so it's enough to communicate directly with the servlet or
to modify the applet to remove the grayed-out parts.

By default SiteScope has the administrator account accessible without
password and has a viewer-only user account called integrationViewer.
This special user account has a password that is always
"vKm46*sdH$8109#JLSudh:)" (at least here, I reinstalled SiteScope two
times to be sure and didn't perform other checks) and can be used to
exploit the vulnerability without problems.
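The flaw above is a classic missing server-side authorization check: the applet hides admin functions from viewers, but the servlet carries out whatever action a logged-in session asks for. The following Python sketch is an added illustration, not SiteScope code or the author's PoC; the action names, the Session/UserStore types, the audit-line format and the "<viewer-password>" placeholder are all assumptions. It shows the vulnerable dispatch pattern next to one that decides from the session's role, records denials for detection, and flags default accounts that still have an empty password.

```python
"""Server-side authorization check of the kind whose absence the advisory
describes.  Added illustration, not SiteScope code; action names, the
Session/UserStore types and the audit format are all assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Ordered so that a higher value may do everything a lower one may."""
    VIEWER = 1
    USER = 2
    ADMIN = 3


@dataclass
class Session:
    """What the servlet knows about a caller from its JSESSIONID cookie."""
    session_id: str
    username: str
    role: Role


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # username -> (password, role)
    audit: list = field(default_factory=list)   # one line per denied/allowed action


class Forbidden(Exception):
    pass


# Least role required for each servlet action.  Assumed names, not SiteScope's.
REQUIRED_ROLE = {
    "view_monitors": Role.VIEWER,
    "edit_monitor": Role.USER,
    "create_user": Role.ADMIN,
    "delete_user": Role.ADMIN,
}


def _perform(store, action, params):
    """The action bodies themselves; both handlers below share them."""
    if action == "create_user":
        store.users[params["name"]] = (params["password"], Role(params["role"]))
        return "created"
    if action == "delete_user":
        store.users.pop(params["name"], None)
        return "deleted"
    if action in ("view_monitors", "edit_monitor"):
        return "ok"
    raise KeyError(action)


def handle_vulnerable(store, session, action, params):
    """Pattern the advisory describes: the applet greys out admin buttons for
    viewers, but the servlet performs whatever action the request names."""
    return _perform(store, action, params)


def handle_fixed(store, session, action, params):
    """Authorization decided by the server from the session's role, with an
    audit line for every decision so denied attempts are visible in logs."""
    required = REQUIRED_ROLE.get(action)
    if required is None or session.role < required:
        store.audit.append(f"DENY user={session.username} role={session.role.name} action={action}")
        raise Forbidden(f"{session.username} ({session.role.name}) may not {action}")
    store.audit.append(f"ALLOW user={session.username} role={session.role.name} action={action}")
    return _perform(store, action, params)


def accounts_without_password(store):
    """Default-install check: accounts that authenticate with an empty password."""
    return sorted(name for name, (pw, _) in store.users.items() if pw == "")


def demo():
    """Replays the advisory's scenario (constructed data) against both handlers."""
    store = UserStore({"administrator": ("", Role.ADMIN),
                       "integrationViewer": ("<viewer-password>", Role.VIEWER)})
    viewer = Session("JSESSIONID-of-viewer", "integrationViewer", Role.VIEWER)
    req = {"name": "cane", "password": "cane", "role": int(Role.ADMIN)}

    handle_vulnerable(store, viewer, "create_user", req)   # viewer gets admin power
    created_by_viewer = "cane" in store.users

    store2 = UserStore({"administrator": ("", Role.ADMIN)})
    try:
        handle_fixed(store2, viewer, "create_user", req)
        denied = False
    except Forbidden:
        denied = True
    return (created_by_viewer, denied, "cane" in store2.users,
            store2.audit, accounts_without_password(store))


if __name__ == "__main__":
    print(demo())
```

The point of the `audit` list is that the denial, not just the success, is logged: a viewer session repeatedly hitting admin actions is exactly the signal a defender wants to alert on, and `accounts_without_password` is the kind of start-up check that would catch the passwordless default administrator the advisory mentions.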
#######################################################################

===========
3) The Code
===========

- http://aluigi.org/poc/sitescope_2.dat
- login in the server with a NON-administrator account and get the
  JSESSIONID value of the cookie
- put the value in the JSESSIONID field of sitescope_2.dat
- nc SERVER 8080 < sitescope_2.dat
- it will create the user cane with password cane

#######################################################################

======
4) Fix
======

No fix.

#######################################################################