#######################################################################

                             Luigi Auriemma

Application:  HP SiteScope
              http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-937086
Versions:     <= 11.10
Platforms:    Windows and others
Bug:          directory traversal
Exploitation: remote, versus server
Date:         26 Aug 2011 (found 06 Jul 2011)

Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"HP SiteScope software monitors IT infrastructure and applications
remotely without installing any software on target servers. Collect
server and application availability and performance data very quickly,
across physical and virtual servers. Easy installation and
configuration deliver rapid time to value."

#######################################################################

======
2) Bug
======

Directory traversal exploitable through "Tools -> Common Utility Tools ->
Log Analysis Tool".

By default SiteScope has the administrator account accessible without
password by anyone, and it also has a viewer-only user account called
integrationViewer. This special user account has a password that is
always "vKm46*sdH$8109#JLSudh:)" (at least here: I reinstalled SiteScope
two times to be sure and didn't perform other checks) and has the Tools
section grayed out, but that doesn't matter because the account can
still be used to exploit the vulnerability without problems.
#######################################################################

===========
3) The Code
===========

- http://aluigi.org/poc/sitescope_1.dat
- login on the server (no login needed by default) and get the
  JSESSIONID value of the cookie
- put the value in the JSESSIONID field of sitescope_1.dat
- nc SERVER 8080 < sitescope_1.dat
- it will get c:\boot.ini

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
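Since the advisory reports no fix, here is the containment check a log-viewing handler like the Log Analysis Tool needs in order to stop this class of traversal: an added defensive example written for this page, not code from the advisory or from HP. The log root directory, the function names and the sample inputs are all assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Requested file would resolve outside the permitted log directory."""


def decode_fully(value, max_rounds=3):
    # Collapse repeated percent-encoding (%252e%252e -> %2e%2e -> ..) so the
    # containment check sees what the filesystem would see.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_log_path(log_root, requested):
    """Return the real path of `requested` inside `log_root`, or raise.

    `log_root` is the only directory the log viewer may read from
    (assumed value, e.g. the SiteScope logs directory). `requested` is the
    untrusted file name taken from the HTTP request.
    """
    root = os.path.realpath(log_root)
    # Treat backslashes as separators: the vulnerable product runs on Windows
    # and an attacker chooses which separator to send.
    name = decode_fully(requested).replace("\\", "/")
    if not name or "\x00" in name:
        raise PathTraversalError("empty name or embedded NUL")
    # Reject absolute paths, UNC paths and Windows drive letters (c:\boot.ini).
    if os.path.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise PathTraversalError("absolute path not allowed: %r" % requested)
    candidate = os.path.realpath(os.path.join(root, name))
    # realpath() has already resolved any ../ segments and symlinks; the file
    # is acceptable only if it still lies at or below the log root.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError("path escapes log root: %r" % requested)
    return candidate


def is_allowed(log_root, requested):
    """Boolean wrapper for the check above (convenient for logging/auditing)."""
    try:
        safe_log_path(log_root, requested)
        return True
    except ValueError:
        return False
```

The check must be applied to the decoded name before any file is opened; rejected requests are also worth logging, since a `..` or drive letter in a log-viewer parameter is a reliable detection signal for this advisory's attack.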