#######################################################################

                             Luigi Auriemma

Application:  HP Performance Manager
              http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-937022
Versions:     <= 9.0
Platforms:    Windows, Solaris, HP-UX
Bug:          upload directory traversal
Exploitation: remote, versus server
Date:         probably found 30 Jun 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

On port 8081 runs Apache Tomcat, and anyone can access it because no
password is set.

The "Design Wizard" operation allows creating and editing the available
graphs and saving them to disk, using the "Family" tag as the file name
plus the "txt" extension.

The problem is that there are no checks against directory traversal in
the "Family" tag, and the forced "txt" extension can be bypassed by
placing a NULL byte at the end of this tag, so an arbitrary file with an
arbitrary extension can be written anywhere the server process can
write.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/hpperman_1.dat

- connect the browser to http://SERVER:8081/OVPM
- get the JSESSIONID value from the cookie of the browser and copy it
  into the hpperman_1.dat proof-of-concept (replace "!!!YOUR_ID_HERE!!!")
- nc SERVER 8081 < hpperman_1.dat
- test.bat will be created in the usual Startup folder of Administrator

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-12-100/

#######################################################################
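Added example for the bug described in section 2; this is editor-supplied code, not part of the advisory or of the hpperman_1.dat proof-of-concept. It models the flawed "Family tag + .txt" file-name logic next to the check that would have closed both holes. The graph directory, the Startup-folder path and the payload shape are constructed assumptions (the advisory gives none of them), and POSIX separators are used throughout; the same reasoning applies to the Windows build with backslashes.

```python
"""Model of the OVPM "Design Wizard" file-name handling described in the advisory.

naive_save_path()  mirrors the flawed logic (Family tag + ".txt", no checks).
effective_path()   models what the OS actually opens when the runtime hands a
                   NUL-containing string to the C-level open() call.
safe_save_path()   is the hardened version that rejects both tricks.
"""
import posixpath

# Constructed values (assumptions, not taken from the advisory): a plausible
# template directory and the Administrator Startup folder on a POSIX-style path.
GRAPH_DIR = "/opt/OV/www/htdocs/OVPM/graphs"
STARTUP_DIR = "/Documents and Settings/Administrator/Start Menu/Programs/Startup"


def naive_save_path(base_dir: str, family: str) -> str:
    """Flawed logic: use the Family tag verbatim as the file name, append '.txt'."""
    return posixpath.join(base_dir, family + ".txt")


def effective_path(path: str) -> str:
    """What a C string API sees: nothing after the first NUL, '..' resolved."""
    truncated = path.split("\x00", 1)[0]
    return posixpath.normpath(truncated)


def safe_save_path(base_dir: str, family: str) -> str:
    """Hardened version of naive_save_path().

    Rejects NUL bytes and path separators outright, then confirms that the
    normalized result still lies under base_dir and keeps the .txt extension,
    so neither the traversal nor the extension bypass can succeed.
    """
    if "\x00" in family:
        raise ValueError("NUL byte in Family tag")
    if "/" in family or "\\" in family:
        raise ValueError("path separator in Family tag")
    if family.strip() in ("", ".", ".."):
        raise ValueError("empty or dot-only Family tag")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, family + ".txt"))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("Family tag escapes the graph directory")
    if not candidate.endswith(".txt"):
        raise ValueError("extension check failed")
    return candidate


def traversal_payload(depth: int = 6) -> str:
    """Family tag shaped like the advisory's attack: climb `depth` levels out of
    GRAPH_DIR, land in STARTUP_DIR as test.bat, and end with a NUL byte so the
    appended '.txt' is dropped by the C-level open()."""
    return "../" * depth + STARTUP_DIR.lstrip("/") + "/test.bat\x00"


def demo() -> dict:
    """Run the payload through both code paths and report what happens."""
    payload = traversal_payload()
    naive = naive_save_path(GRAPH_DIR, payload)
    try:
        safe_save_path(GRAPH_DIR, payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "naive_string": naive,                          # still ends in ".txt"
        "file_actually_written": effective_path(naive), # test.bat in Startup
        "hardened_blocks_payload": blocked,
        "hardened_normal_name": safe_save_path(GRAPH_DIR, "CPU Utilization"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two defects are independent: rejecting separators (or verifying the normalized path stays under the base directory) stops the traversal, and rejecting NUL bytes stops the extension bypass. Checking only `candidate.endswith(".txt")` on the Python string would pass the payload, which is exactly why the NUL check has to come first.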