#######################################################################

                             Luigi Auriemma

Application:  HP LoadRunner
              https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-126-17^8_4000_100__
Versions:     <= 9.10
Platforms:    Windows (tested), Unix, Linux
Bug:          upload directory traversal in Web Tours
Exploitation: remote
Date:         12 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"HP LoadRunner can help you prevent costly performance problems in
production by detecting bottlenecks before a new system or upgrade is
deployed. This software enables you to measure end-to-end performance,
diagnose application and system bottlenecks and tune for better
performance all from a single point of control."


#######################################################################

======
2) Bug
======


Web Tours (aka "Mercury Tours") is a sample website running on port
1080 which must be manually started in LoadRunner for performing
additional load tests on web applications.

I don't think the following bug can be classified as a common security
vulnerability because this is not a production service running 24h
(but this is just the purpose of LoadRunner since it's a testing
platform); anyway I think it's good to be aware of it.

This sample site contains a perl script called login.pl which is used
to perform the creation and login of example users, so when register.x
is defined in the HTTP request login.pl creates a new user's file
containing the password and some other information.

This user's file is created in the users folder of the sample website
using just the name of the user provided by the client as filename, so
passing a username like ../../../../file will allow the creation of
the file outside the valid target directory.
If the file already exists it cannot be overwritten.

Due to the format of the file and the usage of HTTP POST it is also
possible to create files with custom binary content, but on Windows
there is a problem with line-feeds (the byte 0x0a) which on this OS
are automatically converted to 0x0d 0x0a, which breaks common
executables.
Naturally there is no problem uploading batch and script files, so for
example a client can upload a .bat file in the StartUp folder of the
Windows user which will be executed at the next reboot or login,
forcing the downloading of malicious files (for example via ftp) from
a specific server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/willycoyote.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################
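Added example (not part of the advisory and not HP's own login.pl code): a small Python model of the user-file creation described in section 2, showing the flawed pattern (the client-supplied username used verbatim as the filename) beside a hardened variant that whitelists the name, confirms the resolved path stays inside the users folder, and creates the file with O_EXCL so an existing record is never overwritten. The function names, the whitelist policy and the sample usernames are assumptions made for illustration.

```python
import os
import re
import tempfile

# Constructed sample of the username field a registration handler reads
# from the POST body; the second entry is the traversal pattern the
# advisory describes.
SAMPLE_USERNAMES = ["alice", "../../../../evil"]

# Whitelist for usernames (assumed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Whitelist check: only safe characters, and never '.' or '..'."""
    return USERNAME_RE.fullmatch(username) is not None and username not in (".", "..")


def unsafe_user_path(users_dir: str, username: str) -> str:
    """Mirrors the flawed behaviour: the client-supplied name becomes the
    filename verbatim, so '../' sequences walk out of users_dir."""
    return os.path.join(users_dir, username)


def escapes_users_dir(users_dir: str, path: str) -> bool:
    """True when `path` resolves to a location outside `users_dir`."""
    base = os.path.realpath(users_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_user_path(users_dir: str, username: str) -> str:
    """Hardened version: whitelist the name, then confirm the resolved
    path is still inside users_dir. Raises ValueError otherwise."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    candidate = os.path.join(os.path.realpath(users_dir), username)
    if escapes_users_dir(users_dir, candidate):
        raise ValueError("path escapes users directory")
    return candidate


def create_user_file(users_dir: str, username: str, record: bytes) -> bool:
    """Creates the user's file with O_EXCL so an existing file is never
    overwritten. Returns False if the file already existed."""
    path = safe_user_path(users_dir, username)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    return True


def demo() -> dict:
    """Runs both variants over the constructed usernames inside a throwaway
    users folder and reports what each would have done."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        users_dir = os.path.join(tmp, "users")
        os.makedirs(users_dir)
        for name in SAMPLE_USERNAMES:
            unsafe = unsafe_user_path(users_dir, name)
            entry = {"unsafe_escapes": escapes_users_dir(users_dir, unsafe)}
            try:
                entry["first_create"] = create_user_file(users_dir, name, b"password=secret\n")
                entry["hardened_accepted"] = True
                # A second registration with the same name must not overwrite.
                entry["second_create"] = create_user_file(users_dir, name, b"x")
            except ValueError:
                entry["hardened_accepted"] = False
            results[name] = entry
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name!r}: {r}")
```

The realpath-plus-commonpath check is the part that actually closes the hole: the regex alone would still accept a name like `..`, and a containment check alone would miss names that are valid paths but undesirable as filenames, so the two are layered.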