CVE-2011-0276 - Remote Arbitrary Code Execution vulnerability in HP OpenView Performance Insight Server 'doPost()'

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.servlet.HelpManagerServlet class.

Exploit-Db

Description: HP OpenView Performance Insight Server Backdoor Account Code Execution. CVE-2011-0276. Remote exploit for Windows platform
File: exploits/windows/remote/16984.rb
ID: EDB-ID:16984
Last seen: 2016-02-02
Modified: 2011-03-15
Platform: windows
Port:
Published: 2011-03-15
Reporter: metasploit
Source: https://www.exploit-db.com/download/16984/
Title: HP OpenView Performance Insight Server Backdoor Account Code Execution
Type: remote

Metasploit

Description: This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system, allowing the execution of arbitrary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0
ID: MSF:EXPLOIT/WINDOWS/HTTP/HP_OPENVIEW_INSIGHT_BACKDOOR
Last seen: 2020-01-15
Modified: 2018-08-20
Published: 2011-03-15
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0276
Reporter: Rapid7
Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_openview_insight_backdoor.rb
Title: HP OpenView Performance Insight Server Backdoor Account Code Execution

Nessus

NASL family: CGI abuses
NASL id: HP_OPENVIEW_PERF_INSIGHT_BACKDOOR.NASL
Description: Nessus was able to log into the remote HP OpenView Performance Insight system using a hidden account. The 'hch908v' user, hard-coded in the 'com.trinagy.security.XMLUserManager' class, is hidden and has administrative privileges.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 51850
Published: 2011-02-02
Reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/51850
Title: HP OpenView Performance Insight Server Backdoor Account
Code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(51850);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:17");

  script_cve_id("CVE-2011-0276");
  script_bugtraq_id(46079);
  script_xref(name:"EDB-ID", value:"16984");
  script_xref(name:"Secunia", value:"43145");

  script_name(english:"HP OpenView Performance Insight Server Backdoor Account");
  script_summary(english:"Tries to login to the hidden hch908v account");

  script_set_attribute(
    attribute:"synopsis",
    value:
"It is possible to log on the remote web application by using a hidden
account."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Nessus was able to log into the remote HP OpenView Performance Insight
system using a hidden account. The 'hch908v' user, hard-coded in the
'com.trinagy.security.XMLUserManager' class, is hidden and has
administrative privileges.

A remote attacker could exploit this by logging in as the hidden user
and gain administrative access to the Performance Insight
installation.

After gaining administrative access to the web application, escalation
of privileges may be possible. Nessus has not checked for that issue."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-034/");
  # http://web.archive.org/web/20130318065946/http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?84978b0a"
  );
  script_set_attribute(attribute:"solution", value:"Apply the hotfix referenced in the HP advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP OpenView Performance Insight Server Backdoor Account Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:openview_performance_insight");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("hp_openview_perf_insight_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/hp_ovpi");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


port = get_http_port(default:80);
install = get_install_from_kb(appname:'hp_ovpi', port:port, exit_on_fail:TRUE);

user = 'hch908v';
pass = 'z6t0j$+i';
url = install['dir'] + '/reports/home?context=home&type=header';
res = http_send_recv3(
  method:'GET',
  item:url,
  port:port,
  username:user,
  password:pass,
  exit_on_fail:TRUE
);

if ('Log off ' + user + '</a>' >< res[2])
{
  if (report_verbosity > 0)
  {
    header = 'Nessus accessed the following URL as the hidden user';
    trailer =
      '  Username : ' + user + '\n' +
      '  Password : ' + pass;
    report = get_vuln_report(items:url, port:port, header:header, trailer:trailer);
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else
{
  base_url = build_url(qs:install['dir'], port:port);
  exit(0, 'The HP OVPI install at ' + base_url + ' is not affected.');
}
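The check the Nessus plugin performs (authenticate to /reports/home?context=home&type=header with the hidden credentials and look for the "Log off hch908v</a>" link) reduces to a few lines of Python. The block below is an added example, not Tenable's plugin or Rapid7's module. Like the plugin, it assumes the OVPI web front end accepts the credentials via HTTP Basic authentication and that a successful login renders that log-off link; the FakeOVPI handler is a constructed stand-in for a vulnerable install so the check can be exercised offline, with a switch to simulate a hotfixed server.

```python
"""Re-implementation of the Nessus check for CVE-2011-0276 (added example).

Not Tenable's or Rapid7's code. Assumptions (same as the NASL plugin): the
hidden account is accepted over HTTP Basic auth, and the header page greets
the logged-in user with 'Log off <user></a>'. FakeOVPI is a constructed
stand-in for the product so the check runs offline; point check_backdoor()
at a real base URL to use it against an actual install.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Credentials and path taken verbatim from the NASL plugin above.
HIDDEN_USER = "hch908v"
HIDDEN_PASS = "z6t0j$+i"
CHECK_PATH = "/reports/home?context=home&type=header"


def basic_auth_header(user, password):
    """RFC 7617 Basic credentials: base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def logged_in_as(body, user):
    """The marker the plugin keys on: the page names the logged-in user."""
    return f"Log off {user}</a>" in body


def check_backdoor(base_url, user=HIDDEN_USER, password=HIDDEN_PASS, timeout=5):
    """True if base_url accepts the hidden account, False if the login is rejected."""
    req = Request(base_url.rstrip("/") + CHECK_PATH,
                  headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError:  # 401/403: credentials rejected (e.g. hotfixed install)
        return False
    return logged_in_as(body, user)


class FakeOVPI(BaseHTTPRequestHandler):
    """Constructed stand-in, not the real product: grants only the hidden account.
    Set backdoor_enabled = False to simulate an install with the hotfix applied."""
    backdoor_enabled = True

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        ok = (self.path == CHECK_PATH
              and self.backdoor_enabled
              and auth == basic_auth_header(HIDDEN_USER, HIDDEN_PASS))
        if ok:
            page = f'<html><body><a href="/reports/logoff">Log off {HIDDEN_USER}</a></body></html>'
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(page.encode())
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="OVPI"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeOVPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def demo():
    """Returns (vulnerable_install, wrong_password, patched_install)."""
    srv, url = start_fake_server()
    try:
        FakeOVPI.backdoor_enabled = True
        vulnerable = check_backdoor(url)
        wrong_pw = check_backdoor(url, password="not-the-backdoor")
        FakeOVPI.backdoor_enabled = False
        patched = check_backdoor(url)
    finally:
        srv.shutdown()
        srv.server_close()
    return vulnerable, wrong_pw, patched


if __name__ == "__main__":
    print("vulnerable / wrong password / patched:", demo())  # (True, False, False)
```

As with the plugin (which is categorised ACT_ATTACK), check_backdoor() really does authenticate with the backdoor credentials, so run it only against hosts you are authorised to test; a 401 from a real install is the expected result after the HP hotfix.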

Packetstorm

Data source: https://packetstormsecurity.com/files/download/99381/hp_openview_insight_backdoor.rb.txt
ID: PACKETSTORM:99381
Last seen: 2016-12-05
Published: 2011-03-16
Reporter: MC
Source: https://packetstormsecurity.com/files/99381/HP-OpenView-Performance-Insight-Server-Backdoor-Account-Code-Execution.html
Title: HP OpenView Performance Insight Server Backdoor Account Code Execution

Saint

BID: 46079
Description: HP OpenView Performance Insight Server Backdoor Account
ID: web_prog_cgi_opvipwd
OSVDB: 70754
Title: hp_ovpi_server_backdoor
Type: remote
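Every source above describes the same pattern: an attacker logs in as the hard-coded 'hch908v' user and then drives HelpManagerServlet's doPost to write files. Nothing legitimate should ever authenticate as that account, which makes a retrospective hunt through web access logs straightforward. The block below is an added example and is not from any of the sources on this page. It assumes the OVPI web tier, or a reverse proxy in front of it, writes Apache/Tomcat common- or combined-format access logs in which the third field (%u) is the authenticated user; the log lines are constructed for the example, and the request paths in them are placeholders, since the page does not give the servlet's URL mapping.

```python
"""Retrospective hunt for CVE-2011-0276 abuse in web access logs (added example).

Not code from Tenable, Rapid7, SAINT or HP. Assumes common/combined-format
access logs where field 3 (%u) is the authenticated user. SAMPLE_LOG is
constructed; its request paths are placeholders (the servlet's real URL
mapping is not given on this page), so the rules key on user and method only.
"""
import re
from collections import Counter

HIDDEN_USER = "hch908v"  # the hard-coded account named in the Nessus plugin

# host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2011:10:00:01 +0000] "GET /reports/home?context=home HTTP/1.1" 401 0
10.0.0.5 - hch908v [01/Feb/2011:10:00:02 +0000] "GET /reports/home?context=home&type=header HTTP/1.1" 200 5123
10.0.0.5 - hch908v [01/Feb/2011:10:00:09 +0000] "POST /reports/help HTTP/1.1" 200 12
10.0.0.7 - jsmith [01/Feb/2011:10:05:44 +0000] "GET /reports/home?context=home HTTP/1.1" 200 5123
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in that format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, hidden_user=HIDDEN_USER):
    """Return every request that authenticated as the hidden account.

    Any hit means the backdoor was used. A successful (2xx) POST is rated
    'high': the CVE description places the code execution in a doPost, so
    that is the shape a successful exploitation attempt leaves behind.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != hidden_user:
            continue
        success = rec["status"].startswith("2")
        rec["severity"] = "high" if (rec["method"] == "POST" and success) else "medium"
        hits.append(rec)
    return hits


def sources(hits):
    """Client addresses that used the hidden account, with request counts."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} {h["status"]} -> {h["severity"]}')
    print("sources:", dict(sources(found)))
```

A hit for the hidden user in logs that predate the hotfix should be treated as an incident, not a finding: the Metasploit module writes arbitrary files once logged in, so the host needs a file-system review as well as the patch.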