Vulnerabilities > CVE-2011-1541 - Remote Unauthorized Access vulnerability in HP System Management Homepage (CVE-2011-1541)

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
hp
critical
nessus

Summary

Unspecified vulnerability in HP System Management Homepage (SMH) before 6.3 allows remote attackers to bypass intended access restrictions, and consequently execute arbitrary code, via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Hp
81

Nessus

NASL familyWeb Servers
NASL idHPSMH_6_3_0_22.NASL
descriptionAccording to the web server
last seen2020-06-01
modified2020-06-02
plugin id53532
published2011-04-22
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/53532
titleHP System Management Homepage < 6.3 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(53532);
  script_version("1.12");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  script_cve_id(
    "CVE-2010-1917",
    "CVE-2010-2531",
    "CVE-2010-2939",
    "CVE-2010-2950",
    "CVE-2010-3709",
    "CVE-2010-4008",
    "CVE-2010-4156",
    "CVE-2011-1540",
    "CVE-2011-1541"
  );
  script_bugtraq_id(41991, 44718, 44727, 44779, 47507, 47512);

  script_name(english:"HP System Management Homepage < 6.3 Multiple Vulnerabilities");
  script_summary(english:"Does a banner check");

  script_set_attribute(attribute:"synopsis", value:"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(
    attribute:"description",
    value:
"According to the web server's banner, the version of HP System
Management Homepage (SMH) hosted on the remote host is earlier than
6.3.  Such versions are reportedly affected by the following
vulnerabilities :

  - An error exists in the function 'fnmatch' in the
    bundled version of PHP that can lead to stack
    exhaustion. (CVE-2010-1917)

  - An information disclosure vulnerability exists in the
    'var_export' function in the bundled version of PHP
    that can be triggered when handling certain error
    conditions. (CVE-2010-2531)

  - A double free vulnerability in the
    'ssl3_get_key_exchange()' function in the third-party
    OpenSSL library could be abused to crash the
    application. (CVE-2010-2939)

  - A format string vulnerability in the phar extension
    in the bundled version of PHP could lead to the
    disclosure of memory contents and possibly allow
    execution of arbitrary code via a specially crafted
    'phar://' URI. (CVE-2010-2950)

  - A NULL pointer dereference in
    'ZipArchive::getArchiveComment' included with the
    bundled version of PHP can be abused to crash the
    application. (CVE-2010-3709)

  - The bundled version of libxml2 may read from invalid
    memory locations when processing malformed XPath
    expressions, resulting in an application crash.
    (CVE-2010-4008)

  - An error in the 'mb_strcut()' function in the bundled
    version of PHP can be exploited by passing a large
    'length' parameter to disclose potentially sensitive
    information from the heap. (CVE-2010-4156)

  - An as-yet unspecified remote code execution
    vulnerability could allow an authenticated user to
    execute arbitrary code with system privileges.
    (CVE-2011-1540)

  - An as-yet unspecified, unauthorized access vulnerability
    could lead to a complete system compromise.
    (CVE-2011-1541)"
  );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/517597/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Upgrade to HP System Management Homepage 6.3 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/05/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/22");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("compaq_wbem_detect.nasl");
  script_require_keys("www/hp_smh");
  script_require_ports("Services/www", 2301, 2381);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


port = get_http_port(default:2381, embedded:TRUE);


install = get_install_from_kb(appname:'hp_smh', port:port, exit_on_fail:TRUE);
dir = install['dir'];
version = install['ver'];
prod = get_kb_item_or_exit("www/"+port+"/hp_smh/variant");
if (version == UNKNOWN_VER)
  exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' is unknown.');

# nb: 'version' can have non-numeric characters in it so we'll create
#     an alternate form and make sure that's safe for use in 'ver_compare()'.
version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version);
if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt))
  exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' does not look valid ('+version+').');

fixed_version = '6.3.0.22';
if (ver_compare(ver:version_alt, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    source_line = get_kb_item("www/"+port+"/hp_smh/source");

    report = '\n  Product           : ' + prod;
    if (!isnull(source_line))
      report += '\n  Version source    : ' + source_line;
    report +=
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);

  exit(0);
}
else exit(0, prod+" "+version+" is listening on port "+port+" and is not affected.");