CVE-2011-4789 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in HP Diagnostics
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
These are CVSS v2 metrics (the COMPLETE impact values only exist in v2); the Nessus plugins further down give the base vector as CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C, i.e. remote, low complexity, no authentication, full compromise.
Summary
Stack-based buffer overflow in magentservice.exe in the server in HP LoadRunner 11.00 before patch 4 allows remote attackers to execute arbitrary code via a crafted size value in a packet. NOTE: it was originally reported that the affected product is HP Diagnostics Server, but HP states that "the vulnerable product is actually HP LoadRunner."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description | HP Diagnostics Server magentservice.exe overflow. CVE-2011-4789. Remote exploit for windows platform |
id | EDB-ID:18423 |
last seen | 2016-02-02 |
modified | 2012-01-27 |
published | 2012-01-27 |
reporter | metasploit |
source | https://www.exploit-db.com/download/18423/ |
title | HP Diagnostics Server magentservice.exe Overflow |
Metasploit
description | This module exploits a stack buffer overflow in HP Diagnostics Server magentservice.exe service. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. Originally found and posted by AbdulAziz Hariri via ZDI. |
id | MSF:EXPLOIT/WINDOWS/MISC/HP_MAGENTSERVICE |
last seen | 2020-06-05 |
modified | 2017-07-24 |
published | 2012-01-25 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4789 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_magentservice.rb |
title | HP Diagnostics Server magentservice.exe Overflow |
Nessus
NASL family | Windows |
NASL id | HP_LOADRUNNER_11_PATCH4_CODE_EXEC.NASL |
description | The version of HP LoadRunner installed on the remote Windows host is potentially affected by a code execution vulnerability. The application fails to properly handle incoming packets with '0x00000000' as the first 32-bit value. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 59718 |
published | 2012-06-26 |
reporter | This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/59718 |
title | HP LoadRunner < 11.00 Patch 4 Code Execution Vulnerability |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(59718);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2011-4789");
  script_bugtraq_id(51398);

  script_name(english:"HP LoadRunner < 11.00 Patch 4 Code Execution Vulnerability");
  script_summary(english:"Checks version of HP Load Runner");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a software performance testing application
that is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of HP LoadRunner installed on the remote Windows host is
potentially affected by a code execution vulnerability. The application
fails to properly handle incoming packets with '0x00000000' as the
first 32-bit value.

A remote, unauthenticated attacker, exploiting this flaw, could execute
arbitrary code on the remote host subject to the privileges of the user
running the affected application.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-016/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/522928/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Upgrade to HP LoadRunner 11.00 Patch 4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Diagnostics Server magentservice.exe Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:loadrunner");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("hp_loadrunner_installed.nasl");
  script_require_keys("SMB/HP LoadRunner/Version", "SMB/HP LoadRunner/VersionUI", "SMB/HP LoadRunner/Path");
  script_require_ports(139, 445);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");

app = 'HP LoadRunner';
version = get_kb_item_or_exit('SMB/'+app+'/Version');
verui = get_kb_item('SMB/'+app+'/VersionUI');
if (isnull(verui))
{
  ver = split(version, sep:'.', keep:FALSE);
  verui = ver[0] + '.' + ver[1] + '.0';
}

# Local (registry/SMB) version check only: the installed build is compared
# against the first fixed build, 11.4.2021.0 (LoadRunner 11.00 Patch 4).
fix = '11.4.2021.0';
if (ver_compare(ver:version, fix:fix) == -1)
{
  if (report_verbosity > 0)
  {
    path = get_kb_item('SMB/'+app+'/Path');
    if (isnull(path)) path = 'n/a';

    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + verui +
      '\n  Fixed version     : 11.4.0\n';
    security_hole(port:get_kb_item('SMB/transport'), extra:report);
  }
  else security_hole(get_kb_item('SMB/transport'));
  exit(0);
}
audit(AUDIT_INST_VER_NOT_VULN, app, verui);
```
NASL family | Gain a shell remotely |
NASL id | HP_LOADRUNNER_CVE-2011-4789.NASL |
description | The version of HP LoadRunner hosted on the remote Windows host is potentially affected by a code execution vulnerability. The application fails to properly handle incoming packets with '0x00000000' as the first 32-bit value. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 62902 |
published | 2012-11-13 |
reporter | This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/62902 |
title | HP LoadRunner < 11.00 Patch 4 Code Execution (intrusive check) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(62902);
  script_version("1.4");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2011-4789");
  script_bugtraq_id(51398);

  script_name(english:"HP LoadRunner < 11.00 Patch 4 Code Execution (intrusive check)");
  script_summary(english:"Checks response from HP Load Runner Agent");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a software performance testing application
that is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of HP LoadRunner hosted on the remote Windows host is
potentially affected by a code execution vulnerability. The application
fails to properly handle incoming packets with '0x00000000' as the
first 32-bit value. A remote, unauthenticated attacker, exploiting this
flaw, could execute arbitrary code on the remote host subject to the
privileges of the user running the affected application.

This plugin sends crafted packets to the LoadRunner Agent service, which
will crash a vulnerable instance. If it is successful, a manual restart
of the service is necessary.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-016/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/522928/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b6425436");
  script_set_attribute(attribute:"solution", value:"Upgrade to HP LoadRunner 11.00 Patch 4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Diagnostics Server magentservice.exe Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:loadrunner");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies('loadrunner_agent_detect.nasl', 'ssl_supported_versions.nasl', 'os_fingerprint.nasl');
  script_require_keys('SSL/Supported');
  script_require_ports('Services/loadrunner_agent', 54345);

  exit(0);
}

include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');

#
# HPSBMU02785 SSRT100526 says only HP LoadRunner running on Windows is affected
#
if (report_paranoia < 2)
{
  os = get_kb_item_or_exit('Host/OS');
  if ('Windows' >!< os) audit(AUDIT_OS_NOT, 'Windows');
}

port = get_service(svc:'loadrunner_agent', default:54345, exit_on_fail:TRUE);

#
# The attack appears to work on SSLv3 only
# Check for SSLv3 on remote port
#
ssl3 = 0;
list = get_kb_list('SSL/Transport/'+port);
if (!isnull(list))
{
  list = make_list(list);
  foreach encap (list)
  {
    if (encap == ENCAPS_SSLv3)
    {
      ssl3 = 1;
      break;
    }
  }
}
if (!ssl3) exit(0, 'The service listening on port '+port+' does not appear to support SSL 3.0.');

if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port, 'TCP');
soc = open_sock_tcp(port, transport:ENCAPS_SSLv3);
if (!soc) audit(AUDIT_SOCK_FAIL, port, 'TCP');

# The trigger: a packet whose first 32-bit value (the size field) is zero.
send(socket:soc, data:'\x00\x00\x00\x00');

# Wait a bit before closing the socket so that the remote end can read on a still open socket.
# Closing the socket immediately after the send may cause SSL_Read() on the remote host to fail
# because Nessus has just closed the connection.
recv(socket:soc, length:1024);
close(soc);

# Vulnerable server should be dead now
soc = open_sock_tcp(port, transport:ENCAPS_SSLv3);
if (!soc) security_hole(port:port);
# We should be able to reconnect to the patched server
else audit(AUDIT_LISTEN_NOT_VULN, 'HP LoadRunner', port);
```

Note that this plugin is in the ACT_DESTRUCTIVE_ATTACK category: a positive result means the agent service on port 54345 has just been crashed and must be restarted by hand. The first plugin (59718) reaches the same verdict from the installed build number over SMB without touching the service, so it is the one to run in production.
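The following is an added illustration of the bug class this page describes (a size field of 0x00000000 accepted as a packet length, which the SAINT entry below files as an integer wrap); it is not code from HP, Rapid7 or Tenable, and the actual magentservice.exe wire format is not documented on this page. The framing used here is an assumption: a little-endian 32-bit size that counts its own 4-byte header, followed by a body that the handler copies into a 256-byte stack buffer. The vulnerable parser derives the body length as `size - 4` without checking `size >= 4`, so a zero size wraps to 0xFFFFFFFC; the hardened parser bounds every quantity derived from the attacker-controlled size before using it.

```c
/* Added example, not HP's code. Assumed framing: [u32 LE size][body],
 * size counts the 4-byte header. Sample packets are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN  4u      /* assumed: 32-bit size field, included in the size */
#define BODY_MAX 256u    /* assumed: fixed-size stack buffer in the handler */

/* Read a little-endian 32-bit value (byte order is an assumption). */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern. body_len = size - HDR_LEN is computed without
 * checking size >= HDR_LEN, so a size field of 0x00000000 wraps to
 * 0xFFFFFFFC and becomes the memcpy length into a 256-byte stack buffer.
 * Only call this on well-formed input (main() and the demos do); use
 * vulnerable_copy_len() to see the wrapped value without the copy. */
int vulnerable_parse(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t body[BODY_MAX];
    if (pkt_len < HDR_LEN) return -1;
    uint32_t size = rd_le32(pkt);
    uint32_t body_len = size - HDR_LEN;          /* unsigned wrap when size < 4 */
    memcpy(body, pkt + HDR_LEN, body_len);        /* stack overflow on the trigger */
    return (int)body_len;
}

/* The length the vulnerable code would hand to memcpy, without copying. */
uint32_t vulnerable_copy_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return 0;
    return rd_le32(pkt) - HDR_LEN;
}

/* Hardened form: reject a size that cannot cover the header (so the
 * subtraction cannot wrap), a size larger than what was received, and a
 * body larger than the destination. Returns body length or -1. */
int safe_parse(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_len)
{
    if (pkt_len < HDR_LEN) return -1;
    uint32_t size = rd_le32(pkt);
    if (size < HDR_LEN) return -1;      /* rejects 0x00000000 .. 0x00000003 */
    if (size > pkt_len) return -1;      /* claims more bytes than arrived */
    uint32_t body_len = size - HDR_LEN; /* cannot wrap now */
    if (body_len > out_len) return -1;  /* would not fit the buffer */
    memcpy(out, pkt + HDR_LEN, body_len);
    return (int)body_len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t TRIGGER[] = { 0x00, 0x00, 0x00, 0x00, 'A', 'A', 'A', 'A' };
static const uint8_t BENIGN[]  = { 0x08, 0x00, 0x00, 0x00, 'h', 'i', '!', '\n' };

uint32_t demo_trigger_wrapped_len(void)
{
    return vulnerable_copy_len(TRIGGER, sizeof TRIGGER);   /* 0xFFFFFFFC */
}

int demo_trigger_rejected(void)
{
    uint8_t out[BODY_MAX];
    return safe_parse(TRIGGER, sizeof TRIGGER, out, sizeof out) == -1;
}

/* Both parsers agree on benign input: a size of 8 yields a 4-byte body. */
int demo_benign_len(void)
{
    uint8_t out[BODY_MAX];
    int n = safe_parse(BENIGN, sizeof BENIGN, out, sizeof out);
    if (n != 4 || memcmp(out, "hi!\n", 4) != 0) return -1;
    return vulnerable_parse(BENIGN, sizeof BENIGN);
}

int main(void)
{
    printf("memcpy length the vulnerable parser derives for size=0: 0x%08X\n",
           demo_trigger_wrapped_len());
    printf("hardened parser rejects the trigger: %d\n", demo_trigger_rejected());
    printf("benign packet body length: %d\n", demo_benign_len());
    return 0;
}
```

The point of the three checks in `safe_parse` is that each one closes a distinct hole: `size < HDR_LEN` is the integer wrap itself, `size > pkt_len` is an over-read of the receive buffer, and `body_len > out_len` is the stack overflow; a parser that only fixes the first still has the other two.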
Packetstorm
data source | https://packetstormsecurity.com/files/download/109177/hp_magentservice.rb.txt |
id | PACKETSTORM:109177 |
last seen | 2016-12-05 |
published | 2012-01-28 |
reporter | AbdulAziz Hariri |
source | https://packetstormsecurity.com/files/109177/HP-Diagnostics-Server-magentservice.exe-Overflow.html |
title | HP Diagnostics Server magentservice.exe Overflow |
Saint
bid | 51398 |
description | HP Diagnostics Server magentservice.exe Integer Wrap |
osvdb | 78309 |
title | hp_diagnostics_magentservice_intwrap |
type | remote |