CVE-2011-4789 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HP Diagnostics

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, hp, CWE-119, critical, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in magentservice.exe in the server in HP LoadRunner 11.00 before patch 4 allows remote attackers to execute arbitrary code via a crafted size value in a packet. NOTE: it was originally reported that the affected product is HP Diagnostics Server, but HP states that "the vulnerable product is actually HP LoadRunner."

The Saint entry on this page classifies the bug as an integer wrap, and the Nessus checks below describe the trigger as a packet whose first 32-bit value is 0x00000000, delivered to the LoadRunner Agent service (TCP 54345 by default) over SSL 3.0. HP advisory HPSBMU02785 / SSRT100526, cited in the intrusive Nessus check, states that only HP LoadRunner running on Windows is affected. The fix is HP LoadRunner 11.00 Patch 4 or later.
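The following is an added illustration of the bug class the summary describes (a size field that is trusted, then subtracted from, so that 0x00000000 wraps to a huge copy length); it is not code from magentservice.exe, HP, or any of the exploit modules listed on this page. The framing it assumes (a 4-byte big-endian size that counts the whole frame, followed by the body) and all sample frames are constructed for the example. The vulnerable handler checks the outer size, which 0 passes, then copies the wrapped length into a fixed stack buffer; the hardened handler rejects the frame before the subtraction and also bounds the copy against both the destination and the bytes actually received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed (illustrative) frame layout: 4-byte big-endian size counting the
 * whole frame including the header, then the body. Not the real wire format. */
#define HDR_LEN  4u
#define BODY_MAX 64u

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Body length as a naive handler derives it: size minus header with no lower
 * bound. A size field of 0 wraps to 0xFFFFFFFC (the "integer wrap"). */
uint32_t naive_body_len(uint32_t size)
{
    return size - HDR_LEN;
}

/* Vulnerable pattern: the bounds check looks only at the outer size, which
 * 0 satisfies; the wrapped body length then drives a memcpy into a fixed
 * stack buffer. Do not call this with a size field below 4: that is the crash
 * the intrusive Nessus check provokes. */
int handle_frame_vulnerable(const uint8_t *pkt, size_t n)
{
    uint8_t body[BODY_MAX];
    if (n < HDR_LEN) return -1;
    uint32_t size = read_be32(pkt);
    if (size > BODY_MAX + HDR_LEN) return -1;   /* size == 0 passes */
    uint32_t body_len = naive_body_len(size);    /* 0 -> 0xFFFFFFFC */
    memcpy(body, pkt + HDR_LEN, body_len);       /* stack overflow on wrap */
    return (int)body_len;
}

/* Hardened: validate before subtracting, then bound the copy against the
 * destination capacity and the bytes actually on the wire.
 * Returns the body length copied, or -1 if the frame is rejected. */
int handle_frame_safe(const uint8_t *pkt, size_t n, uint8_t *out, size_t out_cap)
{
    if (n < HDR_LEN) return -1;
    uint32_t size = read_be32(pkt);
    if (size < HDR_LEN) return -1;         /* rejects 0x00000000 before the wrap */
    uint32_t body_len = size - HDR_LEN;
    if (body_len > out_cap) return -1;     /* would not fit the destination */
    if ((size_t)size > n) return -1;       /* claims more than was received */
    memcpy(out, pkt + HDR_LEN, body_len);
    return (int)body_len;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t FRAME_GOOD[]     = { 0x00, 0x00, 0x00, 0x08, 'A', 'B', 'C', 'D' };
static const uint8_t FRAME_ZERO[]     = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t FRAME_OVERSIZE[] = { 0x00, 0x00, 0x01, 0x00, 'x' };      /* claims 256 bytes */
static const uint8_t FRAME_SHORT[]    = { 0x00, 0x00, 0x00, 0x10, 'a', 'b' }; /* claims 16, carries 2 */
static uint8_t scratch[BODY_MAX];

int main(void)
{
    printf("naive length for size 0      : 0x%08x\n", naive_body_len(0));
    printf("safe handler, good frame     : %d\n",
           handle_frame_safe(FRAME_GOOD, sizeof FRAME_GOOD, scratch, sizeof scratch));
    printf("safe handler, zero frame     : %d\n",
           handle_frame_safe(FRAME_ZERO, sizeof FRAME_ZERO, scratch, sizeof scratch));
    printf("safe handler, oversize frame : %d\n",
           handle_frame_safe(FRAME_OVERSIZE, sizeof FRAME_OVERSIZE, scratch, sizeof scratch));
    printf("safe handler, short frame    : %d\n",
           handle_frame_safe(FRAME_SHORT, sizeof FRAME_SHORT, scratch, sizeof scratch));
    /* handle_frame_vulnerable(FRAME_ZERO, ...) would pass its check and crash. */
    printf("vulnerable handler, good frame: %d\n",
           handle_frame_vulnerable(FRAME_GOOD, sizeof FRAME_GOOD));
    return 0;
}
```

The ordering in the hardened handler matters: the lower-bound check has to come before the subtraction, and the comparison against the received byte count is what stops a frame that claims more than it carries from reading past the receive buffer, which the vulnerable handler also fails to do.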

Vulnerable Configurations

Part         Description   Count
Application  Hp            1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: HP Diagnostics Server magentservice.exe overflow. CVE-2011-4789. Remote exploit for Windows platform
id: EDB-ID:18423
last seen: 2016-02-02
modified: 2012-01-27
published: 2012-01-27
reporter: metasploit
source: https://www.exploit-db.com/download/18423/
title: HP Diagnostics Server magentservice.exe Overflow

Metasploit

description: This module exploits a stack buffer overflow in HP Diagnostics Server magentservice.exe service. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. Originally found and posted by AbdulAziz Hariri via ZDI.
id: MSF:EXPLOIT/WINDOWS/MISC/HP_MAGENTSERVICE
last seen: 2020-06-05
modified: 2017-07-24
published: 2012-01-25
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4789
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_magentservice.rb
title: HP Diagnostics Server magentservice.exe Overflow

Nessus

  • NASL family: Windows
    NASL id: HP_LOADRUNNER_11_PATCH4_CODE_EXEC.NASL
    description: The version of HP LoadRunner installed on the remote Windows host is potentially affected by a code execution vulnerability. The application fails to properly handle incoming packets with '0x00000000' as the first 32-bit value. A remote, unauthenticated attacker, exploiting this flaw, could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59718
    published: 2012-06-26
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59718
    title: HP LoadRunner < 11.00 Patch 4 Code Execution Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(59718);
      script_version("1.5");
      script_cvs_date("Date: 2018/11/15 20:50:27");
    
      script_cve_id("CVE-2011-4789");
      script_bugtraq_id(51398);
    
      script_name(english:"HP LoadRunner < 11.00 Patch 4 Code Execution Vulnerability");
      script_summary(english:"Checks version of HP Load Runner");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has a software performance testing 
    application that is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of HP LoadRunner installed on the remote Windows host is
    potentially affected by a code execution vulnerability.  The
    application fails to properly handle incoming packets with 
    '0x00000000' as the first 32-bit value.  A remote, unauthenticated 
    attacker, exploiting this flaw, could execute arbitrary code on the 
    remote host subject to the privileges of the user running the affected
    application.");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-016/");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/522928/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade to HP LoadRunner 11.00 Patch 4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP Diagnostics Server magentservice.exe Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:loadrunner");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("hp_loadrunner_installed.nasl");
      script_require_keys("SMB/HP LoadRunner/Version", "SMB/HP LoadRunner/VersionUI", "SMB/HP LoadRunner/Path");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    app = 'HP LoadRunner';
    version = get_kb_item_or_exit('SMB/'+app+'/Version');
    verui = get_kb_item('SMB/'+app+'/VersionUI');
    if (isnull(verui))
    {
      ver = split(version, sep:'.', keep:FALSE);
      verui = ver[0] + '.' + ver[1] + '.0';
    }
    
    fix = '11.4.2021.0';
    if (ver_compare(ver:version, fix:fix) == -1)
    {
      if (report_verbosity > 0)
      {
        path = get_kb_item('SMB/'+app+'/Path');
        if (isnull(path)) path = 'n/a';
        report = 
          '\n  Path              : ' + path +
          '\n  Installed version : ' + verui +
          '\n  Fixed version     : 11.4.0\n';
        security_hole(port:get_kb_item('SMB/transport'), extra:report);
      }
      else security_hole(get_kb_item('SMB/transport'));
      exit(0);
    }
    audit(AUDIT_INST_VER_NOT_VULN, app, verui);
    
  • NASL family: Gain a shell remotely
    NASL id: HP_LOADRUNNER_CVE-2011-4789.NASL
    description: The version of HP LoadRunner hosted on the remote Windows host is potentially affected by a code execution vulnerability. The application fails to properly handle incoming packets with '0x00000000' as the first 32-bit value. A remote, unauthenticated attacker, exploiting this flaw, could execute arbitrary code on the remote host subject to the privileges of the user running the affected application. This plugin sends crafted packets to the LoadRunner Agent service, which will crash a vulnerable instance. If it is successful, a manual restart of the service is necessary.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62902
    published: 2012-11-13
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62902
    title: HP LoadRunner < 11.00 Patch 4 Code Execution (intrusive check)
    code
    
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(62902);
      script_version("1.4");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id("CVE-2011-4789");
      script_bugtraq_id(51398);
    
      script_name(english:"HP LoadRunner < 11.00 Patch 4 Code Execution (intrusive check)");
      script_summary(english:"Checks response from HP Load Runner Agent");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has a software performance testing application
    that is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of HP LoadRunner hosted on the remote Windows host is
    potentially affected by a code execution vulnerability.  The application
    fails to properly handle incoming packets with '0x00000000' as the first
    32-bit value.  A remote, unauthenticated attacker, exploiting this flaw,
    could execute arbitrary code on the remote host subject to the
    privileges of the user running the affected application. 
    
    This plugin sends crafted packets to the LoadRunner Agent service, which
    will crash a vulnerable instance.  If it is successful, a manual restart
    of the service is necessary.");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-016/");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/522928/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b6425436");
      script_set_attribute(attribute:"solution", value:"Upgrade to HP LoadRunner 11.00 Patch 4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP Diagnostics Server magentservice.exe Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:loadrunner");
      script_end_attributes();
    
      script_category(ACT_DESTRUCTIVE_ATTACK);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies('loadrunner_agent_detect.nasl', 'ssl_supported_versions.nasl', 'os_fingerprint.nasl');
      script_require_keys('SSL/Supported');
      script_require_ports('Services/loadrunner_agent', 54345);
      
      exit(0);
    }
    
    include('audit.inc');
    include('byte_func.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    
    #
    # HPSBMU02785 SSRT100526 says only HP LoadRunner running on Windows is affected
    #
    if (report_paranoia < 2)
    {
      os = get_kb_item_or_exit('Host/OS');
      if ('Windows' >!< os) audit(AUDIT_OS_NOT, 'Windows');
    }
    
    port = get_service(svc:'loadrunner_agent', default:54345, exit_on_fail:TRUE);
    
    # 
    # The attack appears to work on SSLv3 only
    # Check for SSLv3 on remote port
    ssl3 = 0;
    list = get_kb_list('SSL/Transport/'+port);
    if (!isnull(list))
    {
      list = make_list(list);
      foreach encap (list)
      {
        if(encap == ENCAPS_SSLv3)
        {
          ssl3 = 1;
          break;
        }
      }
    }
    
    if (!ssl3) exit(0, 'The service listening on port '+port+' does not appear to support SSL 3.0.'); 
    
    if (!get_port_state(port))  audit(AUDIT_PORT_CLOSED, port, 'TCP');
    
    soc = open_sock_tcp(port, transport: ENCAPS_SSLv3);
    if (!soc) audit(AUDIT_SOCK_FAIL, port, 'TCP');  
    
    
    send(socket:soc, data:'\x00\x00\x00\x00');
    # Wait a bit before closing the socket so that the remote end can read on a still open socket.
    # Closing the socket immediately after the send may cause SSL_Read() on the remote host to fail
    # because Nessus has just closed the connection. 
    recv(socket:soc, length:1024);
    close(soc);
    
    # Vulnerable server should be dead now
    soc = open_sock_tcp(port, transport: ENCAPS_SSLv3);
    if (!soc) security_hole(port:port);
    
    # We should be able to reconnect to the patched server
    else audit(AUDIT_LISTEN_NOT_VULN, 'HP LoadRunner', port);
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/109177/hp_magentservice.rb.txt
id: PACKETSTORM:109177
last seen: 2016-12-05
published: 2012-01-28
reporter: AbdulAziz Hariri
source: https://packetstormsecurity.com/files/109177/HP-Diagnostics-Server-magentservice.exe-Overflow.html
title: HP Diagnostics Server magentservice.exe Overflow

Saint

bid: 51398
description: HP Diagnostics Server magentservice.exe Integer Wrap
osvdb: 78309
title: hp_diagnostics_magentservice_intwrap
type: remote