[R2] HP Intelligent Management Center (iMC) Platform /rptviewer/servlets/redirectviewer Multiple Remote Issues

During the process of writing a detection plugin for CVE-2016-4372 / HP c05200601, Tenable discovered an additional issue. CVE-2016-4372 describes the deserialization of Java objects associated with the Apache Commons Collections library leading to remote code execution. There are a few affected HP products, but our interest was in "HPE iMC PLAT before 7.2 E0403P04". We installed and tested "iMC PLAT 7.2 E0403P06" on a Windows 7 box to investigate further. Note that the PoC written for this advisory is Windows-centric (don't judge us). Additionally, to anyone who ever tries to install iMC in the future: the database has some very specific settings that have to be set, just 34 pages worth.

#1 HP Intelligent Management Center (iMC) Platform /rptviewer/servlets/redirectviewer readObject Call Handling Remote DoS (CVE-2016-8530)

During our investigation, we found that an unauthenticated user could reach a readObject call on a FileInputStream in RedirectServlet.java.

#2 HP Intelligent Management Center (iMC) Platform /rptviewer/servlets/redirectviewer parafile Parameter Path Traversal Remote File Access (CVE-2016-8525)

The caller also has control of the filename read into the FileInputStream via the parafile parameter. It was also neat that very little validation is done on what the user provides in parafile so we can use it to read any file via path traversal (e.g. “../”). Sadly, we were unable to find an unauthenticated way to upload a serialized object in a file, until we remembered that the iMC has anonymous TFTP enabled by default. Unfortunately, the rptviewer (which is where RedirectServlet.java lives) doesn’t have anything useful on the class path. However, we didn’t want this to go unnoticed and wrote a nice deserialization denial of service attack (dos_redirectViewer.py) that exploits the /rptviewer/servlets/redirectviewer endpoint.