exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASPR-2007-05-14-1.txt

ASPR-2007-05-14-1.txt
Posted May 21, 2007
Site acrossecurity.com

ACROS Security Problem Report #2007-05-14-1 - There is a session fixation vulnerability in HP Systems Insight Manager 4.2 and 5.0 SP4/5 (IM) that allows an attacker to gain administrative access to IM console. As a result, the attacker can take complete administrative control over all managed systems, upload and execute malicious code on them, extract any information from them and disable them at her will.

tags | advisory
SHA-256 | d39d5adb853db233faf38cc0069a7c6e5065e71f431d97ee7d5b6666e9216a87

ASPR-2007-05-14-1.txt

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2007-05-14-1
-------------------------------------------------------------------------
ASPR #2007-05-14-1: Session Fixation Vulnerability in HP SIM 5.0
=========================================================================

Document ID: ASPR #2007-05-14-1-PUB
Vendor: HP (http://www.hp.com)
Target: HP Systems Insight Manager
Impact: A session fixation vulnerability in HP SIM 5.0 SP4/5 can
be exploited to run arbitrary comands on the servers
system
Severity: High
Status: Fixed in SIM 5.1
Discovered by: Luka Treiber and Aljosa Ocepek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2007-05-14-1-PUB.txt


Summary
=======

There is a session fixation vulnerability [1] in HP Systems Insight
Manager 4.2 and 5.0 SP4/5 (IM) that allows an attacker to gain
administrative access to IM console. As a result, the attacker can take
complete administrative control over all managed systems, upload and
execute malicious code on them, extract any information from them and
disable them at her will.


Product Coverage
================

- HP Systems Insight Manager 4.2 - affected
- HP Systems Insight Manager 5.0 SP4 - affected
- HP Systems Insight Manager 5.0 SP5 - affected
- HP Systems Insight Manager 5.1 - not affected


Analysis
========

The Systems Insight Manager web application is using a JSESSIONID session
cookie for maintaining a session with administrator's browser. Apparently,
the console is vulnerable to session fixation [1] and allows an attacker
to obtain the session cookie, fix it on administrator's browser and thus
force him to use that cookie when subsequently logging into the
administration console. Once the administrator is logged in, the attacker
can use the same cookie to enter the already logged-in session and assume
the identity of the administrator.

After gaining administrative rights, an attacker can do anything the
administrator could do, including executing arbitrary commands on all
managed computers. In SIM Service Pack 4, a new cookie JSESSIONIDSSO was
introduced to fix this issue; however, it was possible to bypass checks
for the JSESSIONIDSSO cookie and thus still attack the SIM administrator
with a fixed JSESSIONID cookie.


Solution
========

HP has released a newer version of SIM (SIM 5.1) which fixes this issue.


References
==========

[1] ACROS Security, "Session Fixation Vulnerability in Web-based
Applications"
http://www.acrossecurity.com/papers/session_fixation.pdf

[2] Hewlett-Packard Security Bulletin
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?
objectID=c01049713


Acknowledgments
===============

We would like to acknowledge HP Software Security Response Team (SSRT)
for diligent and professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

May 14, 2007: Initial release


Copyright
=========

(c) 2007 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close