HPE Remote Support Tool Vulnerability Let Attackers Execute Arbitrary code – PoC Released
Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A newly disclosed vulnerability in Hewlett Packard Enterprise's (HPE) Insight Remote Support tool lets unauthenticated attackers execute arbitrary code on vulnerable systems, and proof-of-concept (PoC) exploit code is now publicly available.
Tracked as CVE-2024-53676, this critical remote code execution (RCE) flaw stems from improper validation of user-supplied file paths in the tool’s file upload functionality, allowing attackers to overwrite system files and deploy malicious payloads with SYSTEM-level privileges.
HPE Remote Support Tool Vulnerability
According to the researcher, D4mianWayne (Robin), the vulnerability resides in the processAtatchmentDataStream method of the com.hp.it.sa.helpers.DataPackageReceiverWebSvcHelper Java class.
When handling file attachments submitted via SOAP requests, the application constructs file paths using unvalidated attachmentName parameters from incoming requests.
Attackers can inject directory traversal sequences (e.g., ../../) into these parameters to write files to arbitrary filesystem locations.
The snippet the researcher published shows attachmentName being used with no sanitization at all, which is what makes the path traversal possible.
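To make the flaw concrete, here is an added example (not code from the article, the researcher or HPE) that mirrors the pattern described above in Python: a caller-supplied attachment name joined to an upload directory with no validation, next to a hardened version that accepts only a bare file name and then verifies containment. The upload directory, helper names and sample attachment names are illustrative assumptions; the real method is the Java processAtatchmentDataStream in DataPackageReceiverWebSvcHelper, whose source is not reproduced here.

```python
# Added example, not code from the article or from HPE. Mirrors the flaw the
# article describes (client-supplied attachment name joined to an upload
# directory with no validation) beside a hardened version.
# Upload directory, helper names and sample names are illustrative assumptions.
import os
import posixpath


def vulnerable_target_path(upload_dir: str, attachment_name: str) -> str:
    """The flawed pattern: join whatever the client sent to the upload
    directory. posixpath is used so the result is identical on every host;
    the idea is the same as building a File from the raw attachmentName."""
    return posixpath.normpath(posixpath.join(upload_dir, attachment_name))


def safe_target_path(upload_dir: str, attachment_name: str) -> str:
    """Hardened version: accept only a single path component, then confirm
    the resolved path is still inside the upload directory."""
    base = os.path.realpath(upload_dir)
    # Reject both separator styles (a Windows server treats '\' as a
    # separator even when this check runs on POSIX), dot entries and NULs.
    if (not attachment_name
            or "/" in attachment_name
            or "\\" in attachment_name
            or "\x00" in attachment_name
            or attachment_name in (".", "..")):
        raise ValueError(f"rejected attachment name: {attachment_name!r}")
    candidate = os.path.realpath(os.path.join(base, attachment_name))
    # Defence in depth: the containment check still holds if the name
    # filter is ever loosened, e.g. to allow subdirectories.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {candidate}")
    return candidate


# Constructed sample inputs (assumed upload location): a benign upload and a
# traversal aimed at the Tomcat web root the article names, webapps/ROOT/.
UPLOAD_DIR = "/srv/irs/upload"
BENIGN_NAME = "collection-2024.xml"
TRAVERSAL_NAME = "../webapps/ROOT/shell.jsp"


def demo() -> dict:
    """Run both versions over the sample names; returns what each produced."""
    results = {
        "vulnerable_benign": vulnerable_target_path(UPLOAD_DIR, BENIGN_NAME),
        "vulnerable_traversal": vulnerable_target_path(UPLOAD_DIR, TRAVERSAL_NAME),
        "safe_benign": safe_target_path(UPLOAD_DIR, BENIGN_NAME),
    }
    try:
        safe_target_path(UPLOAD_DIR, TRAVERSAL_NAME)
        results["safe_traversal"] = "ACCEPTED (bug)"
    except ValueError as exc:
        results["safe_traversal"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The vulnerable function turns `../webapps/ROOT/shell.jsp` into a path under the web root, which is exactly the write a JSP webshell needs; the hardened one rejects it at the name check and would also catch it at the containment check if the first filter were relaxed.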
Exploit Constraints and Attack Surface
While authentication isn’t required to exploit this vulnerability, successful attacks depend on two factors:
Valid Device Registration Credentials: The oosId (device registration ID) and registrationToken parameters must match a device enrolled in the target Insight Remote Support instance.
Web Server File Permissions: The application’s Java process must have write permissions to the directory targeted via path traversal.
Security researchers have published a Python-based PoC that builds the malicious SOAP request.
The script generates a SOAP envelope carrying a JSP webshell payload encoded in Base64. Run against an unregistered device, however, it fails with "SenderError 206" because the supplied oosId does not match an enrolled device.
Mitigations
HPE has not yet released an official patch for CVE-2024-53676. Organizations using Insight Remote Support should:
Isolate Management Interfaces: Restrict access to the DataPackageReceiver service (typically on TCP/7906) using network segmentation.
Monitor File Write Operations: Deploy filesystem auditing tools to detect unauthorized writes to web directories like webapps/ROOT/.
Analyze SOAP Traffic: Use web application firewalls (WAFs) to block requests carrying path traversal sequences in file-name parameters such as attachmentName.
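As an added example of the SOAP-traffic check in the last item (not code from the article or from any vendor), the routine below parses a SOAP body, pulls out every attachmentName element regardless of namespace, and flags values that resolve to anything other than a single file name, after undoing the percent-encoding and backslash tricks typically used to slip past a naive WAF rule. The envelope layout, the urn:example:irs namespace, the element names other than attachmentName, oosId and registrationToken, and all sample values are constructed assumptions; the real Insight Remote Support schema is not reproduced here.

```python
# Added example, not code from the article or from any vendor: a request
# inspection routine of the kind a WAF rule or log-review script would run on
# the SOAP traffic the article describes. Namespace, envelope layout and
# sample values are constructed assumptions.
import re
from urllib.parse import unquote
from xml.etree import ElementTree as ET

# Element names the article identifies as carrying the client-chosen file name.
FILENAME_FIELDS = {"attachmentName"}


def normalize_name(value: str) -> str:
    """Undo encodings an evasion attempt might use before matching:
    repeated percent-decoding (..%2f, %252e%252e) and backslash-to-slash."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the decoded name is absolute or contains a '..' component."""
    name = normalize_name(value)
    if name.startswith("/") or re.match(r"^[A-Za-z]:/", name):
        return True
    return any(seg == ".." for seg in name.split("/"))


def inspect_soap_request(body: str) -> list:
    """Parse a SOAP body and return one finding string per offending element.
    An unparseable body is itself reported, since a WAF should not fail open."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable SOAP body: {exc}"]
    findings = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        text = (elem.text or "").strip()
        if local in FILENAME_FIELDS and is_traversal(text):
            findings.append(f"{local} contains path traversal: {text!r}")
    return findings


# Constructed sample requests (assumed schema). The attachment data is the
# Base64 of the string "PLACEHOLDER", not a real payload.
BENIGN_REQUEST = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:irs="urn:example:irs">
  <soapenv:Body>
    <irs:DataPackage>
      <irs:oosId>00000000-0000-0000-0000-000000000000</irs:oosId>
      <irs:registrationToken>REDACTED</irs:registrationToken>
      <irs:attachmentName>collection-2024.xml</irs:attachmentName>
      <irs:attachmentData>UExBQ0VIT0xERVI=</irs:attachmentData>
    </irs:DataPackage>
  </soapenv:Body>
</soapenv:Envelope>"""

MALICIOUS_REQUEST = BENIGN_REQUEST.replace(
    "collection-2024.xml", "..%2F..%2Fwebapps%2FROOT%2Fcmd.jsp")


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, inspect_soap_request(body) or "clean")
```

The traversal test is deliberately conservative: a name like `report..xml` passes because `..` is only rejected as a whole path component, while `../`, `..\`, `..%2F` and double-encoded forms are all caught. In a WAF the same logic is normally expressed as a decode-then-match rule on the raw body; in a SIEM it can run over archived request logs to look for past attempts.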
The vulnerability highlights the risks of improper input sanitization in enterprise management tools.
As researchers refine exploit techniques to bypass the oosId requirement, administrators must assume active exploitation is imminent and implement compensatory controls immediately.