SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


HPE Intelligent Management Center arbitrary file upload vulnerability (Nov 23, 2017)



Description


HPE Intelligent Management Center (IMC) is a popular management system designed to integrate the management of devices, services and users. It provides features and functions that are designed for comprehensive management of the network infrastructure. An arbitrary file upload vulnerability exists in the HPE Intelligent Management Center. The server application that handling the file upload fails to filter the file extension when handling certain HTTP request, causing a arbitrary file upload vulnerability. An attacker could send a crafted HTTP POST request to the server url, uploading malicious scripts and execute them under the privilege of the server process.

HPE IMC's server side is based on the Java servlets. Such servlets include one called FileUploadServlet, which supports the upload of XML files. It is mapped to the following URL:

https://<host>:8443/imc/flexFileUpload

This interface and a method called doPost() will handle the HTTP parameters and execute the file uploading logic. The POST parameter "name" determines the filename on the server side. However, the code doesn't check the file extension carries in this parameter. An attacker could send a malicious request to the server application, renaming the file to a server side executable format, such as jsp or jspx, and get a webshell.

String fileName = s + "/" + URLDecoder.decode(item.getFieldName(), "UTF-8");
log.debug("flex UploadFileName:" + fileName);

//Rename the uploaded file without any filtering
File file = new File(fileName);
if (log.isDebugEnabled()) {
    log.debug("FileItem :" + item.getName() + "size:" + item.getSize() + "isInMemory:" + item.isInMemory());
    log.debug("FileInfo:uploadFileName:" + file.getAbsolutePath());
}

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13056: HPE Intelligent Management Center Arbitrary File Upload



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2017 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.7 | S2MSW01