CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
99.2%
The installed version of HP Power Manager is less than 4.2.10, and as such has the following vulnerabilities :
Adequate bounds checking is not performed on the ‘Login’ parameter of the login page, which could lead to a buffer overflow. A remote, unauthenticated attacker could exploit this to execute arbitrary code as SYSTEM.
(CVE-2009-2685)
Adequate bounds checking is not performed on the ‘fileName’ or ‘LogType’ parameters of ‘formExportDataLogs’, which could lead to a buffer overflow. A remote, authenticated attacker could exploit this to execute arbitrary code as SYSTEM. (CVE-2009-3999)
The ‘fileName’ parameter of ‘formExportDataLogs’ has a directory traversal vulnerability. A remote, authenticated attacker could exploit this to overwrite arbitrary files with almost arbitrary data. This could result in a denial of service or arbitrary code execution as SYSTEM.
(CVE-2009-4000)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(44109);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2009-2685", "CVE-2009-3999", "CVE-2009-4000");
script_bugtraq_id(
36933,
37866,
37867,
37873
);
script_xref(name:"EDB-ID", value:"18015");
script_xref(name:"Secunia", value:"37276");
script_xref(name:"Secunia", value:"37280");
script_name(english:"HP Power Manager < 4.2.10");
script_set_attribute(attribute:"synopsis", value:
"The power management application installed on the remote host has
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The installed version of HP Power Manager is less than 4.2.10, and as
such has the following vulnerabilities :
- Adequate bounds checking is not performed on the
'Login' parameter of the login page, which could lead to
a buffer overflow. A remote, unauthenticated attacker
could exploit this to execute arbitrary code as SYSTEM.
(CVE-2009-2685)
- Adequate bounds checking is not performed on the 'fileName'
or 'LogType' parameters of 'formExportDataLogs', which
could lead to a buffer overflow. A remote, authenticated
attacker could exploit this to execute arbitrary code as
SYSTEM. (CVE-2009-3999)
- The 'fileName' parameter of 'formExportDataLogs' has a
directory traversal vulnerability. A remote, authenticated
attacker could exploit this to overwrite arbitrary files with
almost arbitrary data. This could result in a denial of
service or arbitrary code execution as SYSTEM.
(CVE-2009-4000)");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-081/");
script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2009-47/");
# http://web.archive.org/web/20120111202651/http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905743
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cd91a469");
# http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01971741
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?09f023c2");
# http://h18004.www1.hp.com/products/servers/proliantstorage/power-protection/software/power-manager/pm3-dl.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d601101");
script_set_attribute(attribute:"solution", value:
"Upgrade to HP Power Manager 4.2.10 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'HP Power Manager "formExportDataLogs" Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_cwe_id(22, 119);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/05");
script_set_attribute(attribute:"patch_publication_date", value:"2010/01/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:power_manager");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2024 Tenable Network Security, Inc.");
script_dependencies("hp_power_mgr_web_detect.nasl");
script_require_keys("www/hp_power_mgr");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
port = get_http_port(default:80, embedded:TRUE);
install = get_install_from_kb(appname:'hp_power_mgr', port:port);
if (isnull(install))
exit(1, "No HP Power Manager installs on port "+port+" were found in the KB.");
version = install['ver'];
if (version == UNKNOWN_VER)
exit(1, 'The version of HP Power Manager on port '+port+' is unknown.');
ver = split(version, sep:'.', keep:FALSE);
fix = split('4.2.10', sep:'.', keep:FALSE);
vuln = FALSE;
for (i = 0; i < max_index(ver) && !vuln; i++)
{
if (int(ver[i]) < int(fix[i])) vuln = TRUE;
else if (int(ver[i]) > int(fix[i])) break;
}
if (vuln)
{
if (report_verbosity > 0)
{
report = '\n URL : '+build_url(port:port, qs:install['dir']+"/index.asp")+
'\n Installed Version : '+version+
'\n Fixed Version : 4.2.10\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
}
else exit(0, 'HP Power Manager version '+version+' is listening on port "+port+" and thus not affected.');
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2685
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3999
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4000
www.nessus.org/u?09f023c2
www.nessus.org/u?5d601101
www.nessus.org/u?cd91a469
secuniaresearch.flexerasoftware.com/secunia_research/2009-47/
www.zerodayinitiative.com/advisories/ZDI-09-081/