CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.946 High
Percentile: 99.3%
Added: 08/29/2013
CVE: CVE-2013-2370
BID: 61441
OSVDB: 95640
HP LoadRunner is a software performance testing solution. HP LoadRunner includes the **lrFileIOService** ActiveX control.
HP LoadRunner before 11.52 is vulnerable to remote code execution. The **lrFileIOService** ActiveX control exposes the **WriteFileBinary** method which accepts a parameter named data without validating the value. A remote attacker who persuades a vulnerable user to visit a malicious web page could execute arbitrary code in the context of the user.
Upgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin HPSBGN02905 SSRT101083.
<http://www.zerodayinitiative.com/advisories/ZDI-13-182/>
This exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).
The user must open the exploit in Internet Explorer 8 or 9 on the target.
Windows