SAINT Corporation, SAINT:5661C2D35A08037763C654F73AD7010E
Dec 18, 2013 - 12:00 a.m.

HP LoadRunner Virtual User Generator EmulationAdmin service directory traversal

download.saintcorporation.com
CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.946 High
Percentile: 99.3%

Added: 12/18/2013
CVE: CVE-2013-4837
BID: 63475
OSVDB: 99231

Background

HP LoadRunner is a software performance testing solution.

Problem

A directory traversal vulnerability in the Virtual User Generator EmulationAdmin service allows remote attackers to upload files to arbitrary locations using the copyFileToServer method. The files could then be executed via an HTTP request.

Resolution

Apply LoadRunner patch v11.52.1, which can be downloaded from HP Software Support Online (SSO).

References

<https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437>
<http://www.zerodayinitiative.com/advisories/ZDI-13-259/>

Limitations

Exploit works on HP LoadRunner 11.52. HP LoadRunner must be installed in the standard installation path.

Platforms

Windows
