Full Disclosure mailing list archives
HP Release Control Authenticated Privilege Escalation and XXE
From: Brandon Perry <bperry.volatile () gmail com>
Date: Fri, 16 May 2014 17:00:34 -0500
Hi, Linked is a gist detailing a few vulnerabilities I found in HP Release Control 9.20.0000, Build 395. You can download it on the On-premise software tab here: http://www8.hp.com/us/en/software-solutions/software.html?compURI=1350467#.U3aJWl5-_8s Basically, the first request an admin makes when on the user configuration page when poplulating the user grid any user can make. Using this, you can find out the admin's ID (and password hash!), which can be used when sending a request to the password change AMF endpoint to change the admin password. After that, you can log in as admin, then exploit an XXE vuln in the dashboard import mechanism. For some reason it always fails to login as the admin the first run. I am not sure if it is a race condition or what, but just rerun it. A sample run is included at the bottom of the module. https://gist.github.com/brandonprry/1ed5633fa7ba18538f02 _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- HP Release Control Authenticated Privilege Escalation and XXE Brandon Perry (May 16)