Saturday, June 2, 2012

Vulnerable Weekends #8

Vulnerability Report #8: HP LoadRunner magentservice.exe Component Remote Code Execution Vulnerability

Vulnerable Product: Installations of HP LoadRunner prior to version 11 patch 4

CVE ID: CVE-2011-4789

CVSS v2 Score:
Access Vector: REMOTE
Access Complexity: LOW
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 10

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 8.3

HP LoadRunner is vulnerable to a remote code execution vulnerability due to insufficient boundary checks performed on user-supplied input received via its magentservice.exe component.

The vulnerability exists due to an implementation flaw within the affected software. The vulnerable component listens for incoming requests on TCP/23472 and it expects a size value within the first 32bits of user-supplied input. This value is used as-is, without any sanitization, for internal calculations that involve deriving the number of bytes to be copied in to a destination buffer. Due to the insufficient checks, a 32bit value of 0x00000000 could cause an error within the internal calculation logic and trigger a stack-based buffer overflow during a later copy operation. This action could allow a remote attacker to execute arbitrary code with SYSTEM privileges on the targeted system.

HP has confirmed this vulnerability and released a security patch for registered users.

Vulnerability Sources:
Bugtraq ID: 51398
HP Security Bulletin: HPSBMU02785 SSRT100526
Metasploit Module: hp_magentservice
Zero Day Initiative: ZDI-12-016

Generic Sources:
Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)