Vulnerable Weekends #8: HP LoadRunner RCE
Published on 02/Jun/2012
Tagged: vulnweekends
Vulnerability Report #8: HP LoadRunner magentservice.exe Component Remote Code Execution Vulnerability
Vulnerable Product: Installations of HP LoadRunner prior to version 11 patch 4
CVE ID: CVE-2011-4789
CVSS v2 Score:
Access Vector: REMOTE
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 10
Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 8.3
Details
HP LoadRunner is vulnerable to a remote code execution vulnerability due to insufficient boundary checks performed on user-supplied input received via its magentservice.exe component.

The vulnerability exists due to an implementation flaw within the affected software. The vulnerable component listens for incoming requests on 23472/tcp and expects a size value within the first 32 bits of user-supplied input. This value is used as-is, without any sanitization, for internal calculations that derive the number of bytes to be copied into a destination buffer. Because of the insufficient checks, a 32-bit value of 0x00000000 can cause an error within the internal calculation logic and trigger a stack-based buffer overflow during a later copy operation. This could allow a remote attacker to execute arbitrary code with SYSTEM privileges on the targeted system.
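The bug class described above (a length field taken from the first four bytes of a request and fed into a size calculation with no validation) is illustrated by the following added C example. It is not code from HP LoadRunner or from this report; the 4-byte header length, the 256-byte destination buffer, the little-endian byte order and the "declared size minus header" arithmetic are assumptions chosen to show how a declared size of 0x00000000 produces an out-of-range copy length, and how a checked parser rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Assumed protocol shape for this illustration (not magentservice.exe's):
 * a 4-byte little-endian size field, then the message body. */
#define HDR_LEN 4u
#define BUF_LEN 256u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe pattern: body length = declared size minus header, unchecked.
 * For size == 0 the unsigned subtraction wraps to 0xFFFFFFFC, far larger
 * than any stack buffer; a copy driven by this value would overflow it.
 * Only the length is computed here, so the function is safe to call. */
uint32_t unchecked_body_len(const uint8_t *req, size_t req_len) {
    if (req_len < HDR_LEN) return 0;
    uint32_t size = read_le32(req);
    return size - HDR_LEN;              /* wraps when size < HDR_LEN */
}

/* Hardened parser: validate the declared size against the header length,
 * the bytes actually received and the destination buffer before copying. */
bool checked_copy(const uint8_t *req, size_t req_len,
                  uint8_t *dst, size_t dst_len, size_t *out_len) {
    if (req_len < HDR_LEN) return false;
    uint32_t size = read_le32(req);
    if (size < HDR_LEN) return false;                    /* rejects 0x00000000 */
    uint32_t body = size - HDR_LEN;                      /* cannot wrap now */
    if (body > dst_len) return false;                    /* fits destination */
    if ((size_t)body > req_len - HDR_LEN) return false;  /* bytes are present */
    memcpy(dst, req + HDR_LEN, body);
    *out_len = body;
    return true;
}

int main(void) {
    /* Constructed sample requests: declared size 0, and a well-formed size 8. */
    const uint8_t bad[]  = {0x00, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D'};
    const uint8_t good[] = {0x08, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D'};
    uint8_t buf[BUF_LEN];
    size_t n = 0;

    printf("unchecked body length for size 0: 0x%08x\n",
           unchecked_body_len(bad, sizeof bad));
    printf("checked parser accepts size 0: %s\n",
           checked_copy(bad, sizeof bad, buf, sizeof buf, &n) ? "yes" : "no");
    printf("checked parser accepts size 8: %s (%zu body bytes)\n",
           checked_copy(good, sizeof good, buf, sizeof buf, &n) ? "yes" : "no", n);
    return 0;
}
```

The hardened version checks the three relationships the unchecked one ignores: the declared size must at least cover the header, the derived body length must fit the destination, and it must not exceed the bytes actually received. Any one of those checks on its own is enough to reject the zero-size case the advisory describes.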
HP has confirmed this vulnerability and released a security patch for registered users.
Vulnerability Sources
bid:51398
hpsb:HPSBMU02785
metasploit
zdi:12-016
Generic Sources
cve.mitre.org
cvss-guide
cvss-calculator