Multi-stage exploit could leave enterprise networks in tatters
UPDATED A security researcher has chained a trio of serious vulnerabilities in HP Device Manager to achieve unauthenticated remote code execution (RCE) with admin privileges.
Organizations that use HP Device Manager, an application used by IT administrators to manage HP Thin Client devices, have been urged to update their systems after Nick Bloor achieved privilege escalation on a backdoor superuser account.
Bloor, founder of Cognitous Cyber Security, decided to mount deserialization attacks against HP Device Manager after discovering an open port was being used for the Java Remote Method Invocation (RMI) service registry during a network security assessment.
The information security consultant found the backdoor account with superuser privileges – dm_postgres – among a trove of usernames and MD5 password hashes leaked by two ports.
A recursive grep of the username’s installation directory uncovered an authentication failure.
Bloor then cracked the password hash from the Postgres users table with “a full brute-force of 1-8 characters […] followed by some dictionary and rule combinations, before breaking out the big guns with NPK and some EC2 GPU instances”, according to a blog post published yesterday (October 5).
YOU MIGHT ALSO LIKE BitLocker sleep mode vulnerability can bypass Windows’ full disk encryption
Still lacking remote access to the superuser account, he drew on previous research on escalating Postgres SQL injection to RCE by calling Postgres functions, then 2016 research (PDF) into ORM injection, in a bid to develop a workable local privilege escalation exploit via the Postgres database, and to “build a bridge” to the RMI service flaws.
After he “span up a Postgres database, cranked up the log verbosity, and used tail -f to watch the log file on one monitor”, he created a vulnerable Java application with an “identical injection point”.
After testing payloads that returned HQL queries and exceptions in real time, he “successfully smuggled Postgres function calls through a HQL [Hibernate Query Language] injection”.
Bloor’s blog post sets out the multi-stage process exhaustively, complete with the final, step-by-step exploit to gain remote control of the server.
Updates and mitigations
A HP security advisory released on September 25 confirmed that all three vulnerabilities are present in HP Device Manager versions 5.0.3 and below, and 4.7 up to and including service pack 12.
The issues were patched in HP Device Manager 5.0.4, which was rolled out on September 25.
HP’s security team has told The Daily Swig that it has targeted October 23 for the release of version 4.7, service pack 13.
In lieu of an update, HP said “customers can partially mitigate this issue” in the following ways:
- Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
- Remove the dm_postgres account from the Postgres database; or
- Update the dm_postgres account password within HP Device Manager Configuration Manager; or
- Within Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
Bloor expanded on this advice in a Twitter thread on September 29.
The Daily Swig has also contacted Bloor for further details.
This article was updated on October 12 with the mooted launch date of HP Device Manager version 4.7, service pack 13.