Shunra Network Virtualization for Hewlett-Packard toServerObject() Remote Code Execution Vulnerability
Description
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.
Technical Analysis
The specific flaw exists within the toServerObject function. The method does not properly sanitize the input to this function allowing for directory traversal. An attacker can leverage this vulnerability to write files under the context of SYSTEM and achieve remote code execution.
- The URL to access the web service:
public static final String WS_NETWORKEDITOR_TO_SERVER_OBJECT_URI = "/savefile/(unknown)";
- The “toServerObject” web service API:
public ShunraClientResponse toServerObject(String s, UIObject uiobject) throws Exception {
    try {
        return m_controller.toServerObject(uiobject, s);
    } catch (Exception exception) {
        exception.printStackTrace();
        m_logger.error(exception.getMessage(), exception);
        throw exception;
    }
}
Everything is delegated to:
private NetworkEditorController m_controller;
The NetworkEditorControllerImpl toServerObject:
public ShunraClientResponse toServerObject(UIObject uiobject, String s) {
    m_logger.debug("toServerObject");
    FlowValidator flowvalidator = new FlowValidator();
    try {
        uiobject.fileName = s;
        ShunraClientResponse shunraclientresponse = new ShunraClientResponse();
        ErrorMessages errormessages = new ErrorMessages();
        if (uiobject.flows.size() == 0)
            errormessages.generalErrors.add("Currently there are no flows to download");
        else
            errormessages = flowvalidator.ValidateCollisionsBetweenFlows(uiobject.flows);
        if (errormessages.containsErrors()) {
            shunraclientresponse.SetFailure(errormessages);
        } else {
            ObjectsConverter objectsconverter = new ObjectsConverter();
            FilesConverter filesconverter = new FilesConverter();
            NtxObjectRepresentation ntxobjectrepresentation = objectsconverter.ConvertFromUIObjectToMultiFlowNtx(uiobject);
            String s1 = filesconverter.ConvertFromObjectToFile(ntxobjectrepresentation);
            // "s" (the user-supplied file name) reaches the file-system sink without validation
            String s2 = storage.saveTemporaryForDownload(s, s1);
            shunraclientresponse.SetSuccess(s2);
        }
        return shunraclientresponse;
    } catch (Exception exception) {
        exception.printStackTrace();
    }
    return null;
}
Where “s” is the file path and is user-controlled. By default, files are saved to “c:\windows\temp\files” (Win 2003 SP2).
The attacker controls “s” through the URL; with “..\” sequences it is possible to perform directory traversal.
Unfortunately, the contents (s1) are JSON-converted contents. Example of valid JSON:
{ "fileName": "ntxFile", "flows": [{ "wanCloud": { "latency": { "latencyType": "Fixed", "latency": 75 }, "packetLoss": { "packetLossType": "None" }, "bitError": { "isActive": false, "avgFrequency": 0, "min": 0, "max": 0 }, "congestion": { "isActive": false, "avgFrequency": 0, "min": 0, "max": 0, "fixedLatency": { "latencyType": "Fixed", "latency": 0 }, "randomPacketLoss": { "packetLossType": "Random", "chance": 0 } }, "disconnect": { "isActive": false, "avgFrequency": 0, "min": 0, "max": 0 }, "duplicatePackets": { "isActive": false, "chance": 0, "min": 0, "max": 0 }, "fragmentation": { "isActive": false, "chance": 0, "maxTransmitUnit": 0, "behavior": "Ignore" }, "outOfOrder": { "isActive": false, "chance": 0, "min": 0, "max": 0 } }, "clientGateway": { "bandwidth": { "upLink": { "isManual": true, "bandwidth": 330 }, "downLink": { "isManual": true, "bandwidth": 780 } }, "isActiveBucketLimitation": false, "bucketLimitation": null, "isActivePacketOverhead": false, "packetType": null }, "serverGateway": { "bandwidth": { "upLink": { "isManual": true, "bandwidth": 0 }, "downLink": { "isManual": true, "bandwidth": 0 } }, "isActiveBucketLimitation": false, "bucketLimitation": null, "isActivePacketOverhead": false, "packetType": null }, "endpoints": { "serverEndpoint": { "rangeGroups": [{ "includeRange": { "fromIp": "1.0.0.0", "toIp": "255.255.255.255", "protocol": "ALL", "port": 0 }, "excludeRanges": [{ "fromIp": "1.0.0.0", "toIp": "1.0.0.0", "protocol": "ALL", "port": 0 }] }], "rangeDefinition": "custom" }, "clientEndpoint": { "rangeGroups": [{ "includeRange": { "fromIp": "1.0.0.0", "toIp": "1.0.0.0", "protocol": "ALL", "port": 0 }, "excludeRanges": [] }], "rangeDefinition": "custom" } }, "packetList": true, "name": "3G" }] }
It allows one to create a file like:
<NETWOR_X ID="Network_Editor" NAME="..\..\..\metasploit2.txt" ORIGIN="Network Editor Multi Flow" CREATED_BY="Network Editor Multi Flow" CREATED_ON_DATE="14-08-27 17:32:41" NETWOR_X_VERSION="2.2" CREATED_ON_HOST_NAME="juan-6ed9db6ca8">
  <NET_OBJECTS>
    <WAN_CLOUD FLOW_ID="FLOWS_1-3G" ID="ID_WAN_CLOUD_FLOWS_1-3G" NAME="Wan" DESCRIPTION="3G">
      <FIXED_LATENCY LATENCY="75.0"/>
    </WAN_CLOUD>
    <GATEWAY FLOW_ID="FLOWS_1-3G" ID="ID_CLIENT_GW_FLOWS_1-3G" NAME="Clientgateway">
      <NICS>
        <NIC FLOW_ID="FLOWS_1-3G" ID="ID_CLIENT_GW__NIC_1_FLOWS_1-3G" NAME="ClientDownlink" BANDWIDTH="780.0" IN_BW_UTIL="0" OUT_BW_UTIL="0" PACKET_OVERHEAD_BYTES=""/>
        <NIC FLOW_ID="FLOWS_1-3G" ID="ID_CLIENT_GW__NIC_2_FLOWS_1-3G" NAME="ClientUplink" BANDWIDTH="330.0" IN_BW_UTIL="0" OUT_BW_UTIL="0" PACKET_OVERHEAD_BYTES=""/>
      </NICS>
    </GATEWAY>
    <GATEWAY FLOW_ID="FLOWS_1-3G" ID="ID_SERVER_GW_FLOWS_1-3G" NAME="Servergateway">
      <NICS>
        <NIC FLOW_ID="FLOWS_1-3G" ID="ID_SERVER_GW__NIC_1_FLOWS_1-3G" NAME="ServerUplink" BANDWIDTH="0.0" IN_BW_UTIL="0" OUT_BW_UTIL="0" PACKET_OVERHEAD_BYTES=""/>
        <NIC FLOW_ID="FLOWS_1-3G" ID="ID_SERVER_GW__NIC_2_FLOWS_1-3G" NAME="ServerDownlink" BANDWIDTH="0.0" IN_BW_UTIL="0" OUT_BW_UTIL="0" PACKET_OVERHEAD_BYTES=""/>
      </NICS>
    </GATEWAY>
    <ENDPOINT FLOW_ID="FLOWS_1-3G" ID="ID_CLIENT_FLOWS_1-3G" NAME="Client">
      <INCLUDE_IPS>
        <IP_RANGE FROM_IP="1.0.0.0" TO_IP="1.0.0.0" PROTOCOL="0" PORT="0" IP_VERSION="4"/>
      </INCLUDE_IPS>
    </ENDPOINT>
    <ENDPOINT FLOW_ID="FLOWS_1-3G" ID="ID_SERVER_FLOWS_1-3G" NAME="Server">
      <INCLUDE_IPS>
        <IP_RANGE FROM_IP="1.0.0.0" TO_IP="255.255.255.255" PROTOCOL="0" PORT="0" IP_VERSION="4"/>
      </INCLUDE_IPS>
      <EXCLUDE_IPS>
        <IP_RANGE FROM_IP="1.0.0.0" TO_IP="1.0.0.0" PROTOCOL="0" PORT="0" IP_VERSION="4"/>
      </EXCLUDE_IPS>
    </ENDPOINT>
    <PACKET_LIST FLOW_ID="FLOWS_1-3G" ID="ID_PACKET_LIST_CLIENT_FLOWS_1-3G" NAME="PACKET_LIST_CLIENT_FLOWS_1-3G"/>
  </NET_OBJECTS>
  <LINKS>
    <LINK TO_OBJECT="ID_PACKET_LIST_CLIENT_FLOWS_1-3G" FROM_OBJECT="ID_CLIENT_FLOWS_1-3G" UNIDIRECTIONAL="false"/>
    <LINK TO_OBJECT="ID_CLIENT_GW__NIC_1_FLOWS_1-3G" FROM_OBJECT="ID_PACKET_LIST_CLIENT_FLOWS_1-3G" UNIDIRECTIONAL="false"/>
    <LINK TO_OBJECT="ID_WAN_CLOUD_FLOWS_1-3G" FROM_OBJECT="ID_CLIENT_GW__NIC_2_FLOWS_1-3G" UNIDIRECTIONAL="false"/>
    <LINK TO_OBJECT="ID_SERVER_GW__NIC_1_FLOWS_1-3G" FROM_OBJECT="ID_WAN_CLOUD_FLOWS_1-3G" UNIDIRECTIONAL="false"/>
    <LINK TO_OBJECT="ID_SERVER_FLOWS_1-3G" FROM_OBJECT="ID_SERVER_GW__NIC_2_FLOWS_1-3G" UNIDIRECTIONAL="false"/>
  </LINKS>
</NETWOR_X>
Text contents can be controlled. Feasible attack vector: upload a JSP. Problems:
- Shunra doesn’t handle JSP directly.
- Use the HP LoadRunner instance; unfortunately, it’s not necessary to run it to have Shunra running. So it’s hard to write a reliable exploit which works on the default conditions.
Maybe there is something I’m forgetting to get reliable code execution with a not fully controlled (text contents) traversal… feedback is welcome.
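The defect in the decompiled method above is that the user-supplied file name “s” is handed straight to storage.saveTemporaryForDownload(). The following is an added example, not Shunra/HP code and not the assessment author's: it models that sink with a hypothetical SafeDownloadStorage class and shows the unvalidated shape next to a hardened one that confines every write to the base directory. The class, method and variable names, the use of a temp directory in place of the default c:\windows\temp\files, and the sample file names passed in main are all assumptions made for the example; the only value taken from the page is the ..\..\..\metasploit2.txt name, used here as a rejected input.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example (hypothetical names). "fileName" plays the role of "s" and
// "contents" the role of "s1" from the decompiled toServerObject() method.
public final class SafeDownloadStorage {

    private final Path baseDir;

    public SafeDownloadStorage(Path baseDir) throws IOException {
        // toRealPath() canonicalises the directory (resolving symlinks) so later
        // containment checks compare against a stable absolute prefix.
        this.baseDir = baseDir.toRealPath();
    }

    /** Unvalidated shape: the name is joined to the base directory as-is. */
    public Path unsafeSave(String fileName, String contents) throws IOException {
        Path target = baseDir.resolve(fileName); // "..\..\x" walks out of baseDir on Windows
        Files.write(target, contents.getBytes(StandardCharsets.UTF_8));
        return target;
    }

    /** Hardened shape: only a single path element directly inside baseDir is accepted. */
    public Path safeSave(String fileName, String contents) throws IOException {
        Path target = resolveInside(fileName);
        Files.write(target, contents.getBytes(StandardCharsets.UTF_8));
        return target;
    }

    /** Returns the validated absolute path, or throws IllegalArgumentException. */
    Path resolveInside(String fileName) {
        if (fileName == null || fileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Reject both separator styles explicitly. On Linux '\' is an ordinary
        // name character, so Path would not treat "..\" as traversal there, but the
        // Windows target does; checking both keeps behaviour identical on any host.
        if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("separators or dot segments not allowed: " + fileName);
        }
        Path target;
        try {
            target = baseDir.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name: " + fileName, e);
        }
        // Belt and braces: after normalisation the result must still be a direct child of baseDir.
        if (target.getParent() == null || !target.getParent().equals(baseDir)) {
            throw new IllegalArgumentException("resolved path escapes base directory: " + fileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the default save directory noted in the assessment.
        Path tmp = Files.createTempDirectory("ntx-files");
        SafeDownloadStorage storage = new SafeDownloadStorage(tmp);

        System.out.println("accepted: " + storage.safeSave("ntxFile.ntx", "<NETWOR_X/>"));

        // Constructed inputs: the page's traversal name plus two generic variants.
        String[] rejected = {"..\\..\\..\\metasploit2.txt", "../../outside.txt", "sub/dir.ntx"};
        for (String bad : rejected) {
            try {
                storage.safeSave(bad, "<NETWOR_X/>");
                System.out.println("MISSED (fix the check): " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is deliberately on the name rather than the contents: as the assessment notes, the written bytes are converter output the caller only partly controls, but the path is what decides whether an attacker can drop a file under SYSTEM outside the temp directory, so the name is where containment belongs. A useful complementary control is to have the download step return an opaque handle and look the real path up server-side, so no client-supplied string ever reaches the file system at all.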