HPE Intelligent Management Center arbitrary file upload vulnerability
HPE Intelligent Management Center (IMC) is a popular management system designed to integrate the management of devices, services and users. It provides features and functions that are designed for comprehensive management of the network infrastructure. An arbitrary file upload vulnerability exists in the HPE Intelligent Management Center. The server application that handling the file upload fails to filter the file extension when handling certain HTTP request, causing a arbitrary file upload vulnerability. An attacker could send a crafted HTTP POST request to the server url, uploading malicious scripts and execute them under the privilege of the server process.
HPE IMC’s server side is based on the Java servlets. Such servlets include one called FileUploadServlet, which supports the upload of XML files. It is mapped to the following URL:
https://:8443/imc/flexFileUpload
This interface and a method called doPost() will handle the HTTP parameters and execute the file uploading logic. The POST parameter “name” determines the filename on the server side. However, the code doesn’t check the file extension carries in this parameter. An attacker could send a malicious request to the server application, renaming the file to a server side executable format, such as jsp or jspx, and get a webshell.
String fileName = s + "/" + URLDecoder.decode(item.getFieldName(), "UTF-8"); log.debug("flex UploadFileName:" + fileName); //Rename the uploaded file without any filtering File file = new File(fileName); if (log.isDebugEnabled()) { log.debug("FileItem :" + item.getName() + "size:" + item.getSize() + "isInMemory:" + item.isInMemory()); log.debug("FileInfo:uploadFileName:" + file.getAbsolutePath()); }
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13056: HPE Intelligent Management Center Arbitrary File Upload
