Exploiting Untrusted Objects through Deserialization: Analyzing 1 of 100+ HPE Bug Submissions

December 01, 2017 | Vincent Lee

An in-depth analysis on various attack vectors in HPE IMC -- HPE IMC Case Blog Part 1

This is a series of blog posts aimed at discussing different attack vector types that exist within the HPE Intelligent Management Center (IMC). We'll do technical deep dives into various bug classes as HPE patches them out. What makes IMC a great target to talk about is its diversity in bug types: some are classic, some are modern and some are esoteric.

How it all began... Deserialization of untrusted objects in HPE IMC

Back in early March 2017, a few bug submissions on HPE IMC from Steven Seeley (mr_me) were assigned to me for triaging. And the story of how I ended up analyzing more than 100 HPE cases begins...

One of the first bugs I analyzed was ZDI-17-832, which is an unauthenticated Java deserialization RCE bug. This bug class was popularized by a blog post written by Steve Breen and the release of the ysoserial payload generator in 2015. Here’s a quick video of the exploit in action:

In the recently patched ZDI-17-832, a web server starts listening on port 8443 upon installation. One of the listening servlets is WebDMDebugServlet. This servlet is defined in imcweb_dm.jar and accessible through the hxxp://<host>:8443/imc/topo/WebDMDebugServlet URL. Below is its corresponding entry in web.xml:

Following is the decompiled WebDMDebugServlet class:

We can see that both HTTP GET and POST requests are handled by the doPost() method, and the HttpServletRequest object is passed to extractObjectFromHttpRequest() directly. Let's take a look at what this function does:

And bingo! We have found the vulnerable code! The request.getInputStream() function retrieves the body of the HTTP request as binary data and stores it in the in variable. The ObjectInputStream#readObject() method then attempts to deserialize the user-controlled data and do evil things when a malicious payload is passed to this method. A payload that pops calc can be quickly generated with ysoserial using the following command:

        java -jar ysoserial.jar JSON1 "cmd /c calc.exe" > payload.ser

With this payload and the Python script below, an attacker can launch calc.exe with SYSTEM privileges. 
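To make the root cause concrete from the defender's side, here is an added example (not HPE's code, not the servlet's decompiled source, and not from the original post) that puts the unsafe pattern described above beside a hardened version. The unsafe method is the same shape as extractObjectFromHttpRequest(): it hands the raw request body to ObjectInputStream#readObject(), so whatever class the stream names is instantiated before the caller can inspect it. The hardened method uses look-ahead deserialization: an ObjectInputStream subclass overrides resolveClass() and rejects any class that is not on an explicit allowlist, so a gadget chain never gets constructed. The DebugRequest type, the class and method names, and the use of a HashMap as a stand-in for an unexpected class are all hypothetical; the real types the servlet expects are not shown on the page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class SafeDeserializationDemo {

    // Hypothetical message type that a debug servlet might legitimately expect.
    public static final class DebugRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String command;
        DebugRequest(String command) { this.command = command; }
        @Override public String toString() { return "DebugRequest(" + command + ")"; }
    }

    // Unsafe pattern (same shape as the vulnerable servlet method): every class named
    // in the stream is resolved and instantiated before readObject() returns.
    static Object extractObjectUnsafe(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();
        }
    }

    // Look-ahead deserialization: resolveClass() runs for each class descriptor in the
    // stream before any instance is created, so unexpected classes are rejected early.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList(DebugRequest.class.getName())));

        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Hardened replacement: allowlisted stream plus a type check on the result.
    static DebugRequest extractObjectSafe(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(body)) {
            Object o = in.readObject();
            if (!(o instanceof DebugRequest)) {
                throw new InvalidClassException(o.getClass().getName(), "unexpected top-level object");
            }
            return (DebugRequest) o;
        }
    }

    // Helper used only to build constructed sample request bodies for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new DebugRequest("ping"));
        // Constructed stand-in for a class the servlet never intended to accept.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe, expected body:   " + extractObjectUnsafe(new ByteArrayInputStream(expected)));
        System.out.println("unsafe, unexpected body: " + extractObjectUnsafe(new ByteArrayInputStream(unexpected)));
        System.out.println("safe, expected body:     " + extractObjectSafe(new ByteArrayInputStream(expected)));
        try {
            extractObjectSafe(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("safe, unexpected body:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unsafe path happily returns the HashMap, which is exactly why a gadget chain rooted in a JDK collection class works against it; the hardened path throws before the first unexpected object exists. On Java 9 and later (and 8u121 and later) the same allowlist can be expressed with the built-in ObjectInputFilter from JEP 290 instead of a subclass, which is the preferable mechanism when it is available; either way, the allowlist must be restricted to the handful of types the endpoint actually needs, and an unauthenticated endpoint that accepts serialized objects at all should be treated as a finding in its own right.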

Poking around (and the bear)...

A quick grep for ObjectInputStream in the decompiled source code of the product revealed more uses of Java deserialization and potentially more bugs! Some of these bugs were not reported by mr_me in his first batch of case submissions. Moreover, as I was reviewing the submission details of ZDI-17-833, I found he had accidentally included snippets of an unsubmitted bug in the case details. Not wanting to steal bugs from our researchers, we sent him an email that went something along the lines of:

Hey Steven,

Just out of curiosity, do you have any other bugs in this product? If so, now is probably a good time to send them over. wink wink

And a few days later, we all know how this story ended. ;)

HPE patched this bug along with two other CVEs with the aptly named IMC PLAT 7.3 E0506P03. Check back on the blog for the continuation of this series. My next blog covers how an attempted patch issued by HPE didn’t quite achieve the intended effect. Until then, you can find me on Twitter @TrendyTofu, and follow the team for the latest in exploit techniques and security patches.