TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-059-002
Countries: IN, CN
Report Date: 20180224

XXE in HP Project and Portfolio Management Center

Researchers have discovered a 0day vulnerability in Hewlett-Packard (HP) Project and Portfolio Management Center which could allow attackers to read sensitive files and data on the target system and also execute malicious input. These researchers found an XML entity injection vulnerability in the way HP PPM processed import tickets.

XML Entity (XXE) Injection

An XML External Entity attack is a variant attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a poorly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other negative system impacts.[1]
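A defensive pre-check for imported XML, as an added example that is not from this report or from HP: it parses the document with Python's expat bindings without fetching anything, records every DOCTYPE, entity declaration and external entity reference, and refuses the import if any is present. The function names, the sample documents and the host name are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample: an import document that declares an external entity.
# The host name is a placeholder, not a value from the report.
SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE requests [
  <!ENTITY ext SYSTEM "ftp://collector.example.invalid/x">
]>
<requests><request>&ext;</request></requests>"""

# Constructed sample: an ordinary import with no DTD.
SAMPLE_OK = b"<requests><request>Renew licence</request></requests>"


def audit_xml(data: bytes) -> list:
    """Parse without resolving entities; return DTD/entity findings."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name, sysid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # sysid is set only for external entities (SYSTEM/PUBLIC).
        findings.append(("entity", name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference but never fetch it; 1 tells expat to go on.
        findings.append(("external-ref", sysid))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return findings


def accept_import(data: bytes) -> bool:
    """Fail closed: refuse any document with a DTD, or malformed XML."""
    try:
        return audit_xml(data) == []
    except xml.parsers.expat.ExpatError:
        return False
```

The findings list is also useful as a log record: an external system identifier in an import request is worth alerting on even when the import is refused.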

Impact

The vulnerability exists in the XML import feature. On this page a user is able to import several requests into the ticketing system. If the XML processor was not configured properly, it could allow references to external entities.

This feature allowed the inclusion of external entities. The HP PPM XML import feature has a “test” button functionality. This allows execution of XML without saving it in the database, thus allowing it to execute remote code with a minimum footprint.

A remote XXE-FTP server was created from code available on GitHub.[2] This server hosts a malicious external entity which, when submitted with the original discovered payload, will exfiltrate any specified file from the target web server running HP PPM to the attacker-controlled server over FTP. The following code was used to exfiltrate the /etc/passwd file and was submitted as POST data to the endpoint below:

Using the same technique, various information can be revealed regarding the server, which enables attackers to run various commands remotely.[3] This vulnerability is extremely dangerous.

Mitigation and Prevention Strategies

For members using HP PPM in their environment, an advisory has been published by HP. Members are advised to follow the advisory at:

https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03014426

and follow the steps explained there to mitigate this issue.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or feedback@wapacklabs.com

 

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

[2] https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/python/xxe-server.py

[3] https://rhinosecuritylabs.com/application-security/xxe-zeroday-vulnerability-in-hp-project/
