Rapid7 is advising HP SiteScope users to run the tool on Linux rather than Windows servers because of a nasty command injection vulnerability that hands attackers SYSTEM-level privilege.
The agentless monitoring environment that headlines HP's operational management offerings lets anyone who can reach its web console (authenticated users, if a password has been set) run commands with system privilege, the security bods explain.
The problem is that the SiteScope DNS tool also serves as a command injection vector.
In a default installation – and let's not kid ourselves, sysadmins are also prone to running default configs – “any user who can navigate to the SiteScope service [at http://servername:8080/SiteScope/servlet/Main, as the post explains] may execute arbitrary commands on the underlying operating system. If a password is set, only authenticated users may do so, which is still an unexpected level of operating system access.”
From that console, the attacker can run SiteScope's DNS tool to exploit the command injection vulnerability by appending operating system commands to DNS requests.
A request to resolve Google.com can therefore act as the vector: appending & net user HPpoc QWERty1234 /ADD & net localgroup administrators HPpoc /ADD to the name gets the shell to run each piece in turn, creating a new local user and dropping it into the Administrators group.
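To make the pattern concrete, here is an added example (not code from the article, HP or Rapid7) of a minimal stand-in for a DNS tool that shells out to nslookup. The vulnerable builder shows the string a naive tool would hand to cmd.exe and how the & separators split it into three commands; the hardened version allow-lists the hostname and passes it as an argv element with no shell at all. The hostname regex, the payload string and the command splitter are assumptions for illustration, and the payload is only parsed, never executed.

```python
"""Added example: command injection through a DNS lookup tool, and its fix.
Not the SiteScope code; the payload and helper names are constructed here."""
import re
import subprocess
from typing import List

# Constructed payload in the shape the article describes: a legitimate name
# followed by Windows command separators and extra commands.
PAYLOAD = ("google.com & net user HPpoc QWERty1234 /ADD"
           " & net localgroup administrators HPpoc /ADD")


def vulnerable_command_line(host: str) -> str:
    """The string a naive tool builds and hands to a shell (shell=True, or
    Runtime.exec via cmd.exe). Returned rather than executed so the example
    is safe to run; the shell would treat each '&' as a command boundary."""
    return f"nslookup {host}"


def windows_shell_split(cmdline: str) -> List[str]:
    """Simplified model of cmd.exe: '&' is an unconditional separator, so every
    piece runs with the tool's own privilege. Ignores quoting and '&&'/'||'."""
    return [part.strip() for part in cmdline.split("&") if part.strip()]


# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, each label at most 63 characters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: anything outside the hostname grammar is rejected,
    which catches spaces, '&', ';', '|' and the rest of the shell syntax."""
    return bool(_HOSTNAME_RE.match(host))


def hardened_argv(host: str) -> List[str]:
    """Validate, then build an argv list. With no shell involved, even a name
    that slipped through could not be split into further commands."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["nslookup", host]


def hardened_lookup(host: str) -> str:
    """Runs the lookup without a shell. Needs nslookup on PATH, so it is not
    called from the demo below."""
    return subprocess.run(hardened_argv(host), capture_output=True,
                          text=True, shell=False, timeout=10).stdout


if __name__ == "__main__":
    print("shell would run:", windows_shell_split(vulnerable_command_line(PAYLOAD)))
    for name in ("google.com", PAYLOAD):
        try:
            print("argv:", hardened_argv(name))
        except ValueError as err:
            print(err)
```

The point of the argv form is defence in depth: validation stops the known payload, and dropping the shell means there is no parser left for a payload the regex did not anticipate to exploit.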
If SiteScope is run as a non-root user on Linux, the injected commands run with that user's privileges rather than root's, which blunts the impact; alternatively, access to the web app should only be given to users trusted with local system access anyway.
“On Windows, SiteScope appears to require local SYSTEM access in order to perform intended functionality, so account permissions for the application or individual users would not appear to be effective”, the Rapid7 post notes. ®