HP LoadRunner Virtual User Generator EmulationAdmin service directory traversal

Added: 12/18/2013
CVE: CVE-2013-4837
BID: 63475
OSVDB: 99231

Background

HP LoadRunner is a software performance testing solution.

Problem

A directory traversal vulnerability in the Virtual User Generator EmulationAdmin service allows remote attackers to upload files to arbitrary locations using the copyFileToServer method. The files could then be executed via an HTTP request.

Resolution

Apply LoadRunner patch v11.52.1, which can be downloaded from HP Software Support Online (SSO).

References

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437
http://www.zerodayinitiative.com/advisories/ZDI-13-259/

Limitations

Exploit works on HP LoadRunner 11.52. HP LoadRunner must be installed in the standard installation path.

Platforms

Windows
