HP Power Manager formExportDataLogs buffer overflow
Added: 01/22/2010CVE: CVE-2009-3999
BID: 37867
OSVDB: 61848
Background
HP Power Manager is a web-based application that enables administrators to manage an HP UPS from a browser-based management console.Problem
A buffer overflow vulnerability HP Power Manager allows remote attackers to execute arbitrary commands by sending an HTTP POST request for the formExportDataLogs program with a specially crafted fileName parameter.Resolution
Upgrade to HP Power Manager 4.2.10 or higher.References
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01971741http://secunia.com/secunia_research/2009-47/
Limitations
Exploit works on HP Power Manager 4.2.9 on Microsoft Windows Server 2003 SP2 with patch KB933729.Platforms
WindowsBack to exploit index