
No-Scoped HP SiteScope

Overview

Recently on an internal penetration test engagement I ran into an installation of HP SiteScope. Wikipedia defines HP SiteScope as “agentless monitoring software focused on monitoring the availability and performance of distributed IT infrastructures, including servers, network devices and services, applications and application components, operating systems and various IT enterprise components.”

According to the publicly available configuration manual, HP SiteScope uses pre-configured credentials to authenticate to the remote hosts it monitors. As an attacker this seems like a good target, as it could provide additional access to other hosts within the environment. This blog post will discuss the discovery and exploitation of HP SiteScope.

Discovery

Nessus first discovered the instance internally with the following result:

1.png

The screenshot above shows Nessus determining the remote instance of HP SiteScope was vulnerable to an arbitrary file download vulnerability. This could be useful to extract sensitive files from the local file system.

Exploitation

Upon further review, I determined Metasploit has an auxiliary module for this exact exploit. I ran the following command to leverage the module:

use auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess

Once loaded up we can see the default configurations:

2.png

The following options are required:

  • RFILE (Exact file path to file to retrieve)
  • RHOSTS (The target IP address of the vulnerable HP SiteScope instance)
  • RPORT (TCP port of the HP SiteScope instance)
  • TARGETURI (Web path to HP SiteScope)

Looking into some other posts online, it was determined that HP SiteScope has some configuration files that can contain sensitive credentials to the web interface as well as to the monitored hosts. Typically, the credentials are stored within the “master.config” & “user.config” files. The tricky part is discovering the correct file path to the files.

The examples online show the file path as <install root>\sitescope\groups\<file>. Making some guesses, I was able to get it on my third try with E:\sitescope\groups\<file>, as we can see from my configuration and attempt below:

3.png

The file being retrieved utilizing Metasploit –

4.png
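From the defender's side, the request pattern described above (a call to the legacy getFileInternal operation carrying an absolute path into the SiteScope groups directory) is something a reverse proxy or WAF log can be searched for. The following detection script is an added example and is not part of the original post or any HP or Metasploit code. It assumes request bodies are logged, that the legacy operation is reached under the /SiteScope/ web path at a service path of services/APIMonitorImpl (the path I believe the Metasploit module uses; treat it as an assumption), and it uses a constructed tab-separated log format of source, method, path and body.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    src: str
    method: str
    path: str
    body: str


# Indicators taken from the write-up: the legacy getFileInternal operation
# (named in the Metasploit module), the SiteScope credential stores
# master.config / user.config, and the <install root>\sitescope\groups path.
SITESCOPE_PATH = re.compile(r"^/SiteScope/", re.I)
LEGACY_OP = re.compile(r"getFileInternal", re.I)
SENSITIVE_FILES = re.compile(r"(master|user)\.config", re.I)
GROUPS_DIR = re.compile(r"[\\/]sitescope[\\/]groups[\\/]", re.I)


def parse_log(text):
    """Parse constructed 'src<TAB>method<TAB>path<TAB>body' lines (assumed format)."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        # Tolerate a missing body column (e.g. GET requests).
        while len(fields) < 4:
            fields.append("")
        requests.append(Request(*fields))
    return requests


def score(req):
    """Return the list of reasons a request looks like SiteScope file retrieval."""
    reasons = []
    if SITESCOPE_PATH.search(req.path) and LEGACY_OP.search(req.body):
        reasons.append("legacy getFileInternal operation invoked")
    text = req.path + " " + req.body
    if SENSITIVE_FILES.search(text):
        reasons.append("references SiteScope credential store (master.config/user.config)")
    if GROUPS_DIR.search(text):
        reasons.append("absolute path into <install root>\\sitescope\\groups")
    return reasons


def detect(requests):
    """Return (source, reasons) for every request with at least one indicator."""
    hits = []
    for req in requests:
        reasons = score(req)
        if reasons:
            hits.append((req.src, reasons))
    return hits


# Constructed sample log: two benign requests and two calls to the legacy API.
SAMPLE_LOG = """\
10.0.0.5\tGET\t/SiteScope/\t
10.0.0.5\tPOST\t/SiteScope/services/APIMonitorImpl\t<getFileInternal><filename>E:\\sitescope\\groups\\master.config</filename></getFileInternal>
10.0.0.9\tPOST\t/SiteScope/services/APIMonitorImpl\t<getFileInternal><filename>C:\\temp\\notes.txt</filename></getFileInternal>
10.0.0.7\tGET\t/SiteScope/cgi/go.exe/SiteScope?page=login\t
"""

if __name__ == "__main__":
    for src, reasons in detect(parse_log(SAMPLE_LOG)):
        print(src, "->", "; ".join(reasons))
```

Any hit on the legacy operation alone is worth an alert once the API has been disabled per the remediation guidance, since nothing legitimate should be calling it; a hit that also names master.config or user.config should be treated as a credential-theft attempt and the stored credentials rotated.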

The Reward

Taking a look at the downloaded BIN files, we can view them using any text editor:

5.jpg

The below screenshot shows some parameters referenced within the file, such as defaultAuthPassword, defaultAuthUsername, and defaultMachine. The password within the file is encrypted.

6.png

Looking around GitHub I came across the following repository. This code will allow anyone to decrypt HP SiteScope passwords, since they are encrypted with 3DES under a static encryption key. Getting the tool downloaded and requirements squared away, we can run the decryption tool with the following command:

./decryptor.js -p '<encrypted password>'

Here we have decrypted the password in the file:

7.png

Utilizing Metasploit’s SMB login module we can see the credentials are correct by logging into the HP SiteScope host:

8.png

Remediation

HP recommends the following steps to remediate the issue:

  • Update HP SiteScope to the latest version
  • Add the following line to the master.config file:
    • disabledOldAPIs=true

For more information regarding this vulnerability, refer to the following HP link: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03489683
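To verify the hardening step across an estate rather than trusting that it was applied, the master.config setting can be checked programmatically. The script below is an added example, not HP tooling or code from the post. It assumes master.config is a Java properties-style file of key=value lines with # comments (the format the disabledOldAPIs=true line implies); the sample file contents are constructed.

```python
from pathlib import Path


def parse_properties(text):
    """Parse key=value (or key: value) lines; '#'/'!' comments and blanks are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def check_master_config(text):
    """Return (ok, message) for the disabledOldAPIs hardening flag HP recommends."""
    props = parse_properties(text)
    value = props.get("disabledOldAPIs")
    if value is None:
        return (False, "disabledOldAPIs not set; add disabledOldAPIs=true to master.config")
    if value.lower() != "true":
        return (False, f"disabledOldAPIs={value}; set it to true")
    return (True, "legacy APIs disabled")


def check_file(path):
    """Check an on-disk master.config (e.g. <install root>\\sitescope\\groups\\master.config)."""
    return check_master_config(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed samples: the weak file lacks the flag, the fixed file sets it.
WEAK = "# constructed sample master.config\n_exampleSetting=placeholder\n"
FIXED = WEAK + "disabledOldAPIs=true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        ok, msg = check_master_config(text)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {msg}")
```

Run check_file against the groups\master.config path on each SiteScope host after the upgrade; a FAIL means the legacy file-retrieval API is still reachable regardless of version, and the stored monitoring credentials should be rotated as well if the host was exposed.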