SERVER-WEBAPP HP LoadRunner Virtual User Generator EmulationAdmin directory traversal attempt

This alert is triggered when detecting an adversary attempt to exploit CVE-2013-4837 a directory traversal vulnerability in the HP LoadRunner, which could allow them to read arbitrary files on the server. HP LoadRunner is a software testing tool from HP. It is used to test applications and to measure system behavior, and performance under load. The rule checks for a specific pattern indicating an attempt at directory traversal, where an attacker tries to access and read files and directories that are stored outside the web root folder.

ID Number

29017

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP LoadRunner Virtual User Generator EmulationAdmin directory traversal attempt"; flow:to_server,established; content:"/ServiceEmulation/services/EmulationAdmin"; fast_pattern:only; http_uri; content:"|3A|string"; nocase; http_client_body; pcre:"/\x3astring[^>]*?>[^<]*?(\x2e|%2e){2}([\x5c\x2f]|%5c|%2f)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,63475; reference:cve,2013-4837; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03969437; classtype:attempted-admin; sid:29017; rev:8;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to ensure that the HP Intelligent Management Center (IMC) is up-to-date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine if the attempted exploitation was successful. Look for signs of malicious files or execution of arbitrary code. If possible, block communication Attempts from external networks, or enable access from specific external devices only.