H3C Intelligent Management Center Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in H3C Intelligent Management Center (IMC) versions through E0632H07. The issue resides in the /byod/index.xhtml endpoint, where improper handling of JSF ViewState allows an unauthenticated attacker to submit POST requests carrying a forged javax.faces.ViewState parameter. Successful exploitation results in arbitrary command execution on the server. Notably, the vulnerability can be exploited without authentication and without any session cookie.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the server, with the potential to write backdoors, gain server privileges, and take control of the entire web server.

Reproduction

To reproduce this vulnerability, access the /byod/index.xhtml endpoint without authentication or session cookies. Once the page is loaded, locate the action parameter and the javax.faces.ViewState parameter. After obtaining the ViewState, craft a POST request to the same endpoint, including the forged ViewState and other necessary parameters. This will execute arbitrary commands on the server.
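A defender-side check, added here as an example and not part of the advisory: it scans constructed web-access log lines for the traffic pattern described above, a POST to /byod/index.xhtml carrying a javax.faces.ViewState parameter with no session cookie. The log format, the field layout and the JSESSIONID cookie name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample access-log lines in an assumed format:
#   client_ip method path status cookie="..." body="..."
# They are illustrative only, not real H3C IMC logs.
SAMPLE_LOG = """\
10.0.0.5 GET /byod/index.xhtml 200 cookie="-" body="-"
10.0.0.5 POST /byod/index.xhtml 200 cookie="-" body="javax.faces.ViewState=AAAA&action=go"
10.0.0.7 POST /byod/index.xhtml 200 cookie="JSESSIONID=abc123" body="javax.faces.ViewState=BBBB&action=go"
10.0.0.9 POST /imc/login.xhtml 302 cookie="-" body="username=x&password=y"
"""

TARGET_PATH = "/byod/index.xhtml"
VIEWSTATE_PARAM = "javax.faces.ViewState"
SESSION_COOKIE = "JSESSIONID="  # assumed session cookie name

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'cookie="(?P<cookie>[^"]*)" body="(?P<body>[^"]*)"$'
)

@dataclass
class Finding:
    ip: str
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Flag a POST to the BYOD endpoint that carries a ViewState parameter."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
        return None
    params = dict(p.split("=", 1) for p in m["body"].split("&") if "=" in p)
    if VIEWSTATE_PARAM not in params:
        return None
    # No session cookie plus a ViewState POST is the unauthenticated pattern
    # the advisory describes; with a cookie it is a normal flow worth review.
    if SESSION_COOKIE in m["cookie"]:
        return Finding(m["ip"], "ViewState POST with session cookie (review)")
    return Finding(m["ip"], "ViewState POST without session cookie (high)")

def scan(log_text: str) -> list:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```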

Added: Aug 27, 2025, 10:43 PM
Updated: Aug 27, 2025, 10:43 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact         10.0
  exploitability  9.5
  remediation     0.0
  relevance       0.4
  threat          6.5
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.