Functional Testing                             

Find below the details of a vulnerability in the HP Quality Center product (formely Mercury Quality Center). It is referenced as CVE-2007-5289 (VU#898865).

To solve this issue, it is advised to upgrade to version 9.2 of Quality Center and apply the latest patch.

Note that Quality Center 10.0 is vulnerable to this issue.

Introduction

Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP when they took over Mercury Interactive last year.

The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allow the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.

In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contain a copy of the workflow scripts used to customize the application. Indeed, those files are required on the client machine because the workflow is execute on the client, not on the server.

There exists 1 VBScript workflow file per feature. Those are:

• Login/Logout (common.tds)
• Defects module (defects.tds)
• Manual Test Execution (manrun.tds)
• Test Requirements module (req.tds)
• Test Lab module (testlab.tds)
• Test Plan module (testplan.tds)

The customization feature of Quality Center is often used for:

• Controlling password compliance (no blank password, more than 8 letters, etc.)
• Chained lists (when a value is selected in a field, another field gets updated with a list relevant to that value)
• Automatic updates to some QC components (Test, Test Set, Defect objects, hidden fields)
• Hidding information depending on the user’s group (used when a project is shared with different vendors)
• Others

The workflow is often driven by using the OTA (Open Test Architecture), the Quality Center API. This API allows the manipulation of any QC object (e.g. Subject folder, Test/Defect objects, Fields, etc.). It also allows the direct manipulation of the database used by Quality Center.

Issue

When a user connects to Quality Center, the cache folder is automatically updated with the latest VBScript workflow files. Those files are then read by the QC front-end only once for the whole session. They are then used by the application whenever the associated events are raised.

There are 2 main points that make this workflow highly vulnerable:

1. Those files are written in plain text;
2. Marking those files as read-only (through the file properties) will prevent Quality Center from overwriting them.

If a user modifies this file and then mark it as read-only, he can execute arbitrary code. As the OTA API allows access to the database, he can also modify the data stored in the database as follows:

• Quality Center 10.0 Patch 1 or below (Tested)
  – Severity High: user has higher capability than defined by their profile
• Quality Center 9.2 (Unconfirmed)
  – Severity High: user has higher capability than defined by their profile;
  – Patch 14 contains the fix, earlier patches is unknown
• Quality Center 9.0 Patch < 17
  - Severity Highly Critical: a user (even with a Viewer profile) can amend the data rendering it useless. He will also have higher capability than defined by their profile
• Quality Center 8.2 / 8.0 (Unconfirmed)
  – Severity Highly Critical: a user (even with a Viewer profile) can amend the data rendering it useless. He will also have higher capability than defined by their profile
• TestDirector (Any Version)
  – TestDirector is the former name of Quality Center
  – Potentially the same issues as for Quality Center 9.0 Patch < 17

Please note that HP has released a patch that fixes this issue, please contact HP support for further details.

Example

This really short example shows how a user can simply change the content of all the defects to some meaningless values:

Please, do not try the following example as it will permanently damage you Quality Center data.

Sub Defects_Bug_MoveTo
Set objCommand = TDConnection.Command
objCommand.CommandText = "UPDATE BUG SET BG_SUMMARY='Useless', BG_DESCRIPTION='Useless'"
objCommand.Execute
End Sub

Notes

You can find your patch level by login into a Quality Center project, selecting the menu option Help > About HP Quality Center Software… and clicking the Additional Information button.

Patches for Quality Center are available at http://support.openview.hp.com/selfsolve/patches (login required).

This entry was posted on Monday, February 23rd, 2009 at 11:45 am and is filed under Quality Center. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.