Find below the details of a vulnerability in the HP Quality Center product (formely Mercury Quality Center).

Introduction
------------------

Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP when they took over Mercury Interactive last year.

The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allow the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.

In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contain a copy of the workflow scripts used to customize the application. Indeed, those files are required on the client machine because the workflow is execute on the client, not on the server.

There exists 1 VBScript workflow file per feature. Those are:
    * Login/Logout (common.tds)
    * Defects module (defects.tds)
    * Manual Test Execution (manrun.tds)
    * Test Requirements module (req.tds)
    * Test Lab module (testlab.tds)
    * Test Plan module (testplan.tds)

The customization feature of Quality Center is often used for:
    * Controlling password compliance (no blank password, more than 8 letters, etc.)
    * Chained lists (when a value is selected in a field, another field gets updated with a list relevant to that value)
    * Automatic updates to some QC components (Test, Test Set, Defect objects, hidden fields)
    * Hidding information depending on the user's group (used when a project is shared with different vendors)
    * Others

The workflow is often driven by using the OTA (Open Test Architecture), the Quality Center API. This API allows the manipulation of any QC object (e.g. Subject folder, Test/Defect objects, Fields, etc.). It also allows the direct manipulation of the database used by Quality Center.

Issue
-------

When a user connects to Quality Center, the cache folder is automatically updated with the latest VBScript workflow files. Those files are then read by the QC front-end only once for the whole session. They are then used by the application whenever the associated events are raised.

There are 2 main points that make this workflow highly vulnerable:
    1. Those files are written in plain text;
    2. Marking those files as read-only (through the file properties) will prevent Quality Center from overwriting them.

If a user modifies this file and then mark it as read-only, he can execute arbitrary code. As the OTA API allows access to the database, he can also modify the data stored in the database as follows:
    * Quality Center 9.2 (Unconfirmed)
          - Severity High: user has higher capability than defined by their profile
    * Quality Center 9.0 Patch < 17
          - Severity Highly Critical: a user (even with a Viewer profile) can amend the data rendering it useless. He will also have higher capability than defined by their profile
    * Quality Center 8.2 / 8.0 (Unconfirmed)
          - Severity Highly Critical: a user (even with a Viewer profile) can amend the data rendering it useless. He will also have higher capability than defined by their profile
    * TestDirector (Any Version)
          - TestDirector is the former name of Quality Center
          - Potentially the same issues as for Quality Center 9.0 Patch < 17

Please note that HP has released a patch that fixes this issue, please contact HP support for further details.

Example
------------

This really short example shows how a user can simply change the content of all the defects to some meaningless values:

Sub Defects_Bug_MoveTo
    Set objCommand = TDConnection.Command
    objCommand.CommandText = "UPDATE BUG SET BG_SUMMARY='Useless', BG_DESCRIPTION='Useless'" 
    objCommand.Execute
End Sub

Other Information
-------------------------

Discovered By: Exposit Limited
Internet:            http://www.exposit.co.uk

Exposit Limited is a functional testing consultancy company specialized in HP (formely Mercury) Testing Tools.