[NT] NodeManager Professional Buffer Overflow (%DATA)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/18/05

    To: list@securiteam.com
    Date: 18 Jan 2005 12:47:55 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      NodeManager Professional Buffer Overflow (%DATA)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.h4.dion.ne.jp/~you4707/NodeManagerPro.html> NodeManager
    Professional is "a network management and monitoring tool. It receives
    SNMPv1 traps and displays them on screen and writes them to a log file".

    NodeManager Professional has been found to contain a stack overflow
    vulnerability that can be exploited by sending a specially crafted SNMPv1
    trap.

    DETAILS

    Vulnerable Systems:
     * NodeManager Professional version 2.00

    Immune Systems:
     * NodeManager Professional version 2.01 or newer

    NodeManager Professional allows the user to use a format string to
    customize how each received SNMPv1 trap is logged. For example, the
    default format string for the LinkDown event is
    "Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)"

    When a LinkDown-Trap packet is received, the various placeholders (e.g.
    %OID, %DATA) will be replaced with the received values. When the format
    string is parsed, each received value is first copied to a 512-byte local
    stack buffer before it is concatenated to the final string. By sending a
    LinkDown-Trap packet containing an OCTET-STRING of more than 512 bytes in
    the Trap variable-bindings field, it is possible to overflow the stack
    buffer and overwrite the EIP. This happens when the %DATA placeholder is
    processed.
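The defect described above is the classic unbounded copy of attacker-controlled data into a fixed-size stack buffer. The following C program is an added illustration, not NodeManager's code: it reconstructs the placeholder expansion the advisory describes (%EPRISE, %OID, %DATA) with a 512-byte local buffer, shows the unbounded-copy pattern as a comment-labelled function, and implements a bounded version that refuses a value that would not fit instead of overwriting the stack. The function names, the output-buffer size and the sample trap values are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define VALUE_BUF 512   /* size of the local stack buffer named in the advisory */

/* Map a placeholder name (without the '%') to its received trap value.
 * Returns NULL for an unknown name so the text is copied literally. */
static const char *lookup(const char *name, size_t n,
                          const char *eprise, const char *oid, const char *data)
{
    if (n == 6 && strncmp(name, "EPRISE", 6) == 0) return eprise;
    if (n == 3 && strncmp(name, "OID", 3) == 0)    return oid;
    if (n == 4 && strncmp(name, "DATA", 4) == 0)   return data;
    return NULL;
}

/* VULNERABLE pattern (illustrative reconstruction, not the product's code):
 * the value is copied into a fixed 512-byte stack buffer with no length
 * check before being appended.  A value of 512 bytes or more runs past the
 * buffer, which is the condition the advisory describes for %DATA.
 * Only ever called with a short, well-formed value in this example. */
static void append_value_vulnerable(char *out, const char *value)
{
    char tmp[VALUE_BUF];
    strcpy(tmp, value);   /* unbounded copy: the defect */
    strcat(out, tmp);
}

/* HARDENED pattern: the copy is bounded by both the value buffer limit and
 * the remaining output space.  An oversized value is rejected (false) rather
 * than silently truncated, so the caller can log a malformed-trap event. */
static bool append_value_bounded(char *out, size_t outsz, const char *value)
{
    size_t vlen = strlen(value);
    if (vlen >= VALUE_BUF) return false;        /* would overflow the 512-byte buffer */
    size_t used = strlen(out);
    if (used + vlen >= outsz) return false;     /* would overflow the output */
    memcpy(out + used, value, vlen + 1);        /* bounded copy incl. NUL */
    return true;
}

/* Expand the placeholders in fmt into out (outsz bytes) using the bounded
 * appender.  Returns true on success, false if any value would not fit. */
bool expand_format(const char *fmt, const char *eprise, const char *oid,
                   const char *data, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return false;
    out[0] = '\0';
    for (const char *p = fmt; *p; ) {
        if (*p == '%') {
            const char *q = p + 1;
            while (*q >= 'A' && *q <= 'Z') q++;          /* placeholder name */
            const char *val = lookup(p + 1, (size_t)(q - p - 1), eprise, oid, data);
            if (val) {
                if (!append_value_bounded(out, outsz, val)) return false;
                used = strlen(out);
                p = q;
                continue;
            }
        }
        if (used + 1 >= outsz) return false;             /* keep room for NUL */
        out[used++] = *p++;
        out[used] = '\0';
    }
    return true;
}

/* Build a constructed %DATA value of `len` bytes ('A' repeated) and report
 * whether the bounded expansion accepts it.  Used to show that values at or
 * above the buffer size are rejected instead of overflowing. */
bool data_value_accepted(size_t len)
{
    static char data[2048];
    static char out[1024];
    if (len >= sizeof data) return false;
    memset(data, 'A', len);
    data[len] = '\0';
    return expand_format("Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)",
                         "1.3.6.1.4.1.99999",      /* constructed enterprise OID */
                         "1.3.6.1.2.1.2.2.1.1.3",  /* constructed ifIndex OID */
                         data, out, sizeof out);
}

int main(void)
{
    char out[1024];
    /* Well-formed trap: both patterns produce the same line. */
    expand_format("Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)",
                  "1.3.6.1.4.1.99999", "1.3.6.1.2.1.2.2.1.1.3", "3", out, sizeof out);
    printf("%s\n", out);
    out[0] = '\0';
    append_value_vulnerable(out, "3");   /* short value only */
    printf("vulnerable appender on short value: %s\n", out);
    /* Oversized value: the bounded expansion refuses it. */
    printf("511-byte DATA accepted: %d\n", data_value_accepted(511));
    printf("600-byte DATA accepted: %d\n", data_value_accepted(600));
    return 0;
}
```

The check in `append_value_bounded` rejects any value of 512 bytes or more, i.e. exactly the input class the advisory says triggers the overflow; a real parser should also apply the same bound to every varbind, not only the one feeding %DATA.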

    Solution:
    Upgrade to version 2.01, which fixes this vulnerability.

    Disclosure timeline:
    20 Dec 04 - Vulnerability Discovered
    21 Dec 04 - Initial Author Notification
    22 Dec 04 - Received Author's Reply
    07 Jan 05 - Second Author Notification
    11 Jan 05 - Second Author Reply
    15 Jan 05 - Author Released Fixed Version
    17 Jan 05 - Public Release

    ADDITIONAL INFORMATION

    The information has been provided by Tan Chew Keong
    <mailto:chewkeong@security.org.sg>.
    The original article can be found at:
    <http://www.security.org.sg/vuln/nodemanager200.html>
