[NT] NodeManager Professional Buffer Overflow (%DATA)
From: SecuriTeam (support_at_securiteam.com)
Date: 01/18/05
To: list@securiteam.com
Date: 18 Jan 2005 12:47:55 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NodeManager Professional Buffer Overflow (%DATA)
------------------------------------------------------------------------
SUMMARY
NodeManager Professional (<http://www.h4.dion.ne.jp/~you4707/NodeManagerPro.html>)
is "a network management and monitoring tool. It receives SNMPv1 traps and
displays them on screen and writes them to a log file".
NodeManager Professional has been found to contain a stack overflow
vulnerability that can be exploited by sending a specially crafted SNMPv1
trap.
DETAILS
Vulnerable Systems:
* NodeManager Professional version 2.00
Immune Systems:
* NodeManager Professional version 2.01 or newer
NodeManager Professional lets the user define a format string that controls
how each received SNMPv1 trap is logged. For example, the default format
string for the LinkDown event is
"Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)"
When a LinkDown trap packet is received, each placeholder (e.g. %OID,
%DATA) is replaced with the corresponding received value. While the format
string is parsed, each received value is first copied into a 512-byte local
stack buffer and only then concatenated to the final log string. The copy is
not bounded by the buffer size: a LinkDown trap packet whose variable-bindings
field carries an OCTET-STRING longer than 512 bytes overflows the stack buffer
and overwrites the saved return address (EIP). The overflow occurs when the
%DATA placeholder is processed.
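To make the defect concrete, the following C code is an added example written for this page; it is not code from the advisory or from NodeManager Professional. It implements a placeholder expander that follows the design the advisory describes (each received value passes through a fixed 512-byte local buffer before being appended to the log line) but bounds the copy, so a value longer than the scratch buffer makes the function fail closed instead of overrunning the stack. The format string is the advisory's default LinkDown string; the enterprise OID, variable OID and trap value used by the demo functions are constructed sample inputs, not values from the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the per-value scratch buffer named in the advisory. */
#define VALUE_BUF_SIZE 512

/* Default LinkDown format string quoted in the advisory. */
#define DEFAULT_LINKDOWN_FMT \
    "Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)"

/* Copy src into dst (capacity dstlen), always NUL-terminating.
 * Returns 0 if src fit, -1 if it did not (dst then holds a truncated copy). */
static int bounded_copy(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Append src to out (capacity outlen) at write position *pos.
 * Returns 0 on success, -1 if the output buffer would overflow. */
static int append(char *out, size_t outlen, size_t *pos, const char *src) {
    size_t n = strlen(src);
    if (*pos + n >= outlen) return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Expand %EPRISE, %OID and %DATA in fmt into out.
 * Every received value goes through a 512-byte stack buffer, as in the
 * advisory, but the copy is length-checked: an oversized value returns -1
 * and nothing is logged, rather than overwriting the saved return address.
 * Returns 0 on success, -1 on an oversized value or a full output buffer. */
int format_trap(const char *fmt, const char *eprise, const char *oid,
                const char *data, char *out, size_t outlen) {
    char value[VALUE_BUF_SIZE];
    size_t pos = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *p = fmt; *p; p++) {
        const char *src = NULL;
        size_t skip = 0;
        if (*p == '%') {
            if (strncmp(p, "%EPRISE", 7) == 0)    { src = eprise; skip = 7; }
            else if (strncmp(p, "%OID", 4) == 0)  { src = oid;    skip = 4; }
            else if (strncmp(p, "%DATA", 5) == 0) { src = data;   skip = 5; }
        }
        if (src) {
            if (bounded_copy(value, sizeof value, src) != 0) return -1;
            if (append(out, outlen, &pos, value) != 0) return -1;
            p += skip - 1;             /* loop's p++ steps past the placeholder */
        } else {
            char one[2] = { *p, '\0' }; /* literal text, including a lone '%' */
            if (append(out, outlen, &pos, one) != 0) return -1;
        }
    }
    return 0;
}

/* Constructed sample trap (OIDs and value are made up for this example). */
int demo_normal_trap(char *out, size_t outlen) {
    return format_trap(DEFAULT_LINKDOWN_FMT, "1.3.6.1.4.1.99999",
                       "1.3.6.1.2.1.2.2.1.8.3", "down", out, outlen);
}

/* Constructed trap whose %DATA value is exactly len bytes of 'B' (len < 1000),
 * to probe the 512-byte boundary. */
int demo_value_of_length(size_t len, char *out, size_t outlen) {
    char v[1000];
    if (len >= sizeof v) return -1;
    memset(v, 'B', len);
    v[len] = '\0';
    return format_trap("Value=%DATA", "", "", v, out, outlen);
}

int main(void) {
    char out[1024];
    if (demo_normal_trap(out, sizeof out) == 0) printf("%s\n", out);
    printf("511-byte value: %d\n", demo_value_of_length(511, out, sizeof out));
    printf("512-byte value: %d\n", demo_value_of_length(512, out, sizeof out));
    return 0;
}
```

The boundary matters: a 511-byte value plus its terminator exactly fills the 512-byte scratch buffer and is accepted, while a 512-byte value is rejected. A receiver that must log such traps anyway can substitute a truncated copy with a marker rather than discarding the event, but it must never let the received length decide how many bytes land on the stack.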
Solution:
Upgrade to version 2.01, which fixes this vulnerability.
Disclosure timeline:
20 Dec 04 - Vulnerability Discovered
21 Dec 04 - Initial Author Notification
22 Dec 04 - Received Author's Reply
07 Jan 05 - Second Author Notification
11 Jan 05 - Second Author Reply
15 Jan 05 - Author Released Fixed Version
17 Jan 05 - Public Release
ADDITIONAL INFORMATION
The information has been provided by Tan Chew Keong
<mailto:chewkeong@security.org.sg>.
The original article can be found at:
<http://www.security.org.sg/vuln/nodemanager200.html>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.