[NEWS] MG-SOFT Net Inspector Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



MG-SOFT Net Inspector Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

" <http://www.mg-soft.com/netinsp.html> MG-SOFT Net Inspector is a
powerful fault management application with alarming subsystem that
complies with the international alarm reporting recommendations (ITU
X.733). The software lets you effectively monitor the status of network
devices and manage alarms associated with devices in the supervised TCP/IP
network." Multiple vulnerabilities have been discovered in MG-SOFT Net
Inspector, these vulnerabilities allow attackers to crash the system, as
well as cause it potentially execute arbitrary code.

DETAILS

Vulnerable systems:
* MG-SOFT Net Inspector version 6.5.0.828

Format string in mghttpd:
mghttpd is a simple HTTP daemon running on port 5228 used to allow the
clients to download the Net Inspector Java Client. This server is affected
by a format string vulnerability located in the function which logs the
clients requests in the log file.

Directory traversal in mghttpd:
This service is also affected by a classical directory traversal
vulnerability using both the slash and backslash plain delimiters which
can be exploited to download files from the disk on which is located the
server.

Crash in MgWTrap3:
The SNMP Trap Service other than binding the local TCP port 8888 and the
UDP 162 for collecting SNMP queries, binds also an additional UDP port
which changes each time the service is executed (uses the first free
available port).

Sending a packet (empty or with any desired content since it's not
important) directly to this port raises an exception which terminates the
service immediately.

This service is the core of almost all the MG-SOFT products which so
result all vulnerable.

Denial of Service in niengine:
The Net Inspector Fault Management server (niengine) can be easily freezed
with CPU at 100% and full memory consumption through a malformed packet.

Exploits:
Format string in mghttpd
GET /%n%n%s%s%n%n%n%s HTTP/1.0

Directory traversal in mghttpd
GET ../../../../boot.ini HTTP/1.0
GET \../..\../..\windows/win.ini HTTP/1.0

Crash in MgWTrap3
echo|nc SERVER PORT -v -v -u

Denial of Service in niengine
echo -n -e \x2a\x45\x67\xf2\x00\x00\x00\x00|nc SERVER 5221 -v -v -w 1


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/netinsp-adv.txt>
http://aluigi.altervista.org/adv/netinsp-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages