[NT] Hewlett-Packard OVIS Probe Builder Arbitrary Process Termination Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Hewlett-Packard OVIS Probe Builder Arbitrary Process Termination
Vulnerability
------------------------------------------------------------------------


SUMMARY

Hewlett-Packard's <http://www.openview.hp.com/products/ovis/index.html>
Internet Services provides "end-user emulation of major business
applications and a single integrated view of the Internet infrastructure".
Remote exploitation of a denial of service vulnerability in
Hewlett-Packard's Internet Services Probe Builder product allows an
unauthenticated attacker the ability to terminate any process.

DETAILS

Vulnerable Systems:
* HP's Internet Services Probe Builder version 2.2 for Windows

The Probe Builder Service, PBOVISServer.exe, listens by default on TCP
port 32968. This process has a specific opcode that allows a remote
unauthenticated user to terminate any process on the system by supplying a
process ID number.

Analysis:
Exploitation allows an attacker to kill any process, including critical
system processes like services.exe, lsass.exe, csrss.exe. Killing a system
process usually results in a blue screen or a mandatory reboot message. To
exploit this vulnerability, the attacker must know the process ID to
terminate. For a remote attacker, it can brute force process ID and cause
the system to crash.

Workaround:
Employing firewalls to limit access to the affected service will mitigate
exposure to this vulnerability.

Vendor response:
Hewlett-Packard has addressed this vulnerability in the HPSBMA02353
(SSRT080066) security bulletin. For more information, visit the following
URL.
<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01511225> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01511225

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1667>
CVE-2008-1667

Disclosure timeline:
04/03/2008 - Initial vendor notification
05/08/2008 - Initial vendor response
07/28/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=728>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=728



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability (MS08-071)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability ... Exploitation allows an attacker to execute arbitrary code with the ... targeted user to view a specially crafted image file. ...
    (Securiteam)
  • [NEWS] @Mail Web Interface Multiple Security Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... attacker to point it to mailbox of any registered user in @Mail system. ... Vulnerability 2: SQL database install - Multiple SQL Injection ...
    (Securiteam)
  • [NT] EMC Legato Networker DoS and Multiple Buffer Overflows
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... EMC Legato Networker DoS and Multiple Buffer Overflows ... The vulnerability specifically exists due to improper handling of ... is sent by an attacker, it is possible to overwrite portions of heap ...
    (Securiteam)
  • [UNIX] IBM Informix Dynamic Server DBLANG Directory Traversal Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... IBM Informix Dynamic Server DBLANG Directory Traversal Vulnerability ... Local exploitation of a directory traversal vulnerability in IBM Corp.'s ... attacker can cause set-uid binaries to use Native Language Support ...
    (Securiteam)
  • [NEWS] IBM Lotus Domino IMAP Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... IBM Lotus Domino IMAP Buffer Overflow Vulnerability ... Remote exploitation of a buffer overflow vulnerability within IBM Corp.'s ... This allows an attacker to take complete control of the compromised ...
    (Securiteam)