SecurityTracker.com
Category:   Application (Generic)  >   HPE OpenView Network Node Manager
Vendors:   HPE
HP OpenView Network Node Manager Input Validation Hole in 'connectedNodes.ovpl' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014791
SecurityTracker URL:  http://securitytracker.com/id/1014791
CVE Reference:   CAN-2005-2773   (Links to External Site)
Updated:  Sep 12 2005
Original Entry Date:  Aug 25 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): OpenView Network Node Manager 6.41 and 7.5; possibly other versions
Description:   A vulnerability was reported in OpenView Network Node Manager. A remote user can execute arbitrary commands on the target system.

The 'connectedNodes.ovpl' script does not properly validate user-supplied input before using the input as part of a system command. A remote user can supply a specially crafted URL to execute arbitrary commands on the target system with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]:3443/OvCgi/connectedNodes.ovpl?node=a| [your command] |

The greater than ('>') and less than ('<') characters cannot be used.

The cdpView.ovpl, freeIPaddrs.ovpl, and ecscmg.ovpl scripts are also affected.

James Fisher of Portcullis Computer Security Ltd discovered this vulnerability. David Litchfield of NGS Software separately discovered this flaw.
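
A log check for the injection pattern described above, added here as an example (it is not code from SecurityTracker, Portcullis or HP). It assumes a combined-format web access log and that legitimate parameter values are host names or IP addresses; the sample log lines and the parameter name `x` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script names and the /OvCgi/ path are taken from the advisory text.
AFFECTED = {"connectednodes.ovpl", "cdpview.ovpl", "freeipaddrs.ovpl", "ecscmg.ovpl"}
# Assumption: legitimate values are host names or IP addresses only.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:-]{0,255}")
# Assumed log format: request line quoted as in the combined log format.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample entries (documentation addresses, placeholder command).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2005:15:20:01 +0000] "GET /OvCgi/connectedNodes.ovpl?node=router1.example.net HTTP/1.0" 200 512',
    '198.51.100.7 - - [25/Aug/2005:15:21:44 +0000] "GET /OvCgi/connectedNodes.ovpl?node=a%7C%20CMD%20%7C HTTP/1.0" 200 0',
    '198.51.100.7 - - [25/Aug/2005:15:21:50 +0000] "GET /OvCgi/cdpView.ovpl?x=a%257CCMD HTTP/1.0" 200 0',
    '192.0.2.10 - - [25/Aug/2005:15:22:03 +0000] "GET /OvCgi/other.ovpl?node=a%7Cb HTTP/1.0" 200 10',
]

def suspicious_params(url):
    """Return [(name, decoded_value)] for parameters that fail the allowlist."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if "/ovcgi/" not in parts.path.lower() or script not in AFFECTED:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return [(line_number, client, findings)] for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        found = suspicious_params(m.group(1))
        if found:
            hits.append((n, line.split(" ", 1)[0], found))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the check is an allowlist on the decoded value, a double-encoded pipe (`%257C`) is flagged as well: the leftover `%` is not a permitted character.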

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   The vendor has issued the following patches for OV NNM 7.50, available at:

http://support.openview.hp.com/patches/patch_index.jsp

HP-UX B.11.23 OV NNM 7.50 PHSS_33784 or subsequent
Solaris OV NNM 7.50 PSOV_03425 or subsequent
Windows OV NNM 7.50 NNM_01106 or subsequent
Linux OV NNM 7.50 LSOV_00022 or subsequent

The vendor has described a workaround for other versions for which a fix is not yet available. The connectedNodes.ovpl, cdpView.ovpl, and freeIPaddrs.ovpl files can be moved from the cgi-bin directory into another directory. The new destination directory should not have write permissions for non-privileged users.

The workaround is necessary for the following versions:

HP-UX B.11.11 OV NNM 7.01, 6.4, 6.2
HP-UX B.11.00 OV NNM 7.01, 6.4, 6.2
Solaris OV NNM 6.2, 6.4, 7.01
Windows OV NNM 6.2, 6.4, 7.01
Linux RedHatAS2.1 OV NNM 7.01
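
To confirm the workaround above has been applied on a host, the following added example (not vendor code) checks that the three scripts are gone from the CGI directory and that the destination directory is not writable by group or other. Both directory paths are supplied by the caller, since the advisory names none, and reading "no write permissions for non-privileged users" as "no group or other write bit" is an assumption.

```python
import os
import stat

# File names listed in the vendor workaround quoted above.
WORKAROUND_SCRIPTS = ("connectedNodes.ovpl", "cdpView.ovpl", "freeIPaddrs.ovpl")

def audit_workaround(cgi_dir, quarantine_dir):
    """Return a list of findings; an empty list means the workaround holds.

    cgi_dir and quarantine_dir are caller-supplied paths (hypothetical names).
    """
    findings = []
    for name in WORKAROUND_SCRIPTS:
        # lexists also catches a symlink left behind in the CGI directory.
        if os.path.lexists(os.path.join(cgi_dir, name)):
            findings.append(f"{name} is still present in {cgi_dir}")
    try:
        mode = os.stat(quarantine_dir).st_mode
    except FileNotFoundError:
        findings.append(f"{quarantine_dir} does not exist")
        return findings
    # Assumption: "non-privileged users" maps to the group and other bits.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(
            f"{quarantine_dir} is group- or world-writable ({stat.filemode(mode)})"
        )
    return findings
```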

Vendor URL:  www.hp.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 29 2005 (HP Issues Fix) HP OpenView Network Node Manager Input Validation Hole in 'connectedNodes.ovpl' Lets Remote Users Execute Arbitrary Commands
HP has issued a fix for OpenView.



 Source Message Contents

Subject:  FW: Portcullis Security Advisory 05-014 HP Openview Remote Command

-----Original Message-----
From: James P Fisher 
Sent: Thursday, August 25, 2005 3:28 PM
To: Paul J Docherty
Subject: RE: Portcullis Security Advisory 05-014 HP Openview Remote
Command Execution Vulnerability

That looks good to me

-----Original Message-----
From: Paul J Docherty 
Sent: 25 August 2005 15:26
To: James P Fisher
Subject: Portcullis Security Advisory 05-014 HP Openview Remote Command
Execution Vulnerability

Portcullis Security Advisory 05-014 HP Openview Remote Command Execution
Vulnerability

Vulnerable System: 
HP OpenView Network Node Manager 6.41 and 7.5 running on Solaris 8
(confirmed)
HP OpenView Network Node Manager all versions, all operating systems
(unconfirmed) 

Vulnerability Title: 
Unauthenticated Remote Command Execution In HP OpenView Network Node
Manager

Vulnerability discovery and development: 
James Fisher of Portcullis Computer Security Ltd discovered this
vulnerability during a network security assessment.  Due to inadequate
input validation by the Network Node Manager application, it was
possible to execute system level commands within the privilege context
of the web server user.

Affected systems: 
It has been confirmed that versions 6.41 and 7.5 are vulnerable on Sun
Solaris 8 (Sparc), however it is highly likely that all versions of the
software on all supported operating systems are likely to be vulnerable,
however this has not been confirmed.

Details: 
It was identified that connectedNodes.ovpl script will take input from a
user and concatenate that input with an existing string.  This resultant
string is then executed as a system command by the web server, without
validating the data sent from the user.  Thus it is possible for an
attacker to inject their own system commands.

Impact: 
An attacker can blindly execute system commands (as no command output is
returned) with the privileges of the web server, by using a pipe command
separator to initiate a new command.   However, the connectedNodes.ovpl
script will error if either of the "<" or ">" characters are included,
thus making commands which redirect input/output fail. Despite this
limitation it was possible to script the binding of a shell to a port as
proved by Paul Docherty (Portcullis Computer Security Ltd) thus
providing a fully interactive remote shell running with the privileges
of the "bin" user account.

Exploit: 
Entering the following URL
"http://[host]:3443/OvCgi/connectedNodes.ovpl?node=a| [your command] |"
to a web browser will exploit the vulnerability.
(Note the square brackets should be removed)
 
Copyright: 
Copyright (c) Portcullis Computer Security Limited 2005. All rights
reserved worldwide.



Copyright 2017, SecurityGlobal.net LLC