HP OpenView Network Node Manager Input Validation Hole in 'connectedNodes.ovpl' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1014791|
SecurityTracker URL: http://securitytracker.com/id/1014791
(Links to External Site)
Updated: Sep 12 2005|
Original Entry Date: Aug 25 2005
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): OpenView Network Node Manager 6.41 and 7.5; possibly other versions|
A vulnerability was reported in OpenView Network Node Manager. A remote user can execute arbitrary commands on the target system.|
The 'connectedNodes.ovpl' script does not properly validate user-supplied input before using the input as part of a system command. A remote user can supply a specially crafted URL to execute arbitrary commands on the target system with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]:3443/OvCgi/connectedNodes.ovpl?node=a| [your command] |
The greater than ('>') and less than ('<') characters cannot be used.
The cdpView.ovpl, freeIPaddrs.ovpl, and ecscmg.ovpl scripts are also affected.
James Fisher of Portcullis Computer Security Ltd discovered this vulnerability. David Litchfield of NGS Software separately discovered this flaw.
A remote user can execute arbitrary commands on the target system with the privileges of the target web service.|
The vendor has issued the following patches for OV NNM 7.50, available at:|
HP-UX B.11.23 OV NNM 7.50 PHSS_33784 or subsequent
Solaris OV NNM 7.50 PSOV_03425 or subsequent
Windows OV NNM 7.50 NNM_01106 or subsequent
Linux OV NNM 7.50 LSOV_00022 or subsequent
The vendor has described a workaround for other versions for which a fix is not yet available. The connectedNodes.ovpl, cdpView.ovpl, and freeIPaddrs.ovpl files can be moved from the cgi-bin directory into another directory. The new destination directory should not have write permissions for non-privileged users.
The workaround is necessary for the following versions:
HP-UX B.11.11 OV NNM 7.01, 6.4, 6.2
HP-UX B.11.00 OV NNM 7.01, 6.4, 6.2
Solaris OV NNM 6.2, 6.4, 7.01
Windows OV NNM 6.2, 6.4, 7.01
Linux RedHatAS2.1 OV NNM 7.01
Vendor URL: www.hp.com/ (Links to External Site)
Input validation error|
UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Thu, 25 Aug 2005 15:43:08 +0100|
Subject: FW: Portcullis Security Advisory 05-014 HP Openview Remote Command
From: James P Fisher
Sent: Thursday, August 25, 2005 3:28 PM
To: Paul J Docherty
Subject: RE: Portcullis Security Advisory 05-014 HP Openview Remote
Command Execution Vulnerability
That looks good to me
From: Paul J Docherty
Sent: 25 August 2005 15:26
To: James P Fisher
Subject: Portcullis Security Advisory 05-014 HP Openview Remote Command
Portcullis Security Advisory 05-014 HP Openview Remote Command Execution
HP OpenView Network Node Manager 6.41 and 7.5 running on Solaris 8
HP OpenView Network Node Manager all version all operating systems
Unauthenticated Remote Command Execution In HP OpenView Network Node
Vulnerability discovery and development:
James Fisher of Portcullis Computer Security Ltd discovered this
vulnerability during an network security assessment. Due to inadequate
input validation by the Network Node Manager application, it was
possible to execute system level commands within the privilege context
of the web server user.
It has been confirmed that versions 6.41 and 7.5 are vulnerable on Sun
Solaris 8 (Sparc), however it is highly likely that all versions of the
software on all supported operating systems are likely to be vulnerable,
however this has not been confirmed.
It was identified that connectedNodes.ovpl script will take input from a
user and concatenate that input with an existing string. This resultant
string is then executed as a system command by the web server, without
validating the data sent from the user. Thus it is possible for an
attacker to inject their own system commands.
An attacker can blindly execute system commands (as no command output is
returned) with the privileges of the web server, by using a pipe command
separator to initiate a new command. However, the connectedNodes.ovpl
script will error if either of the "<" or ">" characters are included,
thus making commands which redirect input/output fail. Despite this
limitation it was possible to script the binding of a shell to a port as
proved by Paul Docherty (Portcullis Computer Security Ltd) thus
providing a fully interactive remote shell running with the privileges
of the "bin" user account.
Entering the following URL
"http://[host]:3443/OvCgi/connectedNodes.ovpl?node=a| [your command] |"
to a web browser will exploit the vulnerability.
(Note the square brackets should be removed)
Copyright (c) Portcullis Computer Security Limited 2005. All rights
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation.
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms