SecurityTracker.com
Category:   Application (Generic)  >   HPE OpenView Network Node Manager
Vendors:   HPE
HP OpenView Network Node Manager Unsafe Folder Permissions Lets Local Windows Users Gain Elevated Privileges
SecurityTracker Alert ID:  1017609
SecurityTracker URL:  http://securitytracker.com/id/1017609
CVE Reference:   CVE-2007-0819
Updated:  Aug 18 2009
Original Entry Date:  Feb 8 2007
Impact:   Root access via local system, User access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Remote Console version 7.50, 7.51, 7.53
Description:   A vulnerability was reported in OpenView Network Node Manager. A local user can obtain elevated privileges on Windows-based systems.

The console component installs on Windows-based systems with insecure folder permissions, granting 'Full Control' privileges to the 'Everyone' group for the 'C:\Program Files\HP OpenView' directory and subdirectories. As a result, a local user can modify files in the directory to cause arbitrary code to be executed when the target user runs OpenView. A local user can also modify the HP Open View Shared Trace Service ('C:\Program Files\HP OpenView\bin\ovtrcsvc.exe') to cause arbitrary code to be executed with Local System privileges.

The vendor was notified on September 11, 2006.

3APA3A of SecurityVulns.com reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   No solution was available at the time of this entry.

The vendor recommends that users consider making the NNM Remote Console the sole function of the system and that users avoid web browsing from that system.

The vendor's advisory is available at:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01817357

Vendor URL:  h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01817357
Cause:   Access control error, Configuration error
Underlying OS:  Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] SecurityVulns.com: HP Network Node Manager remote

Title:  Hewlett-Packard  Network  Node  Manager 7.50 Remote Console weak
        files permissions
Application:  Hewlett-Packard  Network  Node Manager 7.50 Remote Console
        under Microsoft Windows XP SP2.
Vulnerability: Local
Vulnerability Level: High
Impact: privilege escalation of any unprivileged user to Local System or
        another user's account.
Author: 3APA3A <3APA3A@security.nnov.ru>, http://SecurityVulns.com
Advisory URL: http://securityvulns.com/advisories/nnmrc.asp
SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html
CVE:    CVE-2007-0819

Intro:

NNM Remote Console is a remote administration tool for HP Network Node
Manager (NNM). Unlike the rest of NNM, it's installed on the administrator's
workstation. 7.50 is the latest version of NNM Remote Console, because
a console installation cannot be upgraded to 7.51.

Vulnerability Description:

The bug is very simple: insecure installation folder permissions. During
installation of HP Open View Network Node Manager Console this command
is performed:

C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView" /T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt" >> "C:\Program Files\HP OpenView\log\setup.log"

This command recursively changes access permissions for

C:\Program Files\HP OpenView

folder to

Everyone:Full Control.

It  makes  it possible for any local user to replace any of HP Open View
executable files or ActiveX components with trojaned/backdoored ones and
gain  permissions of user running any of Open View applications (usually
network administrator user).

And worse: there is a service installed into the HP Open View folder, namely

HP Open View Shared Trace Service

with executable

C:\Program Files\HP OpenView\bin\ovtrcsvc.exe


It's executed with the highest possible Local System account. It makes it
possible for any local user to overwrite the service executable and obtain
Local System privileges.


Exploit:

1. Rename  ovtrcsvc.exe to ovtrcsvc.old
2. Replace  ovtrcsvc.exe  with  any  application of your choice and
restart system.
3. Reboot (or wait for reboot).

Workaround:

Restore  permission  inheritance  from  parent  folder  for  "C:\Program
Files\HP OpenView\".

Vendor:

September, 11 2006 - Vendor (security-alert@hp.com) informed
September, 11 2006 - Automated response received
September, 12 2006 - Human response received ("We will investigate this
and reply")
September, 29 2006 - Second vendor notification
September, 29 2006 - Vendor replies, patches are scheduled at the end of
October. Vendor asks for coordinated disclosure.
November, 16 2006 - Third vendor notification
November, 16 2006 - "Sorry for the delay.  I have asked the division for
a schedule update.  I will let you know."
February, 07 2007 - non-coordinated public disclosure.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
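
A defender-side check for the condition described in this entry and in the source message, as an added example that is not part of the SecurityTracker entry or the original advisory: it lists files and folders under the install path where a broad group holds write-capable rights, and lists services whose binary lives in that tree. It goes beyond the page by also checking Authenticated Users and BUILTIN\Users (the page names only Everyone), and it assumes PowerShell 3.0 or later; the function and variable names are illustrative.

```powershell
# Added example (not from the advisory): read-only audit of an install tree.
param([string]$Root = 'C:\Program Files\HP OpenView')   # path named in the advisory

# Well-known SIDs; only Everyone is named on the page, the other two are assumptions.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a user replace or re-permission a file. The two hex values are
# GENERIC_ALL and GENERIC_WRITE, which Get-Acl can report raw on inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account, skip
        if ($BroadSids.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Group = $BroadSids[$sid]
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Walk the folder itself plus everything beneath it.
$paths = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })
$findings = @($paths | ForEach-Object { Get-WeakAce -Path $_ })
$findings | Sort-Object Path | Format-Table -AutoSize -Wrap

# Services whose binary lives in the tree: a weak ACE on these files is the
# Local System case from the advisory (ovtrcsvc.exe).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$Root*" } |
    Select-Object Name, StartName, PathName

# Remediation matching the advisory's workaround (restore inherited permissions),
# left commented out so the script stays read-only (icacls: Windows Vista and later):
# icacls "C:\Program Files\HP OpenView" /reset /T /C
```

An empty findings table after remediation, with the service binary still listed in the second output, indicates the tree has returned to inherited Program Files permissions.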

 
 

