SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   HPE OpenView Network Node Manager Vendors:   HPE
HP OpenView Network Node Manager Input Validation Flaw in 'OpenView5.exe' Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1019838
SecurityTracker URL:  http://securitytracker.com/id/1019838
CVE Reference:   CVE-2008-0068   (Links to External Site)
Updated:  May 11 2009
Original Entry Date:  Apr 14 2008
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.53 and prior versions
Description:   A vulnerability was reported in HP OpenView Network Node Manager. A remote user can view files on the target system.

The 'OpenView5.exe' script does not properly validate user-supplied input. A remote user can supply a specially crafted request to view files on target system.

A demonstration exploit URL is provided:

http://[target]/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini

Luigi Auriemma reported this vulnerability. JJ Reyes of Secunia Research independently reported this vulnerability.

Impact:   A remote user can view files on the target system.
Solution:   The vendor has issued the following fixes.

OV NNM v7.53
Windows
NNM_01193 or subsequent

OV NNM v7.51: (upgrade to 7.53 and apply patch)

OV NNM v7.01
Windows
NNM_01194 or subsequent

The vendor's advisory is available at:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01496048

Vendor URL:  h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01496048 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Directory traversal and multiple Denials of Service in HP OpenView


#######################################################################

                             Luigi Auriemma

Application:  HP OpenView Network Node Manager
              http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bugs:         A] CGIs directory traversal
              B] Denial of Service in ovalarmsrv
              C] NULL pointer in ovalarmsrv
              D] process termination in ovtopmd
Exploitation: remote
Date:         11 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
OpenView NNM "automates the process of developing a hyper-accurate
topology of your physical network, virtual network services and the
complex relationships between them. It then uses that topology as the
basis for intelligent root cause analysis to enhance network
availability and performance."


#######################################################################

=======
2) Bugs
=======

---------------------------
A] CGIs directory traversal
---------------------------

The CGIs available in NNM use some instructions which filters malicious
chars in the parameters passed by the clients, for example to avoid
directory traversal attacks, XSS and so on.

The path delimiter filtered by these CGIs is the backslash char, so
using the slash will allow an attacker to download the files from the
disk on which is installed NNM.


----------------------------------
B] Denial of Service in ovalarmsrv
----------------------------------

The ovalarmsrv service listening on port 2954 can be easily freezed
with CPU at 100% and without the possibility of handling further
requests on both its ports 2953 and 2954 simply sending an incomplete
multi line request.
In short the last numeric parameters of the requests 25, 45, 46, 47 and
81 is used to specify how much sub-arguments (one per line) will be
sent.
So ovalarmsrv starts a loop which terminates when all the sub arguments
are received; closing the connection or not sending all or part of
these arguments will freeze the entire service.
The following are all the supported requests and their "sscanf" format:

  REQUEST_CONTRIB_EVENTS  (22): "%d %d %s"
  REQUEST_PRINT           (25): "%d %d %d %d %s"
  REQUEST_DETAILS         (33): "%d %d %s"
  REQUEST_EVENT_DELETE    (35): "%d %d %s"
  REQUEST_EVENT_ACK       (36): "%d %d %s"
  REQUEST_RUN_ACTION      (37): "%d %d %s %s"
  REQUEST_SPECDATA        (41):
  REQUEST_EVENT_UNACK     (44): "%d %d %s"
  REQUEST_SAVE            (45): "%d %d %d %d %s"
  REQUEST_CAT_CHANGE      (46): "%d %d %d %[^\n]"
  REQUEST_SEV_CHANGE      (47): "%d %d %d %[^\n]"
  REQUEST_CONF_ACTIONS    (48): "%d %d\n"
  REQUEST_RESTORE_STATE   (62): "%d %[^\n]"
  REQUEST_SAVE_DIR        (63):
  REQUEST_LOCALE          (66): "%d"
  REQUEST_FORMAT_PRINT    (81): "%d %d %d %d %s"
  REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]"


-----------------------------
C] NULL pointer in ovalarmsrv
-----------------------------

The parameter which specifies the amount of sub-arguments described
above is used to allocate a certain amount of initial dynamic memory
(value * 2) for storing all the sub-arguments which is then
reallocated wheen needed.

Specifying a too big unallocable amount of sub-arguments results in a
NULL pointer which will crash the service.


---------------------------------
D] process termination in ovtopmd
---------------------------------

The ovtopmd service listening on port 2532 uses a special type of
packet (0x36) for forcing the termination of the process ("Exiting due
to request of ovtopmd -k."), so an attacker can use this packet for
causing a Denial of Service.


#######################################################################

===========
3) The Code
===========


A]
http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini

B,C,D]
http://aluigi.org/poc/closedviewx.zip

  nc SERVER 2954 -v -v -w 2 < closedviewx1.txt
  nc SERVER 2954 -v -v      < closedviewx2.txt
  nc SERVER 2532 -v -v      < closedviewx3.txt


#######################################################################

======
4) Fix
======


HP has been alerted and is working on a fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC