Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Portcullis Security Advisory 05-014 HP Openview Remote Command Execut

from [Paul J Docherty] Network Security [Permanent Link]
Subject: Portcullis Security Advisory 05-014 HP Openview Remote Command Execution Vulnerability
Date: Thu, 25 Aug 2005 16:04:40 +0100 
Portcullis Security Advisory 05-014 HP Openview Remote Command Execution
Vulnerability

Vulnerable System: 
HP OpenView Network Node Manager 6.41 and 7.5 running on Solaris 8
(confirmed) HP OpenView Network Node Manager all version all operating
systems (unconfirmed) 

Vulnerability Title: 
Unauthenticated Remote Command Execution In HP OpenView Network Node
Manager

Vulnerability discovery and development: 
James Fisher of Portcullis Computer Security Ltd discovered this
vulnerability during an network security assessment.  Due to inadequate
input validation by the Network Node Manager application, it was
possible to execute system level commands within the privilege context
of the web server user.

Affected systems: 
It has been confirmed that versions 6.41 and 7.5 are vulnerable on Sun
Solaris 8 (Sparc), however it is highly likely that all versions of the
software on all supported operating systems are likely to be vulnerable,
however this has not been confirmed.

Details: 
It was identified that connectedNodes.ovpl script will take input from a
user and concatenate that input with an existing string.  This resultant
string is then executed as a system command by the web server, without
validating the data sent from the user.  Thus it is possible for an
attacker to inject their own system commands.

Impact: 
An attacker can blindly execute system commands (as no command output is
returned) with the privileges of the web server, by using a pipe command
separator to initiate a new command.   However, the connectedNodes.ovpl
script will error if either of the "<" or ">" characters are included,
thus making commands which redirect input/output fail. Despite this
limitation it was possible to script the binding of a shell to a port as
proved by Paul Docherty (Portcullis Computer Security Ltd) thus
providing a fully interactive remote shell running with the privileges
of the "bin" user account.

Exploit: 
Entering the following URL
"http://[host]:3443/OvCgi/connectedNodes.ovpl?node=a| [your command] |"
to a web browser will exploit the vulnerability.
(Note the square brackets should be removed)
 
Copyright: 
Copyright (c) Portcullis Computer Security Limited 2005. All rights
reserved worldwide.


*************************************************************
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation. 
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.
**************************************************************
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: unload event in ie/mozilla/opera, Drew Haven
Next by Date:  [Full-disclosure] [ GLSA 200508-17 ] libpcre: Heap integer overflow, Stefan Cornelius
Previous by Thread:  [Full-disclosure] MS05_039 Exploitation (different languages), Roman Medina-Heigl Hernandez
Next by Thread:  Re: Portcullis Security Advisory 05-014 HP Openview Remote Command Execution Vulnerability, David Litchfield
Indexes:  [Date] [Thread] [Top] [All Lists]