ESB-2009.1546 - [Win][RedHat][HP-UX][Solaris] HP Openview NNM 7.53: Denial of service - Remote/unauthenticated
19 November 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1546
          HP Openview NNM 7.53 Invalid DB Error Code vulnerability
                              19 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP Openview NNM 7.53
Publisher:         Core Security Technologies
Operating System:  HP-UX
                   Solaris
                   Red Hat
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3840

Original Bulletin:
  http://www.coresecurity.com/content/openview_nnm_internaldb_dos

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

     HP Openview NNM 7.53 Invalid DB Error Code vulnerability

1. *Advisory Information*

Title: HP Openview NNM 7.53 Invalid DB Error Code vulnerability
Advisory Id: CORE-2009-0814
Advisory URL: http://www.coresecurity.com/content/openview_nnm_internaldb_dos
Date published: 2009-11-17
Date of last update: 2009-11-17
Vendors contacted: HP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: External Initialization of Trusted Variables [CWE-454]
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-3840

3. *Vulnerability Description*

HP Openview Network Node Manager is one of the most widely deployed network
monitoring and management platforms used throughout enterprise organizations
today. The platform includes many server and client-side core components
with a long list of previously disclosed security bugs. In this case, a
remotely exploitable vulnerability was found in the database server core
component used by NNM. Exploitation of the bug does not require
authentication and leads to a remotely triggered denial of service of the
internal database service.

4. *Vulnerable packages*

  . HP Openview NNM 7.53

Other versions may be vulnerable but were not tested. Refer to the vendor's
security bulletin for a full list.

5. *Non-vulnerable packages*

Refer to the vendor's security bulletin.

6. *Vendor Information, Solutions and Workarounds*

The vendor issued security bulletin HPSBMA02477 SSRT090177 to address the
problem and provide fixes. It is available at
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980

The database service of HP Openview Network Node Manager is remotely
accessible on port 2690/tcp. Restricting or blocking access to that port
will prevent exploitation but may prevent normal operation of Openview NNM.

7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from Core
Security Technologies.

8. *Technical Description / Proof of Concept Code*

8.1. *HP Openview NNM 7.53 Embedded DB Remote Denial Of Service*

HP Openview Network Node Manager includes an embedded database engine
service that is enabled by default and accepts remote connections on port
2690/tcp. The service is implemented by 'ovdbrun.exe', which is started
automatically on boot.

For certain transactions, upon receiving a packet from the network the
service attempts to determine and display an error code string based on an
error code number specified in the packet. By sending a specifically crafted
packet with an invalid error code number it is possible to remotely trigger
an exception that forces abnormal termination of the service. It is unlikely
that the bug could be exploited for anything other than a remote denial of
service.

The following code excerpt explains the problem:

/-----
005FED51  MOVZX EDX,BYTE PTR SS:[ESP+2]      #FCFF
005FED56  MOVSX ECX,WORD PTR SS:[ESP+3]
005FED5B  CMP ECX,-1
005FED5E  MOVSX EAX,WORD PTR SS:[ESP+5]      #FCFF
005FED63  MOV DWORD PTR DS:[ESI+10],EDX
005FED66  MOV EDX,DWORD PTR SS:[ESP+7]
005FED6A  MOV DWORD PTR DS:[ESI+14],ECX
005FED6D  MOV DWORD PTR DS:[ESI+18],EAX
005FED70  MOV DWORD PTR DS:[ESI+C],EDX
005FED73  JGE SHORT ovdbrun.005FED7E
005FED75  CMP EAX,-1
005FED78  JGE SHORT ovdbrun.005FED7E
005FED7A  CMP ECX,EAX
005FED7C  JE SHORT ovdbrun.005FED83
005FED7E  MOV EAX,1
005FED83  ADD ESP,0C
005FED86  RETN
- -----/

The code above checks for an error condition based on the value of an Error
Code field in the inbound network packet. An error condition is explicitly
handled if the Error Code value is less than or equal to -1, in which case a
MessageBox with a corresponding descriptive error string is presented to the
user. However, by crafting a packet with any negative value in the Error
Code field other than -1, the lookup for the corresponding error string
fails, triggering a non-recoverable error and thus terminating the server
process.

The following python code can be used to reproduce the bug:

/-----
#!python
import socket
import struct
a = struct.pack('
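As an added illustration (not code from the advisory, from Core Security or from HP), the branch logic of the ovdbrun listing above reimplemented in C, followed by a bounded error-string lookup of the kind that keeps an unknown code from becoming a fatal error. The struct field names, the contents of the error table and little-endian input are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Constructed mirror of the 12-byte stack record the listing reads at ESP:
 * byte at +2, int16 at +3, int16 at +5, int32 at +7 (bytes 0-1 and 11 are
 * not touched by the shown instructions). Field names are hypothetical. */
typedef struct {
    uint32_t field_c;    /* [ESI+0C] <- dword [ESP+7] */
    uint32_t field_10;   /* [ESI+10] <- byte  [ESP+2] */
    int32_t  code_a;     /* [ESI+14] <- word  [ESP+3], sign-extended */
    int32_t  code_b;     /* [ESI+18] <- word  [ESP+5], sign-extended */
} db_msg_t;

static int16_t  rd16(const uint8_t *p) { int16_t v;  memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Same branch decisions as 005FED51..005FED86. Returns 1 on the path that
 * executes "MOV EAX,1"; otherwise returns the (negative) code itself, which
 * the caller then uses to look up an error string. Assumes little-endian
 * input, as on the x86 build in the listing. */
int decode_status(const uint8_t buf[12], db_msg_t *out)
{
    out->field_10 = buf[2];
    out->code_a   = rd16(buf + 3);
    out->code_b   = rd16(buf + 5);
    out->field_c  = rd32(buf + 7);
    if (out->code_a >= -1) return 1;          /* CMP ECX,-1 / JGE */
    if (out->code_b >= -1) return 1;          /* CMP EAX,-1 / JGE */
    if (out->code_a == out->code_b)           /* CMP ECX,EAX / JE  */
        return out->code_a;                   /* untrusted code flows on */
    return 1;
}

/* Hardened lookup: the code is checked against a table of known entries and
 * anything else maps to a fixed fallback, instead of the failed lookup the
 * advisory describes. The table values are placeholders, not ovdbrun's. */
static const int32_t known_codes[]   = { -2, -3, -4 };
static const char   *known_strings[] = { "ERR_2", "ERR_3", "ERR_4" };

const char *error_string(int32_t code)
{
    for (size_t i = 0; i < sizeof known_codes / sizeof known_codes[0]; i++)
        if (known_codes[i] == code)
            return known_strings[i];
    return "unknown error code";   /* never an unhandled exception */
}
```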