Hewlett-Packard OVIS Probe Builder Arbitrary Process Termination Vulnerability
1 Aug. 2008
Summary
Hewlett-Packard's Internet Services provides "end-user emulation of major business applications and a single integrated view of the Internet infrastructure". Remote exploitation of a denial of service vulnerability in Hewlett-Packard's Internet Services Probe Builder product allows an unauthenticated attacker the ability to terminate any process.
Vulnerable Systems:
* HP's Internet Services Probe Builder version 2.2 for Windows
The Probe Builder Service, PBOVISServer.exe, listens by default on TCP port 32968. This process has a specific opcode that allows a remote unauthenticated user to terminate any process on the system by supplying a process ID number.
Analysis:
Exploitation allows an attacker to kill any process, including critical system processes like services.exe, lsass.exe, csrss.exe. Killing a system process usually results in a blue screen or a mandatory reboot message. To exploit this vulnerability, the attacker must know the process ID to terminate. For a remote attacker, it can brute force process ID and cause the system to crash.
Workaround:
Employing firewalls to limit access to the affected service will mitigate exposure to this vulnerability.
