
From: Luigi Auriemma <aluigi_(at)_autistici.org>
Date: 09.04.2008
Subject: Re: Multiple vulnerabilities in HP OpenView NNM 7.53

#######################################################################

                            Luigi Auriemma

Application:  HP OpenView Network Node Manager
             http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bug:          memory corruption in ovspmd
Exploitation: remote
Date:         08 Apr 2008
Author:       Luigi Auriemma
             e-mail: aluigi@autistici.org
             web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
OpenView NNM "automates the process of developing a hyper-accurate
topology of your physical network, virtual network services and the
complex relationships between them. It then uses that topology as the
basis for intelligent root cause analysis to enhance network
availability and performance."


#######################################################################

======
2) Bug
======


The protocol used by the ovspmd service running on port 8886 is very
simple: a 32 bit number which specifies the length of the data block
(number included), followed by the data.

The service checks that this length value is lower than 9216 (the size of
the destination buffer) to avoid buffer overflows, but this is a signed
comparison, so using a negative value between 0x80000000 and 0x80000003
(because recv doesn't handle negative amounts of bytes to receive)
gives the attacker the possibility of exploiting the resulting
overflow.
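
The signed length check described above, next to an unsigned bounds check
that rejects the same values. This is an added example, not code from
ovspmd or from the advisory; the function names are hypothetical and the
length is assumed to be already decoded from the wire.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 9216u  /* destination buffer size stated in the advisory */
#define HDR_SIZE 4u     /* the length field counts its own 4 bytes */

/* Flawed pattern: the decoded length is held in a signed 32-bit integer,
 * so any value with the top bit set is negative and passes the test.
 * (The cast wraps to two's complement on all mainstream compilers.) */
int len_ok_signed(uint32_t wire_len)
{
    int32_t len = (int32_t)wire_len;
    return len < (int32_t)BUF_SIZE;
}

/* Hardened pattern: keep the length unsigned, reject anything too short to
 * hold its own header or not below the buffer size, then derive the payload
 * size. Returns 0 and sets *payload on success, -1 on rejection. */
int payload_len_checked(uint32_t wire_len, size_t *payload)
{
    if (wire_len < HDR_SIZE || wire_len >= BUF_SIZE)
        return -1;
    *payload = (size_t)(wire_len - HDR_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed sample lengths, including the range named above. */
    const uint32_t samples[] = { 4u, 100u, 9215u, 9216u, 0x80000000u, 0x80000003u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = payload_len_checked(samples[i], &n);
        printf("0x%08lx signed-check=%s unsigned-check=%s\n",
               (unsigned long)samples[i],
               len_ok_signed(samples[i]) ? "accept" : "reject",
               rc == 0 ? "accept" : "reject");
    }
    return 0;
}
```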


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/closedview.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################
