




Vendor: Hewlett-Packard
Application: Network Node Manager 7.50 Remote Console
	under Microsoft Windows XP SP2.
Vulnerability: Local
Vulnerability Level: High
Author: 3APA3A <3APA3A@security.nnov.ru>, SecurityVulns.com
Impact: privilege escalation of any unprivileged user to
	Local System or another user's account.



Intro:

NNM Remote Console is a remote administration tool for Network Node
Manager. Unlike the rest of NNM, it is installed on the administrator's
workstation. 7.50 is the latest version of NNM Remote Console, because it
cannot be upgraded to 7.51.

Vulnerability Description:

The bug is very simple: insecure installation folder permissions. During
installation of HP Open View Network Node Manager Console (and possibly
other OV components, not tested) this command is performed:

C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView"
 /T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt"
 >> "C:\Program Files\HP OpenView\log\setup.log"

This command recursively changes access permissions for

C:\Program Files\HP OpenView

folder to Everyone:Full Control.

This makes it possible for any local user to replace any of the HP Open View
executable files or ActiveX components with trojaned/backdoored ones and
gain the permissions of the user running any of the Open View applications
(usually an admin user).

And worse: there is a service installed into the HP Open View folder,
namely

HP Open View Shared Trace Service, installed as
C:\Program Files\HP OpenView\bin\ovtrcsvc.exe

It runs under the Local System account, the most privileged one. This makes
it possible for any local user to overwrite the service executable and obtain
Local System privileges.


Exploit:

1. Rename ovtrcsvc.exe to ovtrcsvc.old
2. Replace ovtrcsvc.exe with any application of your choice and
restart system.

Workaround:

Restore permission inheritance from the parent folder for
"C:\Program Files\HP OpenView\".
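
An audit for the condition described above, as an added example that is not
part of the original advisory. It assumes PowerShell 3.0 or later and
icacls.exe; the -Fix switch and the function name are this script's own.

```powershell
param(
    [string]$Root = 'C:\Program Files\HP OpenView',  # install path quoted in the advisory
    [switch]$Fix                                     # hypothetical switch of this script
)

# Well-known SIDs, independent of OS language: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that allow replacing or re-permissioning a file, plus GENERIC_ALL and
# GENERIC_WRITE, which can appear unmapped in inherit-only ACEs
$rights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs instead of account names so the comparison works on any locale
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeMask)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $Path; Sid = $_.IdentityReference.Value
                Rights = $_.FileSystemRights; Inherited = $_.IsInherited
            }
        }
}

# 1. Every object in the tree that a broad group can modify or replace
$children = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)
$findings = @($Root) + $children | ForEach-Object { Get-BroadWriteAce -Path $_ }
$findings | Format-Table -AutoSize

# 2. Services whose binary lives in that tree, and the account each one runs as
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$Root*" } |
    Select-Object Name, StartName, PathName

# 3. The advisory's workaround: replace the explicit ACLs with inherited ones,
#    recursively, because the installer rewrote the ACL on every file
if ($Fix -and $findings) {
    & icacls.exe $Root /reset /T /C
}
```

Run it without -Fix first to see the findings; after applying the fix, a
second run should report no broad write ACEs under the folder.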

Vendor:

September, 11 2006 - Vendor (security-alert@hp.com) informed
September, 11 2006 - Automated response received
September, 12 2006 - Human response received (We will investigate this
and reply)
September, 29 2006 - Second vendor notification
September, 29 2006 - Vendor replies patches are scheduled at the end of
October and asks for coordinated disclosure
November, 16 2006 - Third vendor notification
November, 16 2006 - "Sorry for the delay.  I have asked the division for
a schedule update.  I will let you know."
February, 02 2007 - non-coordinated public release.


© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 