Application: Network Node Manager 7.50 Remote Console
under Microsoft Windows XP SP2.
Vulnerability Level: High
Author: 3APA3A <[email protected]>, SecurityVulns.com
Impact: privilege escalation of any unprivileged user to
Local System or another user's account.
NNM Remote Console is remote administration tool for Network Node
Manager. Unlike the rest of NNM it's installed on administrator's
workstation. 7.50 is latest version of NNM Remote Console, because it
can not be upgraded to 7.51.
The bug is very simple: insecure installation folder permissions. During
installation of HP Open View Network Node Manager Console (and may be
another OV components, not tested) this commands is performed:
C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView"
/T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt"
>> "C:\Program Files\HP OpenView\log\setup.log"
This command recursively changes access permissions for
C:\Program Files\HP OpenView
folder to Everyone:Full Control.
It makes it possible for any local user to replace any of HP Open View
executable files or ActiveX components with trojaned/backdoored ones and
gain permissions of user running any of Open View applications (usually
And worse: there is a service installed into HP Open View folder,
HP Open View Shared Trace Service installed into
C:\Program Files\HP OpenView\bin\ovtrcsvc.exe
It's executed with highest possible Local System account. It makes it
possible for any local user to overwrite service executable and obtain
Local System privileges.
1. Rename ovtrcsvc.exe to ovtrcsvc.old
2. Replace ovtrcsvc.exe with any application of your choice and
Restore permission inheritance from parent folder for "C:\Program
September, 11 2006 - Vendor ([email protected]) informed
September, 11 2006 - Automated response received
September, 12 2006 - Human response received (We will investigate this
September, 29 2006 - Second vendor notification
September, 29 2006 - Vendor replies patches are scheduled at the end of
October and asks for coordinated disclosure
November, 16 2006 - Third vendor notification
November, 16 2006 - "Sorry for the delay. I have asked the division for
a schedule update. I will let you know."
February, 02 2007 - non-coordinated public release.