ID: CVE-2010-1961
Type: cve
Reporter: NVD
Modified: 2017-08-16T21:32:33
Description
Buffer overflow in ovutil.dll in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unspecified variables to jovgraph.exe, which are not properly handled in a call to the sprintf function.
{"result": {"zdi": [{"id": "ZDI-10-106", "type": "zdi", "title": "Hewlett-Packard OpenView NNM ovutil.dll getProxiedStorageAddress Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ovutil.dll module which is loaded by the ovwebsnmpsrv.exe process which in turn can be reached remotely through the jovgraph.exe CGI program. By supplying overly large values to variables passed through an HTTP request a sprintf can be made to overflow a static buffer. An attacker can leverage this to execute arbitrary code under the context of the user running the webserver.", "published": "2010-06-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-10-106", "cvelist": ["CVE-2010-1961"], "lastseen": "2016-11-09T00:18:13"}], "seebug": [{"id": "SSV:71519", "type": "seebug", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-71519", "cvelist": ["CVE-2010-1961"], "lastseen": "2017-11-19T14:51:57"}], "exploitdb": [{"id": "EDB-ID:17044", "type": "exploitdb", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "description": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow. CVE-2010-1961. 
Remote exploit for windows platform", "published": "2011-03-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/17044/", "cvelist": ["CVE-2010-1961"], "lastseen": "2016-02-02T07:06:06"}], "packetstorm": [{"id": "PACKETSTORM:99676", "type": "packetstorm", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "description": "", "published": "2011-03-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/99676/HP-OpenView-Network-Node-Manager-ovwebsnmpsrv.exe-main-Buffer-Overflow.html", "cvelist": ["CVE-2010-1964", "CVE-2010-1961"], "lastseen": "2016-12-05T22:14:50"}, {"id": "PACKETSTORM:99677", "type": "packetstorm", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "description": "", "published": "2011-03-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/99677/HP-OpenView-Network-Node-Manager-ovwebsnmpsrv.exe-ovutil-Buffer-Overflow.html", "cvelist": ["CVE-2010-1964", "CVE-2010-1961"], "lastseen": "2016-12-05T22:25:36"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVWEBSNMPSRV_OVUTIL", "type": "metasploit", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. 
The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.", "published": "1976-01-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2010-1961", "CVE-2010-1964"], "lastseen": "2018-04-24T10:54:46"}, {"id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVWEBSNMPSRV_MAIN", "type": "metasploit", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. 
It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.", "published": "2011-03-23T15:45:48", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2010-1961", "CVE-2010-1964"], "lastseen": "2018-03-17T11:58:34"}], "openvas": [{"id": "OPENVAS:1361412562310902076", "type": "openvas", "title": "HP OpenView Network Node Manager Multiple Vulnerabilities", "description": "This host is running HP OpenView Network Node Manager and\n is prone to multiple vulnerabilities.", "published": "2010-06-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902076", "cvelist": ["CVE-2010-1964", "CVE-2010-3285", "CVE-2010-1961", "CVE-2010-1960"], "lastseen": "2017-07-02T21:09:58"}], "nessus": [{"id": "HPUX_PHSS_40708.NASL", "type": "nessus", "title": "HP-UX PHSS_40708 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26", "description": "s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code. References: CVE-2010-1550 (SSRT090225, ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564) CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553 (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229, ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). 
These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server. References: CVE-2010-1964 (SSRT100026, ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684) CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to execute arbitrary code under the context of the user running the web server.", "published": "2010-05-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=46348", "cvelist": ["CVE-2010-1964", "CVE-2010-2709", "CVE-2010-1961", "CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1960", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "lastseen": "2017-10-29T13:38:20"}, {"id": "HPUX_PHSS_40707.NASL", "type": "nessus", "title": "HP-UX PHSS_40707 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26", "description": "s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server. References: CVE-2010-1964 (SSRT100026, ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684) CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code. 
References: CVE-2010-1550 (SSRT090225, ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564) CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553 (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229, ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to execute arbitrary code under the context of the user running the web server.", "published": "2010-05-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=46347", "cvelist": ["CVE-2010-1964", "CVE-2010-2709", "CVE-2010-1961", "CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1960", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "lastseen": "2017-10-29T13:45:14"}]}}