packetstorm | Digital Defense Inc. | PACKETSTORM:30959
History: Apr 01, 2003 - 12:00 a.m.

DDI1012.txt

2003-04-01 00:00:00
Digital Defense Inc.
packetstormsecurity.com

EPSS: 0.015 Low, Percentile: 85.5%

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
- ----------------------------------------------------------------------------  
Digital Defense Inc. Security Advisory DDI-1012 [email protected]  
http://www.digitaldefense.net/  
- ----------------------------------------------------------------------------  
  
Synopsis : Malformed request causes denial of service in HP Instant TopTools  
Package : HP Instant TopTools  
Type : Denial of service  
Issue date : 03-31-2003  
Versions Affected : < 5.55  
CVE Id : CAN-2003-0169  
  
- ----------------------------------------------------------------------------  
  
  
o Product description:  
HP Instant TopTools is an easy-to-install software application that enables you to  
remotely view a NetServer's current state and easily access NetServer information to  
assist in troubleshooting. It is currently supported on all IPMI NetServers running  
Microsoft NT/2000.  
  
  
o Problem description:  
When the Instant TopTools software is installed, you can easily cause a denial of  
service that effectively brings the entire system to a halt. When you request a  
file from the GoAhead-Webs webserver running on TCP port 280, you will notice it  
doesn't directly serve any files. Most files are requested through a middle-man  
application called hpnst.exe. For instance, if you want to get SrvSystemInfo.html,  
you request this:  
  
/cgi-bin/hpnst.exe?c=p+i=SrvSystemInfo.html  
  
You can easily cause a denial of service against the host by having hpnst.exe  
request itself. If you request this 30-40 times, the system will  
become extremely unstable. The application will continue to loop and call  
itself even after your request has timed out. The only way to stop the loop is  
to kill hpnst.exe in your task manager, or reboot. It is possible to kill  
the process if only a single request has been made. However, the system is not  
usable after several have been made. The exact number of requests needed  
depends greatly on the individual system's profile. The actual requested  
resource was:  
  
/cgi-bin/hpnst.exe?c=p+i=hpnst.exe  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned  
the name CAN-2003-0169 to this issue. This is a candidate for  
inclusion in the CVE list (http://cve.mitre.org), which standardizes  
names for security problems.  
  
  
o Testing Environment:  
These tests were done against an HP NetServer LP 1000r. The underlying operating  
system on the host was Windows 2000 Build 2195, SP3. The Instant TopTools version  
was 5.04 build 4.  
  
  
o Solutions and Workarounds:  
Upgrading to the current version of HP TopTools is the best method for  
fixing this vulnerability. You can get version 5.55 for Windows Server  
2003, Windows 2000, and Windows NT4 from:  
http://h20004.www2.hp.com/soar_rnotes/bsdmatrix/matrix50459en_US.html#Utility%20-%20HP%20Instant%20Toptools  
  
As a temporary workaround, disabling the HP TopTools software on each  
host would be an effective method of mitigating this threat. If this  
service is available to the Internet, it is highly recommended that  
you filter TCP port 280 inbound to this host, not only to protect against  
this vulnerability, but also due to the designed capabilities of this  
software.  
  
  
o Revision History:  
03-31-2003 Initial public release  
  
  
o Vendor Contact Information:  
02-17-2003 [email protected] notified  
02-18-2003 Response from HP SOFTWARE SECURITY RESPONSE TEAM  
03-27-2003 Vendor notified Digital Defense that a fix is available  
03-28-2003 Vendor and DDI confirm information, and plan release  
03-31-2003 Initial public release  
  
  
o Thanks to:  
HP Software Security Response Team for quick responses and professional  
handling of this matter.   
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.1 (GNU/Linux)  
  
iD8DBQE+hLyFjB+XO4ZKjSARAkUUAKCL//8oI8okp9WVqcGmBUj4BLysKACfXpBv  
FdK1x9n+BYEa6eLUsvW+l8E=  
=TyyI  
-----END PGP SIGNATURE-----  
  
  
`
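
A defensive check for the request pattern the advisory describes, as an added example that is not part of the original advisory or of HP's software: it scans access logs from a proxy or filter in front of TCP port 280 for requests in which hpnst.exe is asked to serve itself, and counts them per client. The Common Log Format, the constructed sample lines and the name normalisation (case, trailing dots, path prefixes) are assumptions; the advisory does not say how hpnst.exe parses its `i` parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Handler named in the advisory; Windows file names are case-insensitive.
HANDLER = "hpnst.exe"
# Assumed Common Log Format; only the client address and request target are used.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+)[^"]*"')

def leaf(name):
    """Last path component, URL-decoded, lower-cased, trailing dots/spaces dropped."""
    return unquote(name).replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .").lower()

def parse_params(query):
    """Split the advisory's 'c=p+i=file' query form into a dict of raw values."""
    params = {}
    for pair in re.split(r"[+&]", query):
        key, sep, value = pair.partition("=")
        if sep:
            params[key.lower()] = value
    return params

def is_self_reference(target):
    """True when a request handled by hpnst.exe asks it to serve hpnst.exe."""
    path, _, query = target.partition("?")
    if leaf(path) != HANDLER:
        return False
    return leaf(parse_params(query).get("i", "")) == HANDLER

def flag_clients(log_lines, threshold=1):
    """Count self-referential requests per client; return clients at or over threshold."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_self_reference(m.group("target")):
            hits[m.group("client")] += 1
    return {client: n for client, n in hits.items() if n >= threshold}

# Constructed sample lines using documentation addresses, not captured traffic.
SAMPLE = [
    '192.0.2.10 - - [31/Mar/2003:10:00:01 +0000] "GET /cgi-bin/hpnst.exe?c=p+i=SrvSystemInfo.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [31/Mar/2003:10:00:02 +0000] "GET /cgi-bin/hpnst.exe?c=p+i=hpnst.exe HTTP/1.0" 200 0',
    '198.51.100.7 - - [31/Mar/2003:10:00:03 +0000] "GET /cgi-bin/HPNST.EXE?c=p+i=HPNST.EXE HTTP/1.0" 200 0',
    '203.0.113.5 - - [31/Mar/2003:10:00:04 +0000] "GET /index.html HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, count in flag_clients(SAMPLE).items():
        print(f"{client}: {count} self-referential hpnst.exe request(s)")
```

Because the advisory reports that even a single request leaves a looping process behind, the default threshold of 1 flags every match; hosts running a version below 5.55 are the ones where a hit matters.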
