[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : BufferOverrun in HP Openview Network Node Manager

Title: BufferOverrun in HP Openview Network Node Manager
Released by: Delphis Consulting Plc
Date: 13th June 2000
Printable version: Click here 
============================================================================

    Delphis Consulting Plc

============================================================================



   Security Team Advisories

       [13/06/2000]



    securityteam@delphisplc.com

  [http://www.delphisplc.com/thinking/whitepapers/]



============================================================================

Adv : DST2K0014

Title : BufferOverrun in HP Openview Network Node Manager

v6.1 (Round2)

Author : DCIST (securityteam@delphisplc.com)

O/S : Microsoft Windows NT v4.0 Server (SP6)

Product : HP Openview Node Manager v6.1

Date : 13/06/2000



I.    Description



II.   Solution



III.  Disclaimer





============================================================================





I. Description

============================================================================



Vendor URL: http://www.openview.hp.com/



Delphis Consulting Internet Security Team (DCIST) discovered the following

vulnerability in HP Openview Node Manager under Windows NT.



Severity: high



By using the OverView5 CGI interface which is shipped and installed by

default with HPOpenView network node manager it is possible to cause a

BufferOverRun in SNMP.EXE. This is done be connecting to port 80 which the

WWW service resides on by default and sending a large GET string. The string



has to be a length of 132 + EIP (4 bytes making a total of 136 bytes). This

will cause the above application to BufferOverRun over writing EIP.



Example: (URL will be wrapped)

http://127.0.0.1/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=A0B

0C0D0E0F0G0H0I0J0K0L0M0N0O0P0Q0R0S0T0U0V0W0X0Y0a0b0c0d0e0f0g0h0i0j0k0l0m0n

0o0p0q0r0s0t0u0v0w0x0y0A1B1C1D1E1F1G1H1I1J1K1L1M1N1O1P1ZZZZ





II. Solution

============================================================================



Vendor Status: Informed



We are happy to announce a patch for the above advisory:



HPID: HPSBUX0009-121   Sec. Vulnerability OpenView NNM Object IDs



URL: http://ovweb.external.hp.com/cpe/patches/



We would like to take this opportunity to thank everyone at HP on how

responsive they have been to our research over the past 3 months.



III. Disclaimer

============================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT

THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR

IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE

PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR

CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE

PLACED ON, THIS INFORMATION FOR ANY PURPOSE.

============================================================================






(C) 1999-2000 All rights reserved.