Tried, Tested and Proven

Security Advisory 05 – 014 – Unauthenticated Remote Command Execution In HP OpenView Network Node Manager

Vulnerable System:

HP OpenView Network Node Manager 6.41 and 7.5 running on Solaris 8
(confirmed) HP OpenView Network Node Manager all version all operating systems (unconfirmed)

Vulnerability discovery and development:

James Fisher of Portcullis Computer Security Ltd discovered this vulnerability during an network security assessment. Due to inadequate input validation by the Network Node Manager application, it was possible to execute system level commands within the privilege context of the web server user.

Affected Systems:

It has been confirmed that versions 6.41 and 7.5 are vulnerable on Sun Solaris 8 (Sparc), however it is highly likely that all versions of the software on all supported operating systems are likely to be vulnerable, however this has not been confirmed.

Details:

It was identified that connectedNodes.ovpl script will take input from a user and concatenate that input with an existing string. This resultant string is then executed as a system command by the web server, without validating the data sent from the user. Thus it is possible for an attacker to inject their own system commands.

Impact:

An attacker can blindly execute system commands (as no command output is returned) with the privileges of the web server, by using a pipe command separator to initiate a new command. However, the connectedNodes.ovpl script will error if either of the less than or greater than characters are included, thus making commands which redirect input/output fail. Despite this limitation it was possible to script the binding of a shell to a port as proved by Paul Docherty (Portcullis Computer Security Ltd) thus providing a fully interactive remote shell running with the privileges of the “bin” user account.

Exploit:

Entering the following URL

"http://[host]:3443/OvCgi/connectedNodes.ovpl?node=a| [your command] |"

to a web browser will exploit the vulnerability. (Note the square brackets should be removed)

Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.