-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ----------------------------------------------------------------------------
Digital Defense Inc. Security Advisory DDI-1012      labs@digitaldefense.net
http://www.digitaldefense.net/
- ----------------------------------------------------------------------------

Synopsis          : Malformed request causes denial of service in HP Instant TopTools
Package           : HP Instant TopTools
Type              : Denial of service
Issue date        : 03-31-2003
Versions Affected : < 5.55
CVE Id            : CAN-2003-0169

- ----------------------------------------------------------------------------


o Product description:
   HP Instant TopTools is an easy to install software application that enables you to 
   remotely view a NetServers' current state and easily access NetServer information to 
   assist in troubleshooting. Currently supported on all IPMI NetServers running 
   Microsoft NT/2000.


o Problem description:
   When the Instant TopTools software is installed, you can easily cause a denial of
   service that effectively brings the entire system to a halt. When you request a
   file from the GoAhead-Webs webserver running on tcp port 280, you will notice it
   doesn't directly serve any files. Most files are requested by a middle-man application
   called hpnst.exe. For instance, if you want to get SrvSystemInfo.html, you request
   this:

   /cgi-bin/hpnst.exe?c=p+i=SrvSystemInfo.html

   You can easily cause a denial of service against the host by having hpnst.exe
   request itself. If you request this 30-40 times, the system will
   become extremely unstable. The application will continue to loop and call 
   itself even once your request has timed out. The only way to fix the loop is
   to kill hpnst.exe in your task manager, or reboot. It is possible to kill
   the process if only a single request has been made. However, the system is not
   usable after several have been made. The exact amount of requests needed
   would greatly depend on the individual system's profile. The actual requested
   resource was: 

   /cgi-bin/hpnst.exe?c=p+i=hpnst.exe

   The Common Vulnerabilities and Exposures (CVE) project has assigned
   the name CAN-2003-0169 to this issue. This is a candidate for
   inclusion in the CVE list (http://cve.mitre.org), which standardizes
   names for security problems.


o Testing Environment:
   These tests were done against an HP NetServer LP 1000r.The underlying operating
   system on the host was Windows 2000 Build 2195, SP3. Instant TopTools version
   5.04 build 4.


o Solutions and Workarounds:
   Upgrading to the current version of HP TopTools is the best method for
   fixing this vulnerability. You can get version 5.55 for Windows Server
   2003, Windows 2000, and Windows NT4 from:
   http://h20004.www2.hp.com/soar_rnotes/bsdmatrix/matrix50459en_US.html#Utility%20-%20HP%20Instant%20Toptools

   As a temporary workaround, disabling the HP TopTools software on each
   host would be an effective method of bypassing this threat. If this
   service is available to the Internet, it is highly recommended that
   you filter tcp port 280 inbound to this host, not only to protect against
   this vulnerability, but also due to the designed capabilities of this
   software.


o Revision History:
   03-31-2003     Initial public release


o Vendor Contact Information:
   02-17-2003     security-alert@hp.com notified
   02-18-2003     Response from HP SOFTWARE SECURITY RESPONSE TEAM
   03-27-2003     Vendor notified Digital Defense that a fix is available
   03-28-2003     Vendor and DDI confirm information, and plan release
   03-31-2003     Initial public release


o Thanks to:
   HP Software Security Response Team for quick responses and professional
   handling of this matter. 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+hLyFjB+XO4ZKjSARAkUUAKCL//8oI8okp9WVqcGmBUj4BLysKACfXpBv
FdK1x9n+BYEa6eLUsvW+l8E=
=TyyI
-----END PGP SIGNATURE-----