CVE-2010-1960

Related Files

HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow

Posted Mar 24, 2011

Authored by jduck | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.

tags | exploit, overflow, arbitrary, cgi, code execution

advisories | CVE-2010-1960, OSVDB-65427

SHA-256 | 776b4fe0d9851d0c1cbfd43336360be9b50d1f85d6ab691a9d9e621ecb22aa34

Download | Favorite | View

Zero Day Initiative Advisory 10-105

Posted Jun 9, 2010

Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 10-105 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ovwebsnmpsrv.exe process which can be reached remotely through the jovgraph.exe CGI program. When the ovwebsnmpsrv.exe process is started a function responsible for parsing command line arguments does not properly handle unrecognized options. By supplying an overly large unrecognized option through an HTTP request the error handling functionality can be made to overflow a static buffer while creating the error message. An attacker can leverage this to execute arbitrary code under the context of the user running the webserver.

tags | advisory, remote, web, overflow, arbitrary, cgi

advisories | CVE-2010-1960

SHA-256 | 0c1a2b2d17574aa829d3fc97e050a16f7382be3ff7d6ac10bd8e37e2a78b3a82

Download | Favorite | View

HP Security Bulletin HPSBMA02537 SSRT010027

Posted Jun 9, 2010

Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server.

tags | advisory, web, arbitrary, vulnerability

advisories | CVE-2010-1960, CVE-2010-1961

SHA-256 | 67cc3884d88a4fd6c68a1313fd79231d9a98d7e3061f3a85a03061cda3779f04

Download | Favorite | View