CVE-2010-1961

Related Files

HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow

Posted Mar 24, 2011

Authored by jduck | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.

tags | exploit, overflow, arbitrary, cgi

advisories | CVE-2010-1961, OSVDB-65428

SHA-256 | 5582013e7dde303149edfe7da48c08313b51ded046619d9bfba33ef02981baa8

Download | Favorite | View

Zero Day Initiative Advisory 10-106

Posted Jun 9, 2010

Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 10-106 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ovutil.dll module which is loaded by the ovwebsnmpsrv.exe process which in turn can be reached remotely through the jovgraph.exe CGI program. By supplying overly large values to variables passed through an HTTP request a sprintf can be made to overflow a static buffer. An attacker can leverage this to execute arbitrary code under the context of the user running the webserver.

tags | advisory, remote, web, overflow, arbitrary, cgi

advisories | CVE-2010-1961

SHA-256 | 6349a1bd3060c2050d441e1c279af5abec002cec2544760f646399fe43d792a9

Download | Favorite | View

HP Security Bulletin HPSBMA02537 SSRT010027

Posted Jun 9, 2010

Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server.

tags | advisory, web, arbitrary, vulnerability

advisories | CVE-2010-1960, CVE-2010-1961

SHA-256 | 67cc3884d88a4fd6c68a1313fd79231d9a98d7e3061f3a85a03061cda3779f04

Download | Favorite | View