OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] SecurityVulns.com: HP Network Node Manager remote console weak files permissions

From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Thu Feb 08 2007 - 04:22:49 CST


Title: Hewlett-Packard Network Node Manager 7.50 Remote Console weak
        files permissions
Application: Hewlett-Packard Network Node Manager 7.50 Remote Console
        under Microsoft Windows XP SP2.
Vulnerability: Local
Vulnerability Level: High
Impact: privilege escalation of any unprivileged user to Local System or
        another user's account.
Author: 3APA3A <3APA3Asecurity.nnov.ru>, http://SecurityVulns.com
Advisory URL: http://securityvulns.com/advisories/nnmrc.asp
SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html
CVE: CVE-2007-0819

Intro:

NNM Remote Console is remote administration tool for HP Network Node
Manager (NNM). Unlike the rest of NNM, it's installed on administrator's
workstation. 7.50 is the latest version of NNM Remote Console, because
console installation can not be upgraded to 7.51.

Vulnerability Description:

The bug is very simple: insecure installation folder permissions. During
installation of HP Open View Network Node Manager Console this commands
is performed:

C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView" /T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt" >> "C:\Program Files\HP OpenView\log\setup.log"

This command recursively changes access permissions for

C:\Program Files\HP OpenView

folder to

Everyone:Full Control.

It makes it possible for any local user to replace any of HP Open View
executable files or ActiveX components with trojaned/backdoored ones and
gain permissions of user running any of Open View applications (usually
network administrator user).

And worse: there is service installed into HP Open View folder, namely

HP Open View Shared Trace Service

with executable

C:\Program Files\HP OpenView\bin\ovtrcsvc.exe

It's executed with highest possible Local System account. It makes it
possible for any local user to overwrite service executable and obtain
Local System privileges.

Exploit:

1. Rename ovtrcsvc.exe to ovtrcsvc.old
2. Replace ovtrcsvc.exe with any application of your choice and
restart system.
3. Reboot (or wait for reboot).

Workaround:

Restore permission inheritance from parent folder for "C:\Program
Files\HP OpenView\".

Vendor:

September, 11 2006 - Vendor (security-alerthp.com) informed
September, 11 2006 - Automated response received
September, 12 2006 - Human response received ("We will investigate this
and reply")
September, 29 2006 - Second vendor notification
September, 29 2006 - Vendor replies, patches are scheduled at the end of
October. Vendor asks for coordinated disclosure.
November, 16 2006 - Third vendor notification
November, 16 2006 - "Sorry for the delay. I have asked the division for
a schedule update. I will let you know."
February, 07 2007 - non-coordinated public disclosure.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/