#######################################################################

                             Luigi Auriemma

Application:  HP OpenView Network Node Manager
              http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bug:          memory corruption in ovspmd
Exploitation: remote
Date:         08 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's website:
OpenView NNM "automates the process of developing a hyper-accurate
topology of your physical network, virtual network services and the
complex relationships between them. It then uses that topology as the
basis for intelligent root cause analysis to enhance network
availability and performance."


#######################################################################

======
2) Bug
======


The protocol used by the ovspmd service running on port 8886 is very
simple: a 32 bit number which specifies the length of the data block
(the number itself included), followed by the data.

The service checks that this length value is lower than 9216 (the size
of the destination buffer) to avoid buffer overflows, but the comparison
is signed, so any negative value passes it. The values usable by an
attacker are those between 0x80000000 and 0x80000003: they are negative
in the signed comparison, yet once the 4 bytes of the length field
itself are subtracted the amount of bytes to receive is still positive
(recv() doesn't handle a negative amount of bytes to receive). The
attacker can then exploit the resulting overflow.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/closedview.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################
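The length check described in section 2, reproduced as an added example in C that is not part of the advisory or of the closedview proof of concept: vulnerable_check() mirrors the signed comparison, hardened_check() the corrected form. The ovspmd code itself is not available, so the big-endian byte order of the length field, the subtraction of the 4-byte length field before recv(), and the function names are assumptions made for illustration; the 9216-byte buffer and the 0x80000000..0x80000003 range come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* Size of the destination buffer the advisory names (9216 bytes). */
#define OVSPMD_BUF 9216

/* Build / decode the 4-byte length field that precedes each ovspmd data
   block.  Big-endian order is an assumption made for this example. */
static void put_len(unsigned char hdr[4], uint32_t v) {
    hdr[0] = (unsigned char)(v >> 24); hdr[1] = (unsigned char)(v >> 16);
    hdr[2] = (unsigned char)(v >> 8);  hdr[3] = (unsigned char)v;
}
static uint32_t get_len(const unsigned char hdr[4]) {
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Vulnerable pattern as the advisory describes it: the length is treated
   as a signed int and only compared against the upper bound, so every
   negative value passes.  Returns the byte count that would be handed to
   recv() for the data block, or -1 where the service (or recv()) rejects
   the message.  The "-4 for the length field itself" step is assumed. */
long vulnerable_check(const unsigned char hdr[4]) {
    uint32_t raw = get_len(hdr);
    int len = (int)raw;                 /* signed interpretation */
    if (len >= OVSPMD_BUF)              /* "lower than 9216": negatives pass */
        return -1;
    /* the field counts itself, so 4 bytes are subtracted before recv();
       done in uint32_t to avoid signed overflow in this example.  A raw
       value below 4, or from 0x80000004 up, ends negative here. */
    int to_recv = (int)(raw - 4u);
    if (to_recv < 0)                    /* recv() does not take a negative count */
        return -1;
    return to_recv;                     /* up to 0x7FFFFFFF bytes into 9216 */
}

/* Hardened form: unsigned length, lower and upper bound both enforced. */
long hardened_check(const unsigned char hdr[4]) {
    uint32_t len = get_len(hdr);
    if (len < 4u || len >= OVSPMD_BUF)
        return -1;
    return (long)(len - 4u);
}

/* Convenience wrappers taking the raw 32-bit value. */
long vulnerable_check_value(uint32_t v) { unsigned char h[4]; put_len(h, v); return vulnerable_check(h); }
long hardened_check_value(uint32_t v)   { unsigned char h[4]; put_len(h, v); return hardened_check(h); }

int main(void) {
    /* constructed probe values around both boundaries */
    const uint32_t probes[] = { 0x00000010u, 0x000023FFu, 0x00002400u,
                                0x7FFFFFFFu, 0x80000000u, 0x80000003u, 0x80000004u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("len=0x%08X  vulnerable -> %ld  hardened -> %ld\n",
               probes[i], vulnerable_check_value(probes[i]), hardened_check_value(probes[i]));
    return 0;
}
```

Only the four values 0x80000000..0x80000003 get through vulnerable_check() with a count larger than the buffer; 0x80000004 and above become negative again after the subtraction and recv() refuses them, which is why the advisory's usable range is that narrow. The hardened form rejects the whole negative half by comparing as unsigned.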