From securityteam@DELPHISPLC.COM Mon Jul 10 02:43:36 2000
From: Security Team
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 8 Jun 2000 14:21:02 +0100
Subject: DST2K0012: BufferOverrun in HP Openview Network Node Manager v6.1

> ================================================================================
> Delphis Consulting Plc
> ================================================================================
>
> Security Team Advisories
> [06/06/2000]
>
> securityteam@delphisplc.com
> [http://www.delphisplc.com/thinking/whitepapers/]
>
> ================================================================================
> Adv     : DST2K0012
> Title   : BufferOverrun in HP Openview Network Node Manager v6.1
> Author  : DCIST (securityteam@delphisplc.com)
> O/S     : Microsoft Windows NT v4.0 Workstation (SP6)
> Product : HP Openview Network Node Manager v6.1
> Date    : 06/06/2000
>
> I.   Description
> II.  Solution
> III. Disclaimer
>
> ================================================================================
>
> I. Description
> ================================================================================
>
> Vendor URL: http://www.openview.hp.com/
>
> Delphis Consulting Internet Security Team (DCIST) discovered the following
> vulnerability in HP Openview Node Manager under Windows NT.
>
> Severity: high
>
> By using the Alarm service, which is shipped and installed by default with HP
> Openview Network Node Manager, it is possible to cause a buffer overrun in
> OVALARMSRV, overwriting the EIP and allowing the execution of arbitrary code.
> This is done by connecting to port 2345, which the port resides on by default,
> and sending a large string. The string has to be a length of 4064 + EIP
> (4 bytes), making a total of 4068 bytes.
>
> II. Solution
> ================================================================================
>
> Vendor Status: Informed
>
> Currently there is no vendor patch available, but the following are
> preventative measures Delphis Consulting Internet Security Team would advise
> users running this service to implement.
>
> o Access list port 2345 on the next hop router for only allowed hosts.
>
> III. Disclaimer
> ================================================================================
> THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
> THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
> IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
> PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
> CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
> PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
> ================================================================================
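As an added illustration of the defect class the advisory describes (not code from the advisory, from Delphis, or from HP), here is the unbounded-copy pattern that lets a 4064 + 4 byte message reach the saved return address, beside a handler that checks the length before touching the buffer. The 4064-byte buffer size, the function names and the 'A'-filled test message are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size, taken from the advisory's figure of 4064 bytes
 * before the saved EIP. Illustrative code, not OVALARMSRV's source. */
#define ALARM_BUF_SIZE 4064

/* Vulnerable pattern: an unbounded copy of peer-supplied data into a fixed
 * stack buffer. A message of 4064 + 4 bytes runs past the buffer and over the
 * saved return address. Kept only for contrast; nothing in this file calls it. */
void handle_alarm_unchecked(const char *msg)
{
    char buf[ALARM_BUF_SIZE];
    strcpy(buf, msg);                 /* no length check at all */
    (void)buf;
}

/* Hardened handler: reject any message that would not fit together with its
 * NUL terminator before copying. Returns the stored length, or -1 if dropped. */
int process_alarm(const char *msg, size_t msg_len)
{
    char buf[ALARM_BUF_SIZE];
    if (msg == NULL || msg_len >= sizeof buf)
        return -1;                    /* oversize: drop, never truncate silently */
    memcpy(buf, msg, msg_len);
    buf[msg_len] = '\0';
    return (int)strlen(buf);
}

/* Builds a constructed 'A'-filled message of the given length and returns
 * what the hardened handler does with it (stored length, or -1 if rejected). */
int alarm_result_for_length(size_t len)
{
    char *payload = malloc(len ? len : 1);
    if (payload == NULL)
        return -1;
    memset(payload, 'A', len);
    int rc = process_alarm(payload, len);
    free(payload);
    return rc;
}

int main(void)
{
    printf("4068-byte message: %d\n", alarm_result_for_length(4068)); /* -1 */
    printf(" 100-byte message: %d\n", alarm_result_for_length(100));  /* 100 */
    return 0;
}
```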