module
HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
| Disclosed | Created |
|---|---|
| 2010-06-16 | 2018-05-30 |
Disclosed
2010-06-16
Created
2018-05-30
Description
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53
prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'
CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.
This vulnerability is triggerable via either a GET or POST request. It is interesting to
note that this vulnerability cannot be exploited by overwriting SEH, since attempting
to would trigger CVE-2010-1964.
The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe"
with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer
which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When
processing the address results in an error, the buffer is overflowed in a call to sprintf_new.
There are no stack cookies present, so exploitation is easily achieved by overwriting the
saved return address.
There exists some unreliability when running this exploit. It is not completely clear why
at this time, but may be related to OVWDB or session management. Also, on some attempts
OV NNM may report invalid characters in the URL. It is not clear what is causing this
either.
prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'
CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.
This vulnerability is triggerable via either a GET or POST request. It is interesting to
note that this vulnerability cannot be exploited by overwriting SEH, since attempting
to would trigger CVE-2010-1964.
The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe"
with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer
which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When
processing the address results in an error, the buffer is overflowed in a call to sprintf_new.
There are no stack cookies present, so exploitation is easily achieved by overwriting the
saved return address.
There exists some unreliability when running this exploit. It is not completely clear why
at this time, but may be related to OVWDB or session management. Also, on some attempts
OV NNM may report invalid characters in the URL. It is not clear what is causing this
either.
Author
jduck jduck@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.