---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: HP OpenView Network Node Manager Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39757 VERIFY ADVISORY: http://secunia.com/advisories/39757/ DESCRIPTION: Some vulnerabilities have been reported in HP OpenView Network Node Manager, which can be exploited by malicious people to compromise a vulnerable system. 1) A format string error exists within ovet_demandpoll.exe when copying strings from an HTTP request using the "vnsprintf()" function. This can be exploited to execute arbitrary code via a specially crafted string passed via the "sel" parameter. 2) A boundary error exists within the "_OVParseLLA()" function in ov.dll when copying strings from an HTTP request using the "strcpy()" function. This can be exploited to cause a stack-based buffer overflow by passing an overly long string to the "sel" parameter. 3) A boundary error exists within the doLoad() function in snmpviewer.exe when copying strings from an HTTP request using the "sprintf()" function with a "%s" format specifier. This can be exploited to cause a stack-based buffer overflow by passing an overly long string to the "act" and "app" parameters. 4) A boundary error exists within getnnmdata.exe when copying strings from an HTTP request using the "sprintf()" function. This can be exploited to caused a stack-based buffer overflow by passing an overly long string to the "MaxAge" parameter. 5) A boundary error exists within getnnmdata.exe when copying strings from an HTTP request using the "sprintf()" function. This can be exploited to caused a stack-based buffer overflow by passing an overly long string to the "iCount" parameter. 6) A boundary error exists within getnnmdata.exe when copying strings from an HTTP request using the "sprintf()" function. This can be exploited to caused a stack-based buffer overflow by passing an overly long string to the "Hostname" parameter. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The vulnerabilities are reported in versions 7.01, 7.51, and 7.53 running on HP-UX, Linux, Solaris, and Windows. SOLUTION: Apply patches. http://support.openview.hp.com/selfsolve/patches -- HP OpenView Network Node Manager 7.53 -- HP-UX (IA): Apply patch PHSS_40708 or subsequent HP-UX (PA): Apply patch PHSS_40707 or subsequent Linux RedHatAS2.1: Apply patch LXOV_00103 or subsequent Linux RedHat4AS-x86_64: Apply patch LXOV_00104 or subsequent Solaris: Apply patch PSOV_03527 or subsequent Windows: Apply patch NNM_01203 or subsequent -- HP OpenView Network Node Manager 7.51 -- Upgrade to version 7.53 and apply patches. Patch bundles for upgrading from NNM v7.51 to NNM v5.53 are available using ftp: ftp://nnm_753:Update53@ftp.usa.hp.com/ -- HP OpenView Network Node Manager 7.01 (IA) -- Upgrade to version 7.53 and apply patches. -- HP OpenView Network Node Manager 7.01 (PA) -- HP-UX (PA): Apply patch PHSS_40705 or subsequent Solaris: Apply patch PSOV_03526 or subsequent Windows: Apply patch NNM_01202 or subsequent PROVIDED AND/OR DISCOVERED BY: An anonymous person, reported via ZDI. ORIGINAL ADVISORY: HPSBMA02527 SSRT010098: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-081 http://www.zerodayinitiative.com/advisories/ZDI-10-082 http://www.zerodayinitiative.com/advisories/ZDI-10-083 http://www.zerodayinitiative.com/advisories/ZDI-10-084 http://www.zerodayinitiative.com/advisories/ZDI-10-085 http://www.zerodayinitiative.com/advisories/ZDI-10-086 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------