Hewlett-Packard Network Node Manager 7.50 Remote Console weak files permissions

by Vitaly Popovich [Published on 8 Feb. 2007 / Last Updated on 8 Feb. 2007]


Title: Hewlett-Packard Network Node Manager 7.50 Remote Console weak files permissions
Application: Hewlett-Packard Network Node Manager 7.50 Remote Console under Microsoft Windows XP SP2.
Vulnerability: Local
Vulnerability Level: High
Impact: privilege escalation of any unprivileged user to Local System or another user's account.
Author: 3APA3A <3APA3A at security.nnov.ru>, http://SecurityVulns.com
Advisory URL: http://securityvulns.com/advisories/nnmrc.asp
SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html
CVE: CVE-2007-0819
Intro: NNM Remote Console is remote administration tool for HP Network Node Manager (NNM). Unlike the rest of NNM, it's installed on administrator's workstation. 7.50 is the latest version of NNM Remote Console, because console installation can not be upgraded to 7.51.
Vulnerability Description: The bug is very simple: insecure installation folder permissions. During installation of HP Open View Network Node Manager Console this commands is performed:
C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView" /T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt" >> "C:\Program Files\HP OpenView\log\setup.log"
This command recursively changes access permissions for C:\Program Files\HP OpenView folder to Everyone:Full Control. It makes it possible for any local user to replace any of HP Open View executable files or ActiveX components with trojaned/backdoored ones and gain permissions of user running any of Open View applications (usually network administrator user). And worse: there is service installed into HP Open View folder, namely HP Open View Shared Trace Service with executable C:\Program Files\HP OpenView\bin\ovtrcsvc.exe It's executed with highest possible Local System account. It makes it possible for any local user to overwrite service executable and obtain Local System privileges.
Exploit:
1. Rename ovtrcsvc.exe to ovtrcsvc.old
2. Replace ovtrcsvc.exe with any application of

Title: Hewlett-Packard Network Node Manager 7.50 Remote Console weak files permissions

Application: Hewlett-Packard Network Node Manager 7.50 Remote Console under Microsoft Windows XP SP2.

Vulnerability: Local

Vulnerability Level: High

Impact: privilege escalation of any unprivileged user to Local System or another user's account.

Author: 3APA3A <3APA3A at security.nnov.ru>, http://SecurityVulns.com

Advisory URL: http://securityvulns.com/advisories/nnmrc.asp

SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html

CVE: CVE-2007-0819

Intro: NNM Remote Console is remote administration tool for HP Network Node Manager (NNM). Unlike the rest of NNM, it's installed on administrator's workstation. 7.50 is the latest version of NNM Remote Console, because console installation can not be upgraded to 7.51.

Vulnerability Description: The bug is very simple: insecure installation folder permissions. During installation of HP Open View Network Node Manager Console this commands is performed:

C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView" /T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt" >> "C:\Program Files\HP OpenView\log\setup.log"

This command recursively changes access permissions for C:\Program Files\HP OpenView folder to Everyone:Full Control. It makes it possible for any local user to replace any of HP Open View executable files or ActiveX components with trojaned/backdoored ones and gain permissions of user running any of Open View applications (usually network administrator user). And worse: there is service installed into HP Open View folder, namely HP Open View Shared Trace Service with executable C:\Program Files\HP OpenView\bin\ovtrcsvc.exe It's executed with highest possible Local System account. It makes it possible for any local user to overwrite service executable and obtain Local System privileges.

Exploit:

1. Rename ovtrcsvc.exe to ovtrcsvc.old

2. Replace ovtrcsvc.exe with any application of your choice and restart system.

3. Reboot (or wait for reboot).

Workaround: Restore permission inheritance from parent folder for "C:\Program Files\HP OpenView\".

Vendor:

September, 11 2006 - Vendor (security-alert at hp.com) informed

September, 11 2006 - Automated response received

September, 12 2006 - Human response received ("We will investigate this and reply")

September, 29 2006 - Second vendor notification

September, 29 2006 - Vendor replies, patches are scheduled at the end of October. Vendor asks for coordinated disclosure.

November, 16 2006 - Third vendor notification

November, 16 2006 - "Sorry for the delay. I have asked the division for a schedule update. I will let you know."

February, 07 2007 - non-coordinated public disclosure.

Add Review or Comment

Featured Links