| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Apr 2010 11:24:28 +0200 From: Security <security@...elan.be> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: [CORELAN-10-027] - HP Operations Manager for Windows, Remote Execution of Arbitrary Code (srcvw4.dll and srcvw32.dll) |------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security@...elan.be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-027 Disclosure date : 20/4/2010 References : HP : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02078800 Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-027 CVE : CVE-2010-1033 0x00 : Vulnerability information - Product : HP Operations Manager - Version : v7.5, v8.10 and v8.16 - Vendor : http://www.hp.com/ - URL : http://www.hp.com/ - Platform : Windows - Type of vulnerability : Remote Stack overflow - Risk rating : Medium - Issue fixed in version : Version:1 (rev.1) - 19 April 2010 Initial release - Vulnerability discovered by : mr_me - Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/ Affected versions : HP Operations Manager for Windows v8.10, v8.16 with srcvw4.dll v4.0.1.1 and earlier HP Operations Manager for Windows v7.5 with srcvw32.dll v2.23.28 and earlier 0x01 : Vendor description of software HP Operations Manager is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across your entire IT infrastructure. It monitors both physical and virtual servers to identify the root cause of event storms, allowing faster time to resolution at lower cost. This software helps your IT staff improve its efficiencies by automating performance and availability monitoring. It provides a consolidated view into infrastructure health that helps you prevent service outages. And it allows your organization to handle more tasks on your own, freeing subject matter experts to focus on more strategic tasks. HP Operations Manager can also incorporate agent-less monitoring using HP SiteScope software. In addition, when used in conjunction with Operations Orchestration, it automates routine tasks, reducing the labor required to manage your IT operations. 0x02 : Vulnerability details By loading the activeX control (GUID: 366C9C52-C402-416B-862D-1464F629CA59) LoadFile() in the module srcvw4.dll an attacker can pass an overly long string value and overwrite the exception handler, thus, hijacking the flow of execution. 0x03 : Vendor communication - 30th Mar, 2010 - Initial vendor contact - 31st Mar, 2010 - Vendor acknowledged the issue and requested PoC - 31st Mar, 2010 - Sent PoC code - 1st Apr, 2010 - Vendor confirmed the vulnerability - 13th Apr, 2010 - Vendor notified us that they will release security bulletin and patch - 20th Apr, 2010 - Vendor releases security bulletin - 20th Apr, 2010 - Public Disclosure 0x04 : Exploit PoC code can be downloaded from http://www.corelan.be:8800/advisories.php?id=CORELAN-10-027 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists