[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0303311152400.17735-100000@xenos.digitaldefense.net>
Date: Mon, 31 Mar 2003 13:20:46 -0600 (CST)
From: Erik Parker <erik.parker@...italdefense.net>
To: bugtraq@...urityfocus.com, <vulnwatch@...nwatch.org>
Subject: [DDI-1012] Malformed request causes denial of service in HP Instant
TopTools
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----------------------------------------------------------------------------
Digital Defense Inc. Security Advisory DDI-1012 labs@...italdefense.net
http://www.digitaldefense.net/
- ----------------------------------------------------------------------------
Synopsis : Malformed request causes denial of service in HP Instant TopTools
Package : HP Instant TopTools
Type : Denial of service
Issue date : 03-31-2003
Versions Affected : < 5.55
CVE Id : CAN-2003-0169
- ----------------------------------------------------------------------------
o Product description:
HP Instant TopTools is an easy to install software application that enables you to
remotely view a NetServers' current state and easily access NetServer information to
assist in troubleshooting. Currently supported on all IPMI NetServers running
Microsoft NT/2000.
o Problem description:
When the Instant TopTools software is installed, you can easily cause a denial of
service that effectively brings the entire system to a halt. When you request a
file from the GoAhead-Webs webserver running on tcp port 280, you will notice it
doesn't directly serve any files. Most files are requested by a middle-man application
called hpnst.exe. For instance, if you want to get SrvSystemInfo.html, you request
this:
/cgi-bin/hpnst.exe?c=p+i=SrvSystemInfo.html
You can easily cause a denial of service against the host by having hpnst.exe
request itself. If you request this 30-40 times, the system will
become extremely unstable. The application will continue to loop and call
itself even once your request has timed out. The only way to fix the loop is
to kill hpnst.exe in your task manager, or reboot. It is possible to kill
the process if only a single request has been made. However, the system is not
usable after several have been made. The exact amount of requests needed
would greatly depend on the individual system's profile. The actual requested
resource was:
/cgi-bin/hpnst.exe?c=p+i=hpnst.exe
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0169 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
o Testing Environment:
These tests were done against an HP NetServer LP 1000r.The underlying operating
system on the host was Windows 2000 Build 2195, SP3. Instant TopTools version
5.04 build 4.
o Solutions and Workarounds:
Upgrading to the current version of HP TopTools is the best method for
fixing this vulnerability. You can get version 5.55 for Windows Server
2003, Windows 2000, and Windows NT4 from:
http://h20004.www2.hp.com/soar_rnotes/bsdmatrix/matrix50459en_US.html#Utility%20-%20HP%20Instant%20Toptools
As a temporary workaround, disabling the HP TopTools software on each
host would be an effective method of bypassing this threat. If this
service is available to the Internet, it is highly recommended that
you filter tcp port 280 inbound to this host, not only to protect against
this vulnerability, but also due to the designed capabilities of this
software.
o Revision History:
03-31-2003 Initial public release
o Vendor Contact Information:
02-17-2003 security-alert@...com notified
02-18-2003 Response from HP SOFTWARE SECURITY RESPONSE TEAM
03-27-2003 Vendor notified Digital Defense that a fix is available
03-28-2003 Vendor and DDI confirm information, and plan release
03-31-2003 Initial public release
o Thanks to:
HP Software Security Response Team for quick responses and professional
handling of this matter.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+hLyFjB+XO4ZKjSARAkUUAKCL//8oI8okp9WVqcGmBUj4BLysKACfXpBv
FdK1x9n+BYEa6eLUsvW+l8E=
=TyyI
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists