Message-ID: <20110630175712.679c7f8a.aluigi@autistici.org>
Date: Thu, 30 Jun 2011 17:57:12 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Arbitrary files deletion in HP OpenView Communication Broker


#######################################################################

                             Luigi Auriemma

Application:  HP OpenView Communication Broker
              http://www8.hp.com/us/en/software/enterprise-software.html
Versions:     ovbbccb.exe <= 11.0.43.0
Platforms:    Windows, Linux, Solaris, HP-UX, AIX
Bug:          arbitrary files deletion
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 01 Jun 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


HP Communication Broker is used in various HP enterprise software
products such as Performance Manager, Operations Manager and so on.


#######################################################################

======
2) Bug
======


ovbbccb.exe is a SYSTEM service running on port 383.

The "Register" command is used to tell ovbbccb.exe which port a
particular service (for example the Coda one) is located on, along with
some other information about it, so that the service can use it as an
external servlet.

This information is not passed directly via the HTTP request; it is
located in a local file that the client specifies by its full,
arbitrary path.
After parsing the information contained in this file, the service
deletes it using MSVCR80.remove from OvXpl.dll:

  00431C42   C645 FC 17       MOV BYTE PTR SS:[EBP-4],17
  00431C46   8D4D CC          LEA ECX,DWORD PTR SS:[EBP-34]
  00431C49   FF15 18064400    CALL DWORD PTR DS:[<&OvXpl.?Delete@...e_>
                              ; OvXpl.?Delete@...e_t@...plIo@@QBE_NXZ

The result is that an attacker can delete arbitrary files on the same
machine or on others (via UNC paths like "\\server\file.ini") with
SYSTEM privileges.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ovbbccb_1.dat

  nc SERVER 383 < ovbbccb_1.dat

it will delete the file C:\path\sensitive_file.ini 


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
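
Added example (not part of the original advisory and not HP code): a sketch of the path check that a "Register"-style handler needs before it parses and deletes a client-named file, rejecting UNC paths and anything outside one spool directory. The directory name, the function names and the injected parse/remove callables are assumptions made for illustration.

```python
import ntpath

# Placeholder spool directory (an assumption; the advisory names no such path).
ALLOWED_DIR = r"C:\example\register-spool"


def is_safe_registration_path(path, allowed_dir=ALLOWED_DIR):
    """True only for a local, absolute path that stays inside allowed_dir."""
    if not path or "\x00" in path:
        return False
    p = path.replace("/", "\\")
    # Two leading separators mean UNC (\\server\share) or a device
    # namespace (\\?\, \\.\): never let the service reach those.
    if p.startswith("\\\\"):
        return False
    drive, rest = ntpath.splitdrive(p)
    # Require "X:\..." form; "C:file" is relative to the drive's current dir.
    if len(drive) != 2 or drive[1] != ":" or not rest.startswith("\\"):
        return False
    # A colon after the drive would name an NTFS alternate data stream.
    if ":" in rest:
        return False
    # Collapse "." and ".." lexically, then compare case-insensitively.
    norm = ntpath.normcase(ntpath.normpath(p))
    base = ntpath.normcase(ntpath.normpath(allowed_dir))
    return norm.startswith(base + "\\")


def handle_register(path, parse, remove):
    """Parse then delete the registration file, but only if the path is safe.

    `parse` and `remove` are injected callables (hypothetical stand-ins for
    the service's own file parser and delete routine).
    """
    if not is_safe_registration_path(path):
        return None          # rejected: nothing is read, nothing is deleted
    info = parse(path)
    remove(path)
    return info
```

The check is purely lexical, so it does not see junctions or symbolic links inside the spool directory; a service would also need to resolve the final path of the opened file before deleting it.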

