[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Arbitrary files deletion in HP OpenView Performance Agent



#######################################################################

                             Luigi Auriemma

Application:  HP OpenView Performance Agent
              http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-937022
Versions:     ovbbccb.exe <= 6.20.50.0
Platforms:    Windows, Linux, Solaris, HP-UX, AIX
Bug:          arbitrary files deletion
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 01 Jun 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"HP Performance Manager software is a web-based analysis and
visualization tool that analyzes performance trends of applications,
systems, and services."


#######################################################################

======
2) Bug
======


ovbbccb.exe is a SYSTEM service running on port 383.

The "Register" command is used to tell ovbbccb.exe on what port is
located a particular service (for example the Coda one) and some other
informations about it so that the service can use it as an external
servlet.

Such informations are not passed directly via the HTTP request, they
are located in a local file specified by the client using its full
arbitrary path.
After having parsed the informations contained in this file the service
deletes it using MSVCR80.remove from OvXpl.dll:

  00431C42   C645 FC 17       MOV BYTE PTR SS:[EBP-4],17
  00431C46   8D4D CC          LEA ECX,DWORD PTR SS:[EBP-34]
  00431C49   FF15 18064400    CALL DWORD PTR DS:[<&OvXpl.?Delete@File_>
                              ; OvXpl.?Delete@File_t@OvXplIo@@QBE_NXZ

The result is that an attacker can delete any arbitrary file on the
same machine or on others (via UNC paths like "\\server\file.ini") with
SYSTEM privileges.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ovbbccb_1.dat

  nc SERVER 383 < ovbbccb_1.dat

it will delete the file C:\path\sensitive_file.ini 


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org