----------------------------------------------------------------------


Looking for a job?


Secunia is hiring skilled researchers and talented developers.


http://secunia.com/company/jobs/


----------------------------------------------------------------------

TITLE:
HP OpenView Network Node Manager Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA39757

VERIFY ADVISORY:
http://secunia.com/advisories/39757/

DESCRIPTION:
Some vulnerabilities have been reported in HP OpenView Network Node
Manager, which can be exploited by malicious people to compromise a
vulnerable system.

1) A format string error exists within ovet_demandpoll.exe when
copying strings from an HTTP request using the "vnsprintf()"
function. This can be exploited to execute arbitrary code via a
specially crafted string passed via the "sel" parameter.

2) A boundary error exists within the "_OVParseLLA()" function in
ov.dll when copying strings from an HTTP request using the "strcpy()"
function. This can be exploited to cause a stack-based buffer overflow
by passing an overly long string to the "sel" parameter.

3) A boundary error exists within the doLoad() function in
snmpviewer.exe when copying strings from an HTTP request using the
"sprintf()" function with a "%s" format specifier. This can be
exploited to cause a stack-based buffer overflow by passing an overly
long string to the "act" and "app" parameters.

4) A boundary error exists within getnnmdata.exe when copying strings
from an HTTP request using the "sprintf()" function. This can be
exploited to caused a stack-based buffer overflow by passing an
overly long string to the "MaxAge" parameter.

5) A boundary error exists within getnnmdata.exe when copying strings
from an HTTP request using the "sprintf()" function. This can be
exploited to caused a stack-based buffer overflow by passing an
overly long string to the "iCount" parameter.

6) A boundary error exists within getnnmdata.exe when copying strings
from an HTTP request using the "sprintf()" function. This can be
exploited to caused a stack-based buffer overflow by passing an
overly long string to the "Hostname" parameter.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

The vulnerabilities are reported in versions 7.01, 7.51, and 7.53
running on HP-UX, Linux, Solaris, and Windows.

SOLUTION:
Apply patches.
http://support.openview.hp.com/selfsolve/patches

-- HP OpenView Network Node Manager 7.53 --

HP-UX (IA):
Apply patch PHSS_40708 or subsequent

HP-UX (PA):
Apply patch PHSS_40707 or subsequent

Linux RedHatAS2.1:
Apply patch LXOV_00103 or subsequent

Linux RedHat4AS-x86_64:
Apply patch LXOV_00104 or subsequent

Solaris:
Apply patch PSOV_03527 or subsequent

Windows:
Apply patch NNM_01203 or subsequent

-- HP OpenView Network Node Manager 7.51 --

Upgrade to version 7.53 and apply patches.
Patch bundles for upgrading from NNM v7.51 to NNM v5.53 are available
using ftp:
ftp://nnm_753:Update53@ftp.usa.hp.com/

-- HP OpenView Network Node Manager 7.01 (IA) --
Upgrade to version 7.53 and apply patches.

-- HP OpenView Network Node Manager 7.01 (PA) --

HP-UX (PA):
Apply patch PHSS_40705 or subsequent

Solaris:
Apply patch PSOV_03526 or subsequent

Windows:
Apply patch NNM_01202 or subsequent

PROVIDED AND/OR DISCOVERED BY:
An anonymous person, reported via ZDI.

ORIGINAL ADVISORY:
HPSBMA02527 SSRT010098:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-081
http://www.zerodayinitiative.com/advisories/ZDI-10-082
http://www.zerodayinitiative.com/advisories/ZDI-10-083
http://www.zerodayinitiative.com/advisories/ZDI-10-084
http://www.zerodayinitiative.com/advisories/ZDI-10-085
http://www.zerodayinitiative.com/advisories/ZDI-10-086

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------