CORELAN-10-027 - HP Operations Manager remote BOF
April 20, 2010
11:05
mr_me

Corelan Team Member


Advisory : CORELAN-10-027


Disclosure date : 20/4/2010


CVE : CVE-2010-1033

 

0x00 : Vulnerability information

 

- Product : HP Operations Manager

- Version : v8.16

- Vendor : http://www.hp.com/

- URL : http://www.hp.com/

- Platform : Windows

- Type of vulnerability : Remote Stack overflow

- Risk rating : Medium

- Issue fixed in version : Version:1 (rev.1) – 19 April 2010 Initial release

  http://h20000.www2.hp.com/bizs…..=c02078800

- Vulnerability discovered by : mr_me

- Corelan Team : http://www.corelan.be:8800/ind…..m-members/

 

 



0x01 : Vendor description of software

 

HP Operations Manager is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across your entire IT infrastructure. It monitors both physical and virtual servers to identify the root cause of event storms, allowing faster time to resolution at lower cost.

This software helps your IT staff improve its efficiencies by automating performance and availability monitoring. It provides a consolidated view into infrastructure health that helps you prevent service outages. And it allows your organization to handle more tasks on your own, freeing subject matter experts to focus on more strategic tasks.

HP Operations Manager can also incorporate agent-less monitoring using HP SiteScope software. In addition, when used in conjunction with Operations Orchestration, it automates routine tasks, reducing the labor required to manage your IT operations.

 

0x02 : Vulnerability details

 

By loading the ActiveX control (GUID: 366C9C52-C402-416B-862D-1464F629CA59) LoadFile() in the module srcvw4.dll an attacker can pass an overly long string value and overwrite the exception handler, thus hijacking the flow of execution.

 

0x03 : Vendor communication

 

- 30th Mar, 2010 – Initial vendor contact

- 31st Mar, 2010 – Vendor acknowledged the issue and requested PoC

- 31st Mar, 2010 – Sent PoC code

- 1st Apr, 2010 – Vendor confirmed the vulnerability

- 13th Apr, 2010 – Vendor notified us that they will release security bulletin and patch

- 20th Apr, 2010 – Vendor releases security bulletin

- 20th Apr, 2010 – Public Disclosure

 

0x04 : Exploit/PoC

 

http://net-ninja.net/blog/medi…..r.html.txt

here

The road to hell is paved in good intentions.
Forum Timezone: Europe/Brussels
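
A host-side audit for the control described in section 0x02, as an added example that is not part of the original advisory or the vendor bulletin: it reports whether the CLSID is registered, which DLL and file version back it, and whether the Internet Explorer kill bit is set. The kill-bit check is the standard Windows ActiveX Compatibility mechanism rather than something the advisory mentions, the function name `Get-ControlStatus` is hypothetical, and a 64-bit PowerShell session is assumed.

```powershell
# Added example: audit a Windows host for the ActiveX control named in this advisory.
# The CLSID is the GUID from section 0x02; the kill-bit location and flag value are
# the standard Internet Explorer "ActiveX Compatibility" mechanism, not HP guidance.
$Clsid   = '{366C9C52-C402-416B-862D-1464F629CA59}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD

# Native and 32-bit-on-64-bit (Wow6432Node) registry views.
$Views = @(
    @{ Name = 'native'; Root = 'HKLM:\SOFTWARE' },
    @{ Name = 'wow64';  Root = 'HKLM:\SOFTWARE\Wow6432Node' }
)

function Get-ControlStatus {
    param([string]$Root, [string]$ViewName)

    $regKey  = Join-Path $Root "Classes\CLSID\$Clsid\InprocServer32"
    $killKey = Join-Path $Root "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    $dll = $null; $version = $null
    if (Test-Path -LiteralPath $regKey) {
        # The key's default value holds the path of the DLL implementing the control.
        $dll = (Get-Item -LiteralPath $regKey).GetValue('')
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $version = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
        }
    }

    $flags = $null
    if (Test-Path -LiteralPath $killKey) {
        $flags = (Get-Item -LiteralPath $killKey).GetValue('Compatibility Flags')
    }

    [pscustomobject]@{
        View       = $ViewName
        Registered = [bool]$dll
        Dll        = $dll
        Version    = $version
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

$report = foreach ($v in $Views) { Get-ControlStatus -Root $v.Root -ViewName $v.Name }
$report | Format-Table -AutoSize

# A registered control with no kill bit can still be instantiated by Internet Explorer.
$report | Where-Object { $_.Registered -and -not $_.KillBitSet } |
    ForEach-Object { Write-Warning "$($_.View): control loadable from $($_.Dll)" }
```

Compare the reported file version against the fixed build named in the vendor bulletin linked in section 0x00; the script itself does not know which version is patched.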
