module
HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow
| Disclosed | Created |
|---|---|
| Aug 3, 2010 | May 30, 2018 |
Description
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.
By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow
a stack buffer and execute arbitrary code.
The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is
declared within this function. When the vulnerability is triggered, the stack trace looks
like the following:
```
#0 ...
#1 sprintf_new(local_stack_buf, fmt, cookie);
#2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie);
#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);
#4 sub_405ee0("nnm", "webappmon");
```
No validation is done on the cookie argument. There are no stack cookies, so exploitation
is easily achieved by overwriting the saved return address or SEH frame.
The original advisory detailed an attack vector using the "OvJavaLocale" cookie being
passed in a request to "webappmon.exe". Further research shows that several different
cookie values, as well as several different CGI applications, can be used.
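The unbounded write described above, next to a bounded replacement that reports truncation, as an added example (not HP's code and not part of the module). The 5120-byte buffer size is an assumption taken from the threshold in the description, and the function names and test cookies are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size: the page only says cookies longer than 5120 bytes overflow. */
#define DEBUG_BUF_SIZE 5120

/* Pattern described on the page, kept for contrast and never called here:
 * the expansion of %s has no bound, so a long cookie runs past buf. */
void debug_log_unbounded(FILE *out, const char *cookie)
{
    char buf[DEBUG_BUF_SIZE];
    sprintf(buf, " HTTP_COOKIE=%s\n", cookie);
    fputs(buf, out);
}

/* Bounded form. Returns 0 if written whole, 1 if truncated, -1 on error.
 * dst is NUL-terminated whenever dst_size > 0 and formatting succeeds. */
int debug_log_bounded(char *dst, size_t dst_size, const char *cookie)
{
    int n = snprintf(dst, dst_size, " HTTP_COOKIE=%s\n", cookie);
    if (n < 0)
        return -1;
    return (size_t)n >= dst_size ? 1 : 0;
}

/* Builds a constructed cookie of cookie_len 'A' bytes, logs it through the
 * bounded form, and reports how many bytes ended up in the buffer. */
int log_constructed_cookie(size_t cookie_len, size_t *stored)
{
    char buf[DEBUG_BUF_SIZE] = "";
    char *cookie = malloc(cookie_len + 1);
    if (cookie == NULL)
        return -1;
    memset(cookie, 'A', cookie_len);
    cookie[cookie_len] = '\0';
    int rc = debug_log_bounded(buf, sizeof buf, cookie);
    *stored = strlen(buf);
    free(cookie);
    return rc;
}

int main(void)
{
    size_t stored = 0;
    int rc = log_constructed_cookie(64, &stored);
    printf("64-byte cookie:   rc=%d stored=%zu\n", rc, stored);
    rc = log_constructed_cookie(6000, &stored);
    printf("6000-byte cookie: rc=%d stored=%zu\n", rc, stored);
    return 0;
}
```

A return value of 1 from the bounded form is also a useful logging signal: a cookie that does not fit the debug buffer is worth recording as an anomalous request.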
Authors
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':