HP OpenView NNM Host Header BO (Dec 18, 2009)

HP OpenView Network Node Manager (NNM) is one of the network and system management software applications developed by HP. It supplies several CGI applications that provide a management interface for the NNM server. These CGI applications include webappmon.exe, OpenView.exe, toolbar.exe, ovlaunch.exe, ovlogin.exe and others. With these CGI applications, users can control and manage the NNM server, as well as access command-line applications, using a web browser.

The webappmon.exe CGI application provides network troubleshooting facilities such as ping, findroute, and others to an HTTP client. This application can be accessed by a web browser using an HTTP request similar to the following:

    GET /OvCgi/webappmon.exe?ins=nowait&action=ping&sel=192.168.0.1 HTTP/1.1
    Host: 192.168.0.214
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

There is a global buffer overflow vulnerability in the HP OpenView Network Node Manager CGI application webappmon.exe. The vulnerability is due to insufficient boundary checking when handling the Host HTTP header. Specifically, the vulnerable code in the affected application first copies a static string, “http://”, into a fixed global buffer of size 0x80 (128) bytes, then concatenates the Host header value into the same buffer by calling a strcat-like function without proper boundary checking. Therefore, an overly long Host HTTP header will overflow the destination global buffer. An attacker exploiting this vulnerability may inject and execute malicious code within the security context of the Internet Guest Account user.
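The copy-then-concatenate pattern described above, next to a bounds-checked form, as an added example that is not HP's code and not part of the original advisory. The buffer and function names are hypothetical; only the 0x80 buffer size and the “http://” prefix come from the text.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 0x80                 /* 128 bytes, the size given in the advisory */
static const char PREFIX[] = "http://";   /* static string copied first */

static char g_url[URL_BUF_SIZE];          /* hypothetical name for the global buffer */

/* Pattern from the advisory: prefix copied, then the Host value appended
 * with no length check. A host longer than 120 bytes writes past g_url. */
void build_url_unchecked(const char *host)
{
    strcpy(g_url, PREFIX);
    strcat(g_url, host);                  /* unbounded append */
}

/* Longest Host value that fits: 128 - 7 (prefix) - 1 (NUL) = 120 bytes. */
size_t max_host_len(void)
{
    return URL_BUF_SIZE - (sizeof(PREFIX) - 1) - 1;
}

/* Hardened form: refuse the request when prefix + host + NUL does not fit.
 * Returns 0 on success, -1 if the Host value is missing or too long. */
int build_url_checked(const char *host)
{
    size_t prefix_len = sizeof(PREFIX) - 1;
    size_t host_len;

    if (host == NULL)
        return -1;
    host_len = strlen(host);
    if (host_len > max_host_len())
        return -1;                        /* reject instead of truncating */
    memcpy(g_url, PREFIX, prefix_len);
    memcpy(g_url + prefix_len, host, host_len + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    char long_host[300];                  /* constructed oversized Host value */
    memset(long_host, 'A', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';

    printf("normal host  -> %d\n", build_url_checked("192.168.0.214"));
    printf("299-byte host -> %d\n", build_url_checked(long_host));
    return 0;
}
```

Rejecting the oversized value, rather than silently truncating it, keeps a malformed Host header from being turned into a different but valid-looking URL.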

To protect SonicWALL customers from attacks targeting this vulnerability, the SonicWALL UTM team has created and released the following IPS signature:

  • 3009 HP OpenView NNM Host Header BO Attempt

This vulnerability has been assigned CVE-2009-4177 by MITRE.
