HP OpenView Client Configuration Manager Remote Code Execution and Denial of Service Vulnerability

Vulnerability ID 1192926 Vulnerability type Design error
Published 2006-11-08 Updated 2006-11-08
CVE ID CVE-2006-5782 CNNVD ID CNNVD-200611-146
Platform N/A CVSS score 7.8
|Sources
https://www.securityfocus.com/bid/20971
https://cxsecurity.com/issue/WLB-2006110045
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-146
|Details
HP OpenView Client Configuration Manager (CCM) is an easy-to-use software and HP hardware management solution. The Radia Notify daemon radexecd.exe in HP OpenView CCM contains a security vulnerability that a remote attacker may exploit to execute arbitrary commands. By default this daemon binds to TCP port 3465 and accepts data in the following format: port\x00username\x00password\x00command, where port specifies the connect-back port on the connecting client. Because of a design error, an attacker can execute arbitrary commands in the radexecd.exe install directory without supplying a valid username and password, which leads to at least two pre-authentication issues. First, an attacker can reboot the affected device by launching radbootw.exe; second, an attacker can generate arbitrary files by launching radcrecv.exe. radcrecv listens on any port given on its command line and receives files via multicast download. The attacker can specify the file name and contents, which are saved to the same directory as radexecd.exe. Once a malicious file has been generated, it can be launched, resulting in arbitrary code execution.
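The request format described above (four NUL-separated fields) is simple enough to parse on the wire, which is what a network sensor watching TCP port 3465 would do to spot pre-authentication requests. The following is an added detection example written for this page; it is not code from the advisory, from TippingPoint or from HP. It assumes nothing beyond what the text states: the default port, the field layout, and the two executable names the advisory calls out. All sample payloads are constructed for the example.

```python
"""Detection helper for radexecd-style requests (added illustration, not
vendor or advisory code). It parses the NUL-delimited request format
port\x00username\x00password\x00command and flags requests that match
the pre-authentication abuse patterns the advisory describes: empty
credentials, or a command that launches radbootw.exe or radcrecv.exe."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default listening port of the Radia Notify Daemon, per the advisory.
RADEXECD_PORT = 3465

# Executables the advisory names as launchable without valid credentials.
WATCHED_BINARIES = ("radbootw.exe", "radcrecv.exe")


@dataclass
class RadexecdRequest:
    port: Optional[int]
    username: str
    password: str
    command: str
    findings: List[str] = field(default_factory=list)


def parse_request(payload: bytes) -> Optional[RadexecdRequest]:
    """Split a captured payload into its four NUL-delimited fields.

    Returns None when the payload does not have the expected shape, so
    unrelated traffic seen on the port is not misreported."""
    parts = payload.split(b"\x00", 3)
    if len(parts) != 4:
        return None
    port_raw, user_raw, pass_raw, cmd_raw = parts
    try:
        port: Optional[int] = int(port_raw.decode("ascii"))
    except ValueError:
        port = None
    return RadexecdRequest(
        port=port,
        username=user_raw.decode("latin-1"),
        password=pass_raw.decode("latin-1"),
        command=cmd_raw.rstrip(b"\x00").decode("latin-1"),
    )


def assess_request(payload: bytes) -> Optional[RadexecdRequest]:
    """Parse the payload and attach triage findings.

    An empty findings list means the request carried credentials and did
    not name one of the watched executables."""
    req = parse_request(payload)
    if req is None:
        return None
    if req.port is None or not (0 < req.port < 65536):
        req.findings.append("malformed connect-back port")
    if not req.username or not req.password:
        req.findings.append("empty credentials (pre-auth request)")
    tokens = req.command.split()
    executable = tokens[0].lower() if tokens else ""
    for binary in WATCHED_BINARIES:
        if executable.endswith(binary):
            req.findings.append(f"launches {binary}")
    return req


# Constructed sample captures (not real traffic) used to exercise the
# logic; the file and executable names here are placeholders.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "reboot_noauth": b"4096\x00\x00\x00radbootw.exe",
    "filedrop_noauth": b"4096\x00\x00\x00radcrecv.exe 4097 dropped.bin",
    "normal_notify": b"4096\x00operator\x00s3cret\x00notify.exe",
    "garbage": b"GET / HTTP/1.0\r\n",
}


def scan_samples(samples: Dict[str, bytes] = SAMPLE_PAYLOADS):
    """Return {sample name: findings} (None for unparseable payloads)."""
    results = {}
    for name, payload in samples.items():
        req = assess_request(payload)
        results[name] = None if req is None else req.findings
    return results


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings}")
```

Feeding the reassembled TCP payload of each connection to port 3465 into `assess_request` gives a per-request verdict; in practice the "empty credentials" finding alone is the useful alert, since the advisory's point is that the daemon acts on the command regardless of what the credential fields contain.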
|Exploit
TSRT-06-13: HP OpenView Client Configuration Manager Device Code
            Execution Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
November  8, 2006

-- CVE ID:
CVE-2006-5782

-- Affected Vendor:
Hewlett-Packard

-- Affected Products:
OpenView Client Configuration Manager 1.0

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable device installations of HP OpenView Client Configuration
Manager (CCM). Authentication is not required to exploit this
vulnerability. The CCM server is not affected.

The specific flaw exists within the Radia Notify Daemon, radexecd.exe,
which binds to TCP port 3465 on default CCM device installs. The
vulnerable daemon expects to receive data in the following format:

port\x00username\x00password\x00command

Where 'port' specifies a connect back port on the connecting client.
Due to a design flaw a correct username and password is not required in
order to execute arbitrary commands within the radexecd.exe install
directory. This exposes at least two pre-authentication issues. The
first allows attackers to reboot affected devices by launching
radbootw.exe, which reboots the system without any further prompts. The
second allows attackers to generate an arbitrary file by launching
radcrecv.exe. radcrecv will listen on an arbitrary port as specified on
the command line and receive files via multicast download. The filename
and contents can be specified by the attacker and are saved to the same
directory as radexecd.exe. Once a malicious file has been generated, it
can then be launched as before.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00795552

-- Disclosure Timeline:
2006.10.10 - Vulnerability reported to vendor
2006.11.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.
|Affected products
HP OpenView Client Configuration Manager 1.0
|References

Source: XF
Name: hp-openview-radianotify-dos(30138)
Link: http://xforce.iss.net/xforce/xfdb/30138
Source: BUGTRAQ
Name: 20061108 TSRT-06-13: HP OpenView Client Configuration Manager Device Code Execution Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/450942/100/0/threaded
Source: VUPEN
Name: ADV-2006-4410
Link: http://www.frsirt.com/english/advisories/2006/4410
Source: SECTRACK
Name: 1017197
Link: http://securitytracker.com/id?1017197
Source: SECUNIA
Name: 22780
Link: http://secunia.com/advisories/22780
Source: HP
Name: SSRT061262
Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00795552
Source: SREASON
Name: 1842
Link: http://securityreason.com/securityalert/1842