HP NNM Template Format String Flaw

January 21, 2011

HP OpenView consists of a suite of network and system management software applications developed by HP. It includes several optional modules and components, such as OpenView Quality Manager, OpenView Performance Insight, and OpenView Network Node Manager.
The HP OpenView Network Node Manager (NNM) supplies several CGI applications to provide a management interface to the NNM server. These CGI applications include OpenView.exe, nnmRptConfig.exe, and nnmRptPresenter.exe among others. With these applications, users can control and manage the NNM server, as well as access command-line applications, using a web browser.

NNM is shipped with a number of report template files having the .rpt extension. The CGI application nnmRptConfig.exe is used to configure report generation by NNM. It uses various predefined templates and allows users to specify how frequently reports should be generated, where to send them, and what outgoing SMTP server to use, etc. This application can be accessed by a web browser. An example HTTP GET request the this application follows:

GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail&Operation= Apply&Params=schdParams+nameParams&schdParams=schd_select1%3Dmonthtodate& nameParams=text1%3DGeneral+Availability%26text2%3Dtmp%40tmp.com%26text3%3D10.0.15.12 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009032609 Firefox/3.0.8 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate

A format string code execution vulnerability exists in the NNM CGI program nnmRptConfig.exe. The vulnerability is due to insufficient input validation when handling one of the CGI parameters in HTTP requests. During message handling the vulnerable code uses an sprintf-like function to the copy a value string to a stack buffer. The code does not perform any validation on the user supplied string and uses it as part of a format string. Thus, if the string contains format conversion specifiers, they will be processed by the sprintf-like function instead of being copied verbatim into the target buffer.

Using certain format specifiers could lead to attacker-controlled memory corruption which can be exploited to inject and execute arbitrary code on the target server. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a target server. Successful exploitation could result in execution of arbitrary code within the security context of the Internet Guest Account user.
SonicWALL has released an IPS signature to address generic exploit attempts targeting this vulnerability. The following signature has been released to address this issue:

  • 6145 - HP OpenView Network Node Manager Format String Attempt

In addition to this targeted detection effort, SonicWALL has numerous IPS signatures that proactively target format string attacks against vulnerabilities such as this one.

This vulnerability has been assigned the identifier CVE-2011-0270 by mitre.