HP OpenView NNM Host Header BO

December 18, 2009

HP OpenView Network Node Manager (NNM) is one of the network and system management software applications developed by HP. It supplies several CGI applications that provide a management interface to the NNM server. These CGI applications include webappmon.exe, OpenView.exe, toolbar.exe, ovlaunch.exe, ovlogin.exe and others. With these CGI applications, users can control and manage the NNM server, as well as access command-line applications, using a web browser.

The webappmon.exe CGI application provides network troubleshooting facilities such as ping, findroute, and others, to an HTTP client. This application can be accessed by a web browser using an HTTP request similar to the following:

    GET /OvCgi/webappmon.exe?ins=nowait&action=ping&sel= HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20090729 Firefox/3.5.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

There is a global buffer overflow vulnerability in the HP OpenView Network Node Manager CGI application webappmon.exe. The vulnerability is due to insufficient boundary checking when handling the Host HTTP header. Specifically, the vulnerable code first copies a static string, "http://", into a fixed global buffer of size 0x80 (128) bytes, then concatenates the Host header value into the same buffer by calling a strcat-like function without proper boundary checking. An overly long Host HTTP header therefore overflows the destination global buffer. An attacker exploiting this vulnerability may inject and execute malicious code within the security context of the Internet Guest Account user.
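The copy-then-concatenate pattern described above, shown next to a length-checked form, as an added example that is not HP's code. The names g_url, build_url_unchecked, build_url_checked and current_url are hypothetical; only the "http://" prefix and the 0x80-byte buffer size come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 0x80              /* 128-byte global buffer, per the advisory */
static char g_url[URL_BUF_SIZE];       /* hypothetical name for that buffer */
static const char PREFIX[] = "http://";

/* Pattern the advisory describes: prefix copied, Host appended with no
 * length check. Any Host value longer than 120 bytes writes past g_url. */
void build_url_unchecked(const char *host)
{
    strcpy(g_url, PREFIX);
    strcat(g_url, host);
}

/* Hardened form: reject a Host value that does not fit together with the
 * prefix and the terminating NUL. Returns 0 on success, -1 on rejection
 * (g_url is left as an empty string in that case). */
int build_url_checked(const char *host)
{
    const size_t prefix_len = sizeof(PREFIX) - 1;             /* 7 */
    const size_t room = sizeof(g_url) - prefix_len - 1;       /* 120 */
    size_t host_len;

    g_url[0] = '\0';
    if (host == NULL || (host_len = strlen(host)) > room)
        return -1;
    memcpy(g_url, PREFIX, prefix_len);
    memcpy(g_url + prefix_len, host, host_len + 1);           /* includes NUL */
    return 0;
}

const char *current_url(void) { return g_url; }

int main(void)
{
    char long_host[300];               /* constructed oversized Host value */
    memset(long_host, 'A', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';

    printf("short: %d \"%s\"\n", build_url_checked("nnm.example.test"), current_url());
    printf("long:  %d \"%s\"\n", build_url_checked(long_host), current_url());
    return 0;
}
```

The boundary is 120 bytes of Host data: 128 minus the 7-byte prefix minus the terminating NUL.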

To protect SonicWALL customers from attacks targeting this vulnerability, the SonicWALL UTM team has created and released the following IPS signature:

  • 3009 HP OpenView NNM Host Header BO Attempt

This vulnerability has been assigned CVE-2009-4177 by MITRE.