Arbitrary files deletion in HP OpenView Communication Broker

2011-07-1100:00:00

vulners.com

JSON

#######################################################################

                         Luigi Auriemma

Application: HP OpenView Communication Broker
http://www8.hp.com/us/en/software/enterprise-software.html
Versions: ovbbccb.exe <= 11.0.43.0
Platforms: Windows, Linux, Solaris, HP-UX, AIX
Bug: arbitrary files deletion
Exploitation: remote, versus server
Date: 27 Jun 2011 (found 01 Jun 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

HP Communication Broker is used in various HP enterprise softwares like
Performance Manager, Operations Manager and so on.

#######################################################################

======
2) Bug

ovbbccb.exe is a SYSTEM service running on port 383.

The "Register" command is used to tell ovbbccb.exe on what port is
located a particular service (for example the Coda one) and some other
informations about it so that the service can use it as an external
servlet.

Such informations are not passed directly via the HTTP request, they
are located in a local file specified by the client using its full
arbitrary path.
After having parsed the informations contained in this file the service
deletes it using MSVCR80.remove from OvXpl.dll:

00431C42 C645 FC 17 MOV BYTE PTR SS:[EBP-4],17
00431C46 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00431C49 FF15 18064400 CALL DWORD PTR DS:[<&OvXpl.?Delete@File_>
; OvXpl.?Delete@File_t@OvXplIo@@QBE_NXZ

The result is that an attacker can delete any arbitrary file on the
same machine or on others (via UNC paths like "\\server\file.ini") with
SYSTEM privileges.

#######################################################################