CVE-2007-2281 - Numeric Errors vulnerability in HP Openview Storage Data Protector 5.50/6.0

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, hp, CWE-189, critical, nessus

Summary

Integer overflow in the _ncp32._NtrpTCPReceiveMsg function in rds.exe in the Cell Manager Database Service in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via a large value in the size parameter.

Vulnerable Configurations

Part         Description  Count
Application  Hp           2

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36799.NASL
    description: s700_800 11.X OV DP5.50 PA RISC patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43138
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43138
    title: HP-UX PHSS_36799 : s700_800 11.X OV DP5.50 PA RISC patch - CS packet
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_36799. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43138);
      script_version("1.16");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      script_cve_id("CVE-2007-2280", "CVE-2007-2281", "CVE-2009-3844");
      script_xref(name:"TRA", value:"TRA-2009-04");
      script_xref(name:"HP", value:"emr_na-c01124817");
      script_xref(name:"HP", value:"emr_na-c01943909");
      script_xref(name:"HP", value:"SSRT061258");
      script_xref(name:"HP", value:"SSRT061259");
      script_xref(name:"HP", value:"SSRT090113");
    
      script_name(english:"HP-UX PHSS_36799 : s700_800 11.X OV DP5.50 PA RISC patch - CS packet");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.X OV DP5.50 PA RISC patch - CS packet : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - Potential security vulnerabilities have been identified
        with HP OpenView Storage Data Protector running on
        HP-UX, Windows, Linux and Solaris. These vulnerabilities
        could be exploited remotely to execute arbitrary code.
        (HPSBMA02252 SSRT061258, SSRT061259)
    
      - A potential security vulnerability has been identified
        with OpenView Data Protector Application Recovery
        Manager version 5.5 and 6.0. The vulnerability could be
        exploited remotely to create a denial of service (DoS).
        (HPSBMA02481 SSRT090113)"
      );
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-04");
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5bd45cd2"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0a593fc9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_36799 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.00 11.11 11.23", proc:"parisc"))
    {
      exit(0, "The host is not affected since PHSS_36799 applies to a different OS release / architecture.");
    }
    
    patches = make_list("PHSS_36799", "PHSS_37827", "PHSS_38726");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-CS", version:"A.05.50")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36589.NASL
    description: s700_800 11.X OV DP6.00 IA-64 patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43135
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43135
    title: HP-UX PHSS_36589 : s700_800 11.X OV DP6.00 IA-64 patch - CS packet
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_36589. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43135);
      script_version("1.20");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      script_cve_id("CVE-2007-2280", "CVE-2007-2281", "CVE-2009-3844");
      script_xref(name:"TRA", value:"TRA-2009-04");
      script_xref(name:"HP", value:"emr_na-c01124817");
      script_xref(name:"HP", value:"emr_na-c01943909");
      script_xref(name:"HP", value:"SSRT061258");
      script_xref(name:"HP", value:"SSRT061259");
      script_xref(name:"HP", value:"SSRT090113");
    
      script_name(english:"HP-UX PHSS_36589 : s700_800 11.X OV DP6.00 IA-64 patch - CS packet");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.X OV DP6.00 IA-64 patch - CS packet : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential security vulnerability has been identified
        with OpenView Data Protector Application Recovery
        Manager version 5.5 and 6.0. The vulnerability could be
        exploited remotely to create a denial of service (DoS).
        (HPSBMA02481 SSRT090113)
    
      - Potential security vulnerabilities have been identified
        with HP OpenView Storage Data Protector running on
        HP-UX, Windows, Linux and Solaris. These vulnerabilities
        could be exploited remotely to execute arbitrary code.
        (HPSBMA02252 SSRT061258, SSRT061259)"
      );
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-04");
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5bd45cd2"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0a593fc9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_36589 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.23 11.31", proc:"ia64"))
    {
      exit(0, "The host is not affected since PHSS_36589 applies to a different OS release / architecture.");
    }
    
    patches = make_list("PHSS_36589", "PHSS_37302", "PHSS_37821", "PHSS_38405", "PHSS_39106", "PHSS_39794", "PHSS_40171", "PHSS_40567", "PHSS_41264", "PHSS_41869");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-CS", version:"A.06.00")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37383.NASL
    description: s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43141
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43141
    title: HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_37383. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43141);
      script_version("1.18");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      script_cve_id("CVE-2007-2280", "CVE-2007-2281", "CVE-2009-3844");
      script_xref(name:"TRA", value:"TRA-2009-04");
      script_xref(name:"HP", value:"emr_na-c01124817");
      script_xref(name:"HP", value:"emr_na-c01943909");
      script_xref(name:"HP", value:"SSRT061258");
      script_xref(name:"HP", value:"SSRT061259");
      script_xref(name:"HP", value:"SSRT090113");
    
      script_name(english:"HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet : 
    
    The remote HP-UX host is affected by multiple vulnerabilities :
    
      - A potential security vulnerability has been identified
        with OpenView Data Protector Application Recovery
        Manager version 5.5 and 6.0. The vulnerability could be
        exploited remotely to create a denial of service (DoS).
        (HPSBMA02481 SSRT090113)
    
      - Potential security vulnerabilities have been identified
        with HP OpenView Storage Data Protector running on
        HP-UX, Windows, Linux and Solaris. These vulnerabilities
        could be exploited remotely to execute arbitrary code.
        (HPSBMA02252 SSRT061258, SSRT061259)"
      );
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-04");
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5bd45cd2"
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0a593fc9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_37383 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.23", proc:"ia64"))
    {
      exit(0, "The host is not affected since PHSS_37383 applies to a different OS release / architecture.");
    }
    
    patches = make_list("PHSS_37383", "PHSS_38723");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-CORE-IS", version:"A.05.50")) flag++;
    if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-FRA-LS-P", version:"A.05.50")) flag++;
    if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-INTEG-P", version:"A.05.50")) flag++;
    if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-JPN-LS-P", version:"A.05.50")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36622.NASL
    description: s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43136
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43136
    title: HP-UX PHSS_36622 : s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36588.NASL
    description: s700_800 11.X OV DP6.00 PA-RISC patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43134
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43134
    title: HP-UX PHSS_36588 : s700_800 11.X OV DP6.00 PA-RISC patch - CS packet
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37382.NASL
    description: s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43140
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43140
    title: HP-UX PHSS_37382 : s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36800.NASL
    description: s700_800 11.23 OV DP5.50 IA-64 patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43139
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43139
    title: HP-UX PHSS_36800 : s700_800 11.23 OV DP5.50 IA-64 patch - CS packet
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36623.NASL
    description: s700_800 11.X OV DP6.00 IA-64 patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43137
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43137
    title: HP-UX PHSS_36623 : s700_800 11.X OV DP6.00 IA-64 patch - CORE packet

Seebug

bulletinFamily: exploit
description:
BUGTRAQ ID: 37386
CVE(CAN) ID: CVE-2007-2281

HP OpenView Storage Data Protector is a scalable data management solution that provides high-performance disk-based or tape-based backup and recovery.

A heap overflow vulnerability exists in the Cell Manager Database service (rds.exe) of OpenView Storage Data Protector, which binds to TCP port 1530 by default. The service receives socket data in the following format through _ncp32._NtrpTCPReceiveMsg():

    [0xB6298C23][4-byte size][....][data]

The specified size parameter is then used as the size argument of the memory allocation routine _rm32.rm_getMem(). Because a validation check is missing, values between 0xFFFFFFF8 and 0xFFFFFFFF cause an integer overflow, and an undersized heap buffer is allocated:

    10004A57 mov eax, [ebp+arg_0] ; specified size
    10004A5A add eax, 8 ; integer overflow
    10004A5D push eax
    10004A5E call ds:__imp__malloc

The original packet data is then written into the undersized buffer, as shown in _ncp32._NtrpTCPReceiveMsg():

    002F2E77 mov eax, [ebp+received_length]
    002F2E7A push eax ; size_t
    002F2E7B mov ecx, [ebp+received_data]
    002F2E7E push ecx ; src
    002F2E7F mov edx, [ebp+allocated_buffer]
    002F2E82 mov eax, [edx]
    002F2E84 push eax ; dst
    002F2E85 call _memcpy

An attacker can exploit this vulnerability to overwrite a specified DWORD in memory, leading to arbitrary code execution.

HP OpenView Storage Data Protector 6.0
HP OpenView Storage Data Protector 5.5

Vendor patch:
HP -- HP has released a security bulletin (HPSBMA02252) and corresponding patches:
HPSBMA02252: SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution
Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817&printver=true
id: SSV:15115
last seen: 2017-11-19
modified: 2009-12-20
published: 2009-12-20
reporter: Root
title: HP OpenView Storage Data Protector rds.exe service heap overflow vulnerability
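
The size + 8 wraparound from the Seebug description, next to the range check whose absence it describes. This is an added example, not code from HP, Tenable or Seebug. The function names, the MAX_MSG_SIZE limit and the placement of the 8 extra bytes at the front of the buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_OVERHEAD 8u            /* the constant from "add eax, 8" */
#define MAX_MSG_SIZE (1u << 20)    /* assumed policy limit, not from the page */

/* Unchecked pattern: a 32-bit addition wraps modulo 2^32, so a declared
 * size in 0xFFFFFFF8..0xFFFFFFFF yields an allocation of 0..7 bytes. */
uint32_t wrapped_alloc_size(uint32_t declared)
{
    return (uint32_t)(declared + HDR_OVERHEAD);
}

/* Checked pattern: returns 0 with *out set, or -1 if the size is rejected. */
int checked_alloc_size(uint32_t declared, uint32_t *out)
{
    if (declared > UINT32_MAX - HDR_OVERHEAD)   /* addition would wrap */
        return -1;
    if (declared > MAX_MSG_SIZE)                /* implausible for one message */
        return -1;
    *out = declared + HDR_OVERHEAD;
    return 0;
}

/* Hardened receive step (hypothetical helper): allocate from the validated
 * size and refuse to copy more bytes than the peer declared. Returns a
 * buffer the caller frees, or NULL when the message is rejected. */
uint8_t *store_message(uint32_t declared, const uint8_t *data, size_t received)
{
    uint32_t alloc;
    uint8_t *buf;

    if (checked_alloc_size(declared, &alloc) != 0)
        return NULL;
    if (received > declared)        /* copy length must fit the allocation */
        return NULL;
    buf = calloc(1, alloc);
    if (buf == NULL)
        return NULL;
    memcpy(buf + HDR_OVERHEAD, data, received);
    return buf;
}

int main(void)
{
    /* Constructed boundary values around the range named in the description. */
    const uint32_t samples[] = { 16u, 0xFFFFFFF7u, 0xFFFFFFF8u, 0xFFFFFFFFu };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t ok_size = 0;
        int rc = checked_alloc_size(samples[i], &ok_size);
        printf("declared=0x%08lX unchecked_alloc=%lu checked=%s\n",
               (unsigned long)samples[i],
               (unsigned long)wrapped_alloc_size(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```
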