TippingPoint Digital Vaccine Laboratories

Contact Us

HP OpenView Multiple Product Shared Trace Service Stack Overflow Vulnerabilities

TPTI-07-14: August 14th, 2007

CVE ID

CVE-2007-1676

Affected Vendors

Hewlett-Packard

Affected Products

HP OpenView Internet Service
HP OpenView Performance Manager
HP OpenView Performance Agent
HP OpenView Reporter
HP OpenView Operations
HP OpenView Operations Manager for Windows
HP OpenView Service Quality Manager
HP OpenView Network Node Manager
HP OpenView Business Process Insight and Related Products
HP OpenView Dashboard
HP OpenView Performance Insight

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4787. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

Vulnerability Details

These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of multiple Hewlett-Packard (HP) OpenView products, including: Performance Manager, Performance Agent, Reporter, Operations, Operations Manager, Service Quality Manager, Network Node Manager, Business Process Insight, Dashboard and Performance Insight. Authentication is not required to exploit these vulnerabilities.



The specific flaws exists within the OpenView Shared Trace Service. A service that is distributed with multiple products as ovtrcsvc.exe and OVTrace.exe. The vulnerable service may be found bound to TCP port 5053 (ovtrcsvc.exe) or TCP port 5051 (OVTrace.exe). Specially crafted data through opcode handlers 0x1a and 0x0f can result in arbitrary code execution under the context of the SYSTEM user.

Vendor Response

Hewlett-Packard states:

Hewlett-Packard has issued updates to correct this vulnerability. More details can be found at:

• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01106515
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109171
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109584
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109617
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110576
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110627
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01111851
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01112038
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114023
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114156
  
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01115068
  

Disclosure Timeline

2006-10-10 - Vulnerability reported to vendor
2007-08-14 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Cody Pierce, TippingPoint DVLabs
Pedram Amini, TippingPoint DVLabs
Aaron Portnoy, TippingPoint DVLabs

Published Advisories

TPTI-10-02: Microsoft

• published 2010-02-09

TPTI-10-01: Hewlett-Packard

• published 2010-01-21

TPTI-09-15: Hewlett-Packard

• published 2009-12-17

TPTI-09-13: Hewlett-Packard

• published 2009-12-09

TPTI-09-12: Hewlett-Packard

• published 2009-12-09

Upcoming Advisories

RealNetworks

• reported 2010-02-26

Sophos

• reported 2009-04-01

Oracle

• reported 2009-03-13

Blog Entries

MOBOTS: WeatherFist Exposed

• 2010-03-10 by Daniel Tijerina
• (0 Comments)

RSA Conference 2010 Talks

• 2010-02-23 by Jason Avery
• (0 Comments)

Pwn2Own 2010

• 2010-02-15 by Aaron Portnoy
• (23 Comments)

Mostrame la Guita!

• 2009-10-29 by Pedram Amini
• (4 Comments)

Ekoparty Wrap Up

• 2009-09-21 by Pedram Amini
• (6 Comments)