Vulnerability

OpenView NNM (Java SNMP MIB Browser Object ID)

Affected

HP9000 Series 700/800 running HP-UX releases 10.XX and 11.XX, Sun Microsystems SOLARIS releases 2.X, plus Win NT4.X/Win2000 running NNM 6.1, NNM 5.01, and NNM 4.11.

Description

The following is based on Delphis Consulting Security Team advisory DST2K0014.

The OpenView5 CGI interface, which is shipped and installed by default with HP OpenView Network Node Manager, can be used to cause a buffer overrun in SNMP.EXE. This is done by connecting to port 80, where the WWW service resides by default, and sending a large GET string. The string has to be 132 bytes long, followed by 4 bytes for EIP, making a total of 136 bytes. This overruns the buffer in the above application and overwrites EIP.

Example:

http://127.0.0.1/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=A0B0C0D0E0F0G0H0I0J0K0L0M0N0O0P0Q0R0S0T0U0V0W0X0Y0a0b0c0d0e0f0g0h0i0j0k0l0m0n0o0p0q0r0s0t0u0v0w0x0y0A1B1C1D1E1F1G1H1I1J1K1L1M1N1O1P1ZZZZ

Solution

Apply the appropriate patch listed below:

    Platform         Patch
    HP-UX 11.00      PHSS_22407
    HP-UX 10.X       PHSS_22406
    SOLARIS 2.X      PSOV_02830
    WinNT4.X/2000    NNM_00621
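A log check for the request described in this advisory, added here as an example that is not part of the advisory or of any HP tooling: it flags requests to the OpenView5.exe CGI whose Oid value reaches the 132-byte limit given in the description. The Common Log Format layout, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# From the advisory: 132 bytes fill the buffer, the next 4 overwrite EIP.
# Flagging at the limit (>=) rather than past it is a conservative choice.
OID_BUFFER_BYTES = 132
CGI_PATH = "/ovcgi/openview5.exe"
# Assumption: Common Log Format, request field like "GET /path?query HTTP/1.0".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)(?: HTTP/[\d.]+)?"')


def oversized_oid(log_line):
    """Return the decoded Oid size in bytes if the line is a request to the
    NNM CGI with an Oid value of 132 bytes or more, otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if unquote(url.path).lower() != CGI_PATH:
        return None
    # latin-1 maps every percent-decoded byte to one character, so len()
    # is the byte count the CGI would receive.
    query = parse_qs(url.query, keep_blank_values=True, encoding="latin-1")
    params = {k.lower(): v for k, v in query.items()}
    longest = max((len(v) for v in params.get("oid", [])), default=0)
    return longest if longest >= OID_BUFFER_BYTES else None


def scan(lines):
    """Return (line_number, oid_size) for every flagged line."""
    return [(n, size) for n, line in enumerate(lines, 1)
            if (size := oversized_oid(line)) is not None]


PREFIX = '- - [01/Jan/2001:10:00:00 +0000] "GET '
SAMPLE_LOG = [  # constructed lines, not captured traffic
    '192.0.2.10 ' + PREFIX + '/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp'
    '&Host=&Oid=.1.3.6.1.2.1.1.1.0 HTTP/1.0" 200 512',
    '192.0.2.66 ' + PREFIX + '/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp'
    '&Host=&Oid=' + "A" * 136 + ' HTTP/1.0" 500 0',
    '192.0.2.10 ' + PREFIX + '/index.html?Oid=' + "B" * 200 + ' HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for n, size in scan(SAMPLE_LOG):
        print(f"line {n}: Oid is {size} bytes (buffer is {OID_BUFFER_BYTES})")
```

The same threshold can be enforced in front of an unpatched server by rejecting any request to this CGI whose Oid parameter is 132 bytes or longer.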