nv-l
[Top] [All Lists]

Execute command with actionsvr

To: nv-l@lists.tivoli.com
Subject: Execute command with actionsvr
From: "Davis, Donald" <donald.davis@firstcitizens.com>
Date: Thu, 16 Aug 2001 12:33:47 -0400
James,
I successfully just executed a command with actionsvr from a trap.
Here's how I did it:

Ruleset Name = CMD.rs
------------------------
Event Stream = Block
Trap = hpux - Cold Start
Action = $NVATTR_1
------------------------
ovstop/ovstart actionsvr
------------------------
snmptrap <NVserver> .1.3.6.1.4.1.11.2.3.2 <NVserver> 0 0 0
.1.3.6.1.4.1.11.2.3.2.0 octetstringasci "/usr/bin/X11/xclock -display
1.2.3.4:0"
-----------------------------------------
This popped a clock on my PC workstation. I assume it would work just as
well for shutdown -F. I didn't try that!
Of course any trap would have worked, I just happened to pick hpux. 

Don Davis




-----Original Message-----
From: James Shanks [mailto:SHANKS@us.tivoli.com]
Sent: Thursday, August 16, 2001 10:06 AM
To: IBM NetView Discussion
Subject: Re: [NV-L] RE: CERT Advisory CA-2001-24


Don -

I have a comment here and perhaps you can help.  You said
"2. There is an additional security exposure that was not mentioned.
NetView's actionsvr daemon could also be configured to execute a trap
variable. Example, coding $NVATTR_1 to be executed in an "Action" or
"Inline
Action" in a ruleset."

Well, the fix does address the alleged hole as there is a new nvcorrd and a
new actionsvr in the fix as well.
BUT -- we could not produce a failure in the way you described, though we
tried for a long time.
If you, or anyone else can produce the same failure in nvcorrd and
actionsvr before the fix is applied, or with the
new environment variable, AdditionalLegalTrapCharacters=disable, so that
the code works the way it used to,
I am very interested in seeing how you did it.  Development put the code
changes into actionsvr and nvcorrd because
the IBM security folks all but demanded it, "just to be safe", they said,
but in truth, we have never seen the problem demonstrated
using a ruleset.  The problem, so far as we could see, was in the ovactiond
code we got from HP so many years ago.


James Shanks
Level 3 Support
Tivoli NetView for UNIX and NT



"Davis, Donald" <donald.davis@firstcitizens.com>@tkg.com on 08/16/2001
09:45:21 AM

Please respond to IBM NetView Discussion <nv-l@tkg.com>

Sent by:  owner-nv-l@tkg.com


To:   "Walley, Mike" <mike.walley@firstcitizens.com>, "Gallagher, Bob"
      <bob.gallagher@firstcitizens.com>
cc:   "'NV-l@tkg.com'" <NV-l@tkg.com>
Subject:  [NV-L] RE: CERT Advisory CA-2001-24



Mike,

Discussion:
NetView receives SNMP traps from any agent that has configured the NetView
server as its trap destination.
These traps can be sent by any node on our internal network. The firewall
does not permit any traffic on port 162 to pass through from the Internet.
NetView processes these traps, displays the variables sent with the trap in
the Event display and takes additional (automation) actions if configured
to
do so.

There are a couple of ways that this could become a security exposure:
1. Configuring an SNMP trap variable as the "Command for Automatic Action"
in trapd.conf would cause NetView's ovactiond daemon to execute the SNMP
trap variable that was sent. Example coding "$1" as the "Command for
Automatic Action".

2. There is an additional security exposure that was not mentioned.
NetView's actionsvr daemon could also be configured to execute a trap
variable. Example, coding $NVATTR_1 to be executed in an "Action" or
"Inline
Action" in a ruleset.

These configurations are NOT something that a NetView administrator would
do
by accident. This would have to be an intentional act, done solely for the
purpose of executing a command from a trap message. I consider this
"hacking" and certainly not a good practice to implement in a production
environment.

The APAR from Tivoli (IY21527) escapes any non alpha-numeric characters in
the trap variables.
This is not an exposure for us and therefore, I do not plan to install this
fix.


Don Davis

-----Original Message-----
From: Walley, Mike
Sent: Thursday, August 16, 2001 8:40 AM
To: Gallagher, Bob; Davis, Donald
Subject: FW: CERT Advisory CA-2001-24


Bob & Don,

Are we open to this exposure and if so what steps do you plan to correct
the
issue?

Thanks,
Mike

-----Original Message-----
From: Davis, Johnson A
Sent: Thursday, August 16, 2001 8:13 AM
To: Walley, Mike
Subject: FW: CERT Advisory CA-2001-24



FYI, Johnson

-----Original Message-----
From: tasante [mailto:tasante@cisco.com]
Sent: Wednesday, August 15, 2001 7:01 PM
To: Robert G. Gallagher (E-mail)
Cc: Ernie Nieradka (E-mail); Johnson Davis (E-mail)
Subject: CERT Advisory CA-2001-24


Bob,
-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-24 Vulnerability in OpenView and NetView

   Original release date: August 15, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Systems running HP OpenView Network Node Manager (NNM) Version 6.1
     on the following platforms:

     * HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)
     * Sun Microsystems Solaris releases 2.x
     * Microsoft Windows NT4.x / Windows 2000

   * Systems running Tivoli NetView Versions 5.x and 6.x on the following
     platforms:

     * IBM AIX
     * Sun Microsystems Solaris
     * Compaq Tru64 Unix
     * Microsoft Windows NT4.x / Windows 2000

Overview

   ovactiond is a component of OpenView by Hewlett-Packard Company (HP)
   and NetView by Tivoli, an IBM Company (Tivoli). These products are
   used to manage large systems and networks. There is a serious
   vulnerability in ovactiond that allows intruders to execute arbitrary
   commands with elevated privileges. This may subsequently lead to an
   intruder gaining administrative control of a vulnerable machine.

I. Description

   ovactiond is the SNMP trap and event handler for both OpenView and
   NetView. There is a vulnerability in ovactiond that allows an intruder
   to execute arbitrary commands by sending a malicious message to the
   management server. These commands run with the privileges of the
   ovactiond process, which varies according to the operating system.

   OpenView version 6.1 is vulnerable in the default configuration.
   Versions prior to 6.1 are not vulnerable in the default configuration,
   but there are public reports that versions prior to 6.1 may be
   vulnerable if users have made customizations to the trapd.conf file.

   On June 21, 2001, HP released a security bulletin (HP SB #154) and a
   patch for this vulnerability in OpenView version 6.1. For more
   information, see

http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?d

ocId=200000055277985
http://www.kb.cert.org/vuls/id/952171

   Tivoli NetView versions 5.x and 6.x are not vulnerable with the
   default configuration. It is, however, likely that customized
   configurations are vulnerable. This security vulnerability only exists
   if an authorized user configures additional event actions and
   specifies potentially destructive varbinds (those of type string or
   opaque). Tivoli has developed a patch for versions 5.x and 6.x. The
   patch addresses the vulnerability in ovactiond, as well as taking
   preventative measures on other components specific to NetView.

   Tivoli has published information on this vulnerability at

          http://www.tivoli.com/support/

II. Impact

   An intruder can execute arbitrary commands with the privileges of the
   ovactiond process. On UNIX systems, ovactiond typically runs as user
   bin; on Windows systems it typically runs in the Local System security
   context. On Windows NT systems, this allows an intruder to gain
   administrative control of the underlying operating system. On UNIX
   systems, an intruder may be able to leverage bin access to gain root
   access.

   Additionally, systems running these products often have trust
   relationships with other network devices. An intruder who compromises
   these systems may be able to leverage this trust to compromise other
   devices on the network or to make changes to the network
   configuration.

III. Solution

Apply a patch

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. When vendors report new information to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.

Apple

   Mac OS X and Mac OS X Server do not have this vulnerability.

Computer Associates

   Computer Associates has completed a review of all Unicenter functions
   and processing related to SNMP traps as indicated by the advisory.
   Unicenter is not subject to the same vulnerabilities as demonstrated
   by the SNMP trap managers identified by CERT (i.e., OpenView and
   NetView). CA Unicenter does not formulate commands determined through
   trap data parsing. Unicenter implements this technology using
   different methods and thereby avoids this exposure. Computer
   Associates maintains strong relationships with these vendors and
   recommends that clients running any environments containing either of
   these products visit the website URLs specifically identified by the
   CERT Coordination Center.

FreeBSD

   FreeBSD does not use this code.

Fujitsu

   Regarding VU#952171, Fujitsu's UXP/V operating system is not affected
   because there's no implementation of any OpenView Technology in UXP/V.

Hewlett-Packard

   On June 21, 2001, HP released a security bulletin (HP SB #154) and a
   patch for this vulnerability in OpenView version 6.1. For more
   information, see

http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?d

ocId=200000055277985
http://www.kb.cert.org/vuls/id/952171

Microsoft

   NNM is a third-party application as far as our platform is concerned.
   We don't have any special relationship with it. HP would need to
   provide the patches.

Tivoli

   Tivoli acknowledges that certain user customizations to Tivoli NetView
   may lead to a potential security exposure. Please reference
   http://www.tivoli.com/support/ for further information and to obtain
   an e-fix which addresses the issue.

References

1.
http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?d

ocId=200000055277985
2. http://www.tivoli.com/support/
3. http://www.securityfocus.com/bid/2845
4. http://www.kb.cert.org/vuls/id/952171
     _________________________________________________________________

   The CERT Coordination Center thanks Milo G. van der Zee for notifying
   us about this problem, and Tivoli and Hewlett-Packard for other
   information used in the construction of this advisory.
     _________________________________________________________________

   Feedback on this document can be directed to the authors, Jason A.
   Rafail and Shawn Hernan.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-24.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
August 15, 2001:  Initial release


____________________________________________
Tony Asante

----------------------------------------------------------------------------
--

This electronic mail and any files transmitted with it are confidential and
are intended solely for the use of individual or entity to whom they are
addressed. If you are not the intended recipient or the person responsible
for delivering the electronic mail to the intended recipient, be advised
that you have received this electronic mail in error and that any use,
dissemination, forwarding, printing, or copying of this electronic mail is
strictly prohibited. If you have received this electronic mail in error,
please immediately notify the sender by return mail.

============================================================================
==


_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l


_________________________________________________________________________


<Prev in Thread] Current Thread [Next in Thread>
  • Execute command with actionsvr, Davis, Donald <=

Archive operated by Skills 1st Ltd

See also: The NetView Web