Multiple vulnerabilities have been reported in HP OpenView Network Node Manager, which can be exploited by malicious people to compromise a vulnerable system.

1) A boundary error within the "execvp_nc()" function in ov.dll when copying strings from an HTTP request using the "strcat_new()" function can be exploited to cause a buffer overflow by passing an overly long string to e.g. webappmon.exe.

2) An input validation error in jovgraph.exe when processing the "displayWidth" option can be exploited to inject shell commands via a specially crafted web request.

3) A boundary error in ovutil.dll when processing the "stringToSeconds" value can be exploited to cause a buffer overflow via a specially crafted web request.

4) A boundary error in ovas.exe when processing the "Source Node" and "Destination Node" POST parameters can be exploited to cause a stack-based buffer overflow via specially crafted data sent to e.g. TCP port 7510.

5) A boundary error in ovutil.dll when processing the "COOKIE" GET parameter can be exploited to cause a stack-based buffer overflow via a specially crafted web request.

6) A boundary error in nnmRptConfig.exe when processing the "data_select1" POST parameter can be exploited to cause a buffer overflow via a specially crafted web request.

7) A boundary error in nnmRptConfig.exe when processing the "nameParams" POST parameter can be exploited to cause a buffer overflow via a specially crafted web request.

8) A boundary error in nnmRptConfig.exe when processing the "schdParams" POST parameter can be exploited to cause a buffer overflow via a specially crafted web request.

9) A boundary error in nnmRptConfig.exe when processing the "text1" POST parameter can be exploited to cause a buffer overflow via a specially crafted web request.

10) A boundary error in nnmRptConfig.exe when processing the "schd_select1" POST parameter can be exploited to cause a buffer overflow via a specially crafted web request.

11) A format string error in nnmRptConfig.exe when creating an error message can be exploited to corrupt memory via a web request containing a specially crafted template name.

12) An input validation error in unspecified CGI scripts when processing certain parameters can be exploited to inject shell commands via a specially crafted web request.

The vulnerabilities are reported in version 7.51 and 7.53 running on HP-UX, Linux, Solaris, and Windows.

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
1) Sebastien Renaud, Vupen.
1,2,3) An anonymous person, reported via ZDI.
4,5) SilentSignal, reported via ZDI.
6,7,8,9,10,11) Aniway, reported via ZDI.
12) An anonymous person, reported via iDefense.

Changelog
Further details available in Customer Area

Original Advisory
HPSBMA02557 SSRT100025:
http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286088

HPSBMA02621 SSRT100352:
https://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02670501

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-137/
http://www.zerodayinitiative.com/advisories/ZDI-11-003/
http://www.zerodayinitiative.com/advisories/ZDI-11-004/
http://www.zerodayinitiative.com/advisories/ZDI-11-005/
http://www.zerodayinitiative.com/advisories/ZDI-11-006/
http://www.zerodayinitiative.com/advisories/ZDI-11-007/
http://www.zerodayinitiative.com/advisories/ZDI-11-008/
http://www.zerodayinitiative.com/advisories/ZDI-11-009/
http://www.zerodayinitiative.com/advisories/ZDI-11-010/
http://www.zerodayinitiative.com/advisories/ZDI-11-011/
http://www.zerodayinitiative.com/advisories/ZDI-11-012/

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=887

Deep Links
Links available in Customer Area