From erik.parker@digitaldefense.net Fri Apr 4 05:12:38 2003 From: Erik Parker To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Date: Mon, 31 Mar 2003 13:20:46 -0600 (CST) Subject: [VulnWatch] [DDI-1012] Malformed request causes denial of service in HP Instant TopTools -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ---------------------------------------------------------------------------- Digital Defense Inc. Security Advisory DDI-1012 labs@digitaldefense.net http://www.digitaldefense.net/ - ---------------------------------------------------------------------------- Synopsis : Malformed request causes denial of service in HP Instant TopTools Package : HP Instant TopTools Type : Denial of service Issue date : 03-31-2003 Versions Affected : < 5.55 CVE Id : CAN-2003-0169 - ---------------------------------------------------------------------------- o Product description: HP Instant TopTools is an easy to install software application that enables you to remotely view a NetServers' current state and easily access NetServer information to assist in troubleshooting. Currently supported on all IPMI NetServers running Microsoft NT/2000. o Problem description: When the Instant TopTools software is installed, you can easily cause a denial of service that effectively brings the entire system to a halt. When you request a file from the GoAhead-Webs webserver running on tcp port 280, you will notice it doesn't directly serve any files. Most files are requested by a middle-man application called hpnst.exe. For instance, if you want to get SrvSystemInfo.html, you request this: /cgi-bin/hpnst.exe?c=p+i=SrvSystemInfo.html You can easily cause a denial of service against the host by having hpnst.exe request itself. If you request this 30-40 times, the system will become extremely unstable. The application will continue to loop and call itself even once your request has timed out. The only way to fix the loop is to kill hpnst.exe in your task manager, or reboot. It is possible to kill the process if only a single request has been made. However, the system is not usable after several have been made. The exact amount of requests needed would greatly depend on the individual system's profile. The actual requested resource was: /cgi-bin/hpnst.exe?c=p+i=hpnst.exe The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0169 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. o Testing Environment: These tests were done against an HP NetServer LP 1000r.The underlying operating system on the host was Windows 2000 Build 2195, SP3. Instant TopTools version 5.04 build 4. o Solutions and Workarounds: Upgrading to the current version of HP TopTools is the best method for fixing this vulnerability. You can get version 5.55 for Windows Server 2003, Windows 2000, and Windows NT4 from: http://h20004.www2.hp.com/soar_rnotes/bsdmatrix/matrix50459en_US.html#Utility%20-%20HP%20Instant%20Toptools As a temporary workaround, disabling the HP TopTools software on each host would be an effective method of bypassing this threat. If this service is available to the Internet, it is highly recommended that you filter tcp port 280 inbound to this host, not only to protect against this vulnerability, but also due to the designed capabilities of this software. o Revision History: 03-31-2003 Initial public release o Vendor Contact Information: 02-17-2003 security-alert@hp.com notified 02-18-2003 Response from HP SOFTWARE SECURITY RESPONSE TEAM 03-27-2003 Vendor notified Digital Defense that a fix is available 03-28-2003 Vendor and DDI confirm information, and plan release 03-31-2003 Initial public release o Thanks to: HP Software Security Response Team for quick responses and professional handling of this matter. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+hLyFjB+XO4ZKjSARAkUUAKCL//8oI8okp9WVqcGmBUj4BLysKACfXpBv FdK1x9n+BYEa6eLUsvW+l8E= =TyyI -----END PGP SIGNATURE-----