Plugin Spotlight: HP DDMI Remote System Access
Traditional buffer overflow vulnerabilities require specific conditions to be met on the system, payload to be written for the target platform and an exploit smart enough to get around system execution protections in memory. Some of the most dangerous exploits rely on vulnerabilities that can be triggered in a varying number of conditions and circumstances. A far more reliable approach is to take over a process or manipulate a protocol to gain access to the system that does not require that a buffer overflow vulnerability be present.
This brings us to the HP Discovery & Dependency Mapping Inventory (DDMI) agent, which runs on a variety of platforms, including Windows and Linux, to provide central inventory management. HP's DDMI agent contains a flaw that allows an attacker to connect to it without credentials and manage the agent. The agent fails to check for a valid SSL certificate from managing DDMI servers, which means anyone can pretend to be the server and control the agent, providing the ability to:
- Disclose sensitive information about installed software
- Read the contents of arbitrary files
- Launch arbitrary processes with SYSTEM privileges
The last item clearly presents the most risk as it gives control of the system to anyone on the network that can pretend to be a DDMI server. The agents accept commands via Simple Object Access Protocol (SOAP); example requests are included in the plugin output:
|NOTE: You must also go into the "Advanced" tab in the Nessus client, under "Global variable settings" and click on the "Enable CGI scanning" checkbox in order for this plugin to execute.|
Nessus will create the appropriate SOAP request, and if "Safe Checks" are disabled, run a command on the remote host. On Windows, Nessus will run the "ipconfig" command, and on Linux systems, the "id" command will be run. The nature of the vulnerability makes it difficult to return the output of the command, so it is saved as a file on the target system:
If "Safe Checks" is enabled, Nessus will download a file from the target system.
HP has given this a CVSS score of 4.0, however Nessus ranks this vulnerability with a CVSS score of 10.0, a much more critical ranking. The reason is that this could present serious risk, especially for an organization that has this widely deployed to several thousand desktops. A fix is available from HP, patch number HPED_00306 (for DDMI version 7.5x) / HPED_00304 (for version 2.5x) so be certain to patch your systems.