#######################################################################

                             Luigi Auriemma

Application:  HP OpenView Communication Broker
              http://www8.hp.com/us/en/software/enterprise-software.html
Versions:     ovbbccb.exe <= 11.0.43.0
Platforms:    Windows, Linux, Solaris, HP-UX, AIX
Bug:          arbitrary file deletion
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 01 Jun 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

HP Communication Broker is the component used by various HP enterprise
products such as Performance Manager, Operations Manager and others.

#######################################################################

======
2) Bug
======

ovbbccb.exe is a SYSTEM service listening on port 383.

The "Register" command is used to tell ovbbccb.exe on which port a
particular service (for example the Coda one) is located, plus some
other information about it, so that the broker can use it as an
external servlet.

This information is not passed directly in the HTTP request: it is
read from a local file whose full path is supplied by the client, with
no restriction on where that path may point. After parsing the
information contained in this file the service deletes it through
OvXpl.dll (File_t::Delete, which ends in MSVCR80.remove):

  00431C42   C645 FC 17      MOV BYTE PTR SS:[EBP-4],17
  00431C46   8D4D CC         LEA ECX,DWORD PTR SS:[EBP-34]
  00431C49   FF15 18064400   CALL DWORD PTR DS:[<&OvXpl.?Delete@File_>  ; OvXpl.?Delete@File_t@OvXplIo@@QBE_NXZ

The result is that an attacker can delete any file on the server, or
on other hosts reachable from it via UNC paths like
"\\server\file.ini", with SYSTEM privileges.
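The following is an added example (Python, written for this page; it is
neither HP code nor the advisory's PoC) that puts the flawed pattern next
to a hardened handler. The key=value descriptor format, the spool
directory, the "coda.reg" name and the constructed sample files are all
assumptions: the advisory documents only that the file path comes from
the client and that the file is removed after parsing, not the real
Register payload.

```python
import os
import re
import tempfile

# Only a bare file name is accepted from the client; separators, UNC
# prefixes, drive letters and traversal all fail this check.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def parse_descriptor(data: bytes) -> dict:
    """Toy key=value parser. The real descriptor format used by the
    Register command is not documented in the advisory; this is a
    stand-in (assumption)."""
    info = {}
    for line in data.decode("utf-8", "replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    return info


def register_vulnerable(client_path: str) -> dict:
    """Mirrors the flawed pattern: open whatever path the client named,
    parse it, then remove() it, all with the service's own privileges.
    Any path the process can reach (including UNC shares) is fair game."""
    with open(client_path, "rb") as f:
        info = parse_descriptor(f.read())
    os.remove(client_path)
    return info


def safe_descriptor_path(spool_dir: str, client_name: str):
    """Map a client-supplied name into spool_dir, or return None.

    Two independent layers: the name must be a plain file name (no
    separators or drive/UNC prefixes, so traversal cannot be expressed),
    and the resolved path must still have spool_dir as its parent after
    symlinks are followed (so a link planted inside the spool cannot
    redirect the service elsewhere)."""
    if not _NAME_RE.match(client_name) or client_name in (".", ".."):
        return None
    spool = os.path.realpath(spool_dir)
    candidate = os.path.realpath(os.path.join(spool, client_name))
    if os.path.dirname(candidate) != spool:
        return None
    return candidate


def register_hardened(spool_dir: str, client_name: str):
    """Read the descriptor only from the service's own spool directory and
    never delete anything on the client's say-so; clean-up of the spool
    belongs to the service, on its own schedule."""
    path = safe_descriptor_path(spool_dir, client_name)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return parse_descriptor(f.read())


def demo() -> dict:
    """Constructed scenario: one descriptor inside the spool and one
    'sensitive' file outside it. The hardened handler refuses every
    escape route; the vulnerable one deletes the outside file."""
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "spool")
    os.mkdir(spool)
    with open(os.path.join(spool, "coda.reg"), "wb") as f:
        f.write(b"name=coda\nport=12345\n")   # constructed values
    sensitive = os.path.join(root, "sensitive_file.ini")
    with open(sensitive, "wb") as f:
        f.write(b"[secret]\nkey=value\n")    # constructed content

    out = {
        "traversal_refused": safe_descriptor_path(spool, "../sensitive_file.ini") is None,
        "unc_refused": safe_descriptor_path(spool, r"\\server\file.ini") is None,
        "absolute_refused": safe_descriptor_path(spool, sensitive) is None,
        "hardened_info": register_hardened(spool, "coda.reg"),
    }
    out["survives_hardened"] = os.path.exists(sensitive)
    register_vulnerable(sensitive)            # same request, flawed handler
    out["survives_vulnerable"] = os.path.exists(sensitive)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the outcome of each check. The two layers in
safe_descriptor_path are deliberately independent: the regex stops the
client from even spelling a path outside the spool, and the realpath
comparison catches a symlink whose name passes the regex but whose
target does not.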
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ovbbccb_1.dat

  nc SERVER 383 < ovbbccb_1.dat

Sent as-is, it makes the service delete the file
C:\path\sensitive_file.ini on the server.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################