CVE-2009-0714
Published 2009-05-14
Priority P345 · Severity high · CVSS 2.0 base score 7.2
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C (note: the vector scores the access vector as local, whereas the description and the public PoC describe an unauthenticated attack over the network against TCP/3817; score the exposure of that port accordingly)
Exploit: public (see the Exploit-DB entries below)
EPSS: 51.61% (98.8th percentile)
Unspecified vulnerability in the dpwinsup module (dpwinsup.dll) for dpwingad (dpwingad.exe) in HP Data Protector Express and Express SSE 3.x before build 47065, and Express and Express SSE 4.x before build 46537, allows remote attackers to cause a denial of service (application crash) or read portions of memory via one or more crafted packets.
Affected
2 ranges (from the description)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | data_protector_express (Express and Express SSE) | 3.x before build 47065 | build 47065 |
| hp | data_protector_express (Express and Express SSE) | 4.x before build 46537 | build 46537 |
Detection & IOCs (extracted from the sources listed below)
- Monitor TCP connections to port 3817, the dpwingad listener. The public PoC sends a 16-byte header, \x54\x84\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x92\x00\x00\x00, followed by a large payload; client traffic matching that pattern is indicative of exploitation attempts.
- The bug is an unchecked index in dpwinsup.dll: the function at dpwinsup.10275F80 loads user-controlled data from ESP+54 into ECX, computes EDX = ECX + EAX*4 and then reads a DWORD from 0x1022A4F0 + EDX*4. An attacker-chosen value therefore yields either an out-of-bounds read (memory disclosure in the response) or an access violation (crash). Look for unexpected crashes of dpwingad.exe and for memory-disclosure responses on port 3817.
- The PoC appends 130 bytes of padding ('A'*130) to the 16-byte header, giving a 146-byte message; note that the header's last little-endian DWORD is 0x92 = 146. Network signatures should match the header on TCP/3817 connections to dpwingad; matching the 'A' padding as well catches the unmodified PoC but not trivially altered variants.
- Affected: HP Data Protector Express/Express SSE 3.x before build 47065 and 4.x before build 46537 (Windows only); the PoC was tested against build 43064.
- The Metasploit module starts the memory leak at the PEB address 0x7ffdf000 by default; if the supplied MEMORY option resolves to zero it falls back to that default.
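As an added illustration (not code from the page's sources, the PoC or the Metasploit module), the following Python matches the IOCs above against client-to-server TCP payloads. It assumes only what the list states: the dpwingad listener on TCP/3817, the PoC's 16-byte header and its 130-byte 'A' padding. The DWORD field names in parse_header, the verdict strings and the sample flows are constructed for the example; the sources do not document what dpwingad calls the header fields.

```python
import struct

# From the IOCs above: dpwingad listener port and the PoC's fixed 16-byte header.
DPWINGAD_PORT = 3817
POC_HEADER = b"\x54\x84\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x92\x00\x00\x00"
POC_PADDING = b"A" * 130          # the PoC's padding after the header


def parse_header(payload):
    """Split the first 16 bytes into four little-endian DWORDs.

    The names are labels chosen for this example (assumption, not protocol
    documentation). The last DWORD of the PoC header is 0x92 = 146, which is
    exactly 16 + 130, so it is reported as 'declared_len' and compared with the
    real payload length; a mismatch is a cheap hint that a probe was altered.
    """
    if len(payload) < 16:
        return None
    w0, w1, w2, w3 = struct.unpack("<4I", payload[:16])
    return {"w0": w0, "w1": w1, "w2": w2, "declared_len": w3,
            "len_matches": w3 == len(payload)}


def classify(dst_port, payload):
    """Verdict for one client->server payload (verdict strings are ours)."""
    if dst_port != DPWINGAD_PORT:
        return "ignore"                      # not dpwingad traffic at all
    if parse_header(payload) is None or not payload.startswith(POC_HEADER):
        return "no_match"                    # other traffic to the listener
    body = payload[16:]
    if body == POC_PADDING:
        return "exploitdb_poc"               # byte-for-byte the public PoC
    if len(body) >= 64:
        return "header_match_large_payload"  # same header, different padding
    return "header_match"                    # header alone, short message


def scan(flows):
    """flows: iterable of (src, dst_port, payload). Returns alert tuples."""
    alerts = []
    for src, dst_port, payload in flows:
        verdict = classify(dst_port, payload)
        if verdict not in ("ignore", "no_match"):
            alerts.append((src, verdict, parse_header(payload)["len_matches"]))
    return alerts


# Constructed sample traffic for the example (not captured data).
SAMPLE_FLOWS = [
    ("10.0.0.5", 3817, POC_HEADER + POC_PADDING),             # unmodified PoC
    ("10.0.0.6", 3817, b"\x01\x00\x00\x00" * 4 + b"hello"),   # unrelated request
    ("10.0.0.7", 445, POC_HEADER + POC_PADDING),              # wrong port
    ("10.0.0.8", 3817, POC_HEADER + b"B" * 300),              # altered padding
    ("10.0.0.9", 3817, POC_HEADER),                           # header only
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The same header match expressed for Suricata/Snort is `content:"|54 84 00 00 00 00 00 00 06 00 00 00 92 00 00 00|"; depth:16;` on a `tcp any any -> any 3817` rule; the length comparison in parse_header has no direct keyword equivalent and is the reason to keep a scripted check beside the signature.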
No detection rules found.
Exploit-DB · 2009-06-23
HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Denial of Service (CVE-2009-0714)
---
#!/usr/bin/env python
#PoC: memory disclosure / denial of service
#HP Data Protector 4.00-SP1 build 43064
#Tested on the Windows version only
'''
Buggy code in the dpwinsup module of the dpwingad process (listening on 3817/TCP), function dpwinsup.10275F80:
100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754]
100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598]
100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data
100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset
100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak
100DDEA3 83C4 1C ADD ESP,1C
100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
'''
import socket
import sys
import struct
import time
import ge
Exploit-DB · 2009-06-23 · CVSS 7.2 [HIGH]
HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Denial of Service (Metasploit) (CVE-2009-0714)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The parent class and the initialize/update_info wrapper below are restored
# from the standard Metasploit 3 module layout; the page's copy drops the text
# between "Metasploit3" and the module name, and is cut off after the first
# reference.
class Metasploit3 < Msf::Auxiliary

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP Data Protector 4.00-SP1 Build 43064 Memory leak and DoS',
      'Description' => %q{
          HP Data Protector is prone to a memory leak vulnerability. The same
          vector of exploitation can be used for denial of service attack if
          an invalid memory address is accessed.
      },
      'Author'      => [ 'Nibin' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: ???? $',
      'References'  =>
        [
          [ 'URL', 'http://ivizsecurity.com/security-advisor
No writeups or analysis indexed.
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01697543
- http://ivizsecurity.com/security-advisory-iviz-sr-09002.html
- http://secunia.com/advisories/35084
- http://www.securityfocus.com/bid/34955
- http://www.securitytracker.com/id?1022220
- http://www.vupen.com/english/advisories/2009/1309
- https://www.exploit-db.com/exploits/9006
- https://www.exploit-db.com/exploits/9007