CVE-2011-0514
Published: 2011-01-20
Priority: P3 (42) · Severity: medium · CVSS 2.0 base score: 5.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: public exploit available
EPSS: 48.87% (98.7th percentile)
The RDS service (rds.exe) in HP Data Protector Manager 6.11 allows remote attackers to cause a denial of service (crash) via a packet with a large data size to TCP port 1530.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | data_protector_manager | — | — |
Detection & IOCs (extracted from sources)
Exploit packet bytes: `\x23\x8c\x29\xb6\x64\x00\x00\x00\x41\x41\x41\x41`
- Alert on TCP connections to port 1530 carrying a packet whose 4-byte size field (bytes 5–8) is set to 0x64000000 (1,677,721,600), indicating an oversized malloc request targeting rds.exe.
- The exploit packet always begins with the fixed 4-byte header \x23\x8c\x29\xb6; use this as a network signature anchor on TCP/1530 traffic to HP Data Protector RDS.
- Monitor rds.exe for abnormal termination or crash events; the crash is triggered when _rm32.dll's malloc() returns 0 due to an impossibly large allocation request passed from _ncp32.dll.
- Look for the error string 'rm_getMem: out of memory, allocating %u bytes. Called from %s' in process memory or crash dumps of rds.exe as evidence of an exploitation attempt.
- The exploit targets HP Data Protector Manager version 6.11 specifically; the RDS service listens on TCP/1530 by default and must be network-accessible for exploitation.
- The exploit was tested on Windows XP SP2 and SP3 only; behaviour on other OS versions is unconfirmed.
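The two network indicators above (fixed header, oversized size field) as a small classifier over TCP/1530 payloads. This is an added example, not code from the page or from any of the referenced exploits; the 16 MiB sanity cap on the size field is an assumed threshold, and the size field is read big-endian to match the 0x64000000 reading given above.

```python
import struct

# Signature values quoted in the Detection & IOCs section.
RDS_PORT = 1530
RDS_MAGIC = b"\x23\x8c\x29\xb6"        # fixed 4-byte header of the PoC packet
POC_SIZE = 0x64000000                  # the exact size value reported for the PoC
MAX_SANE_ALLOC = 16 * 1024 * 1024      # assumed cap; larger requests are treated as suspicious

# Constructed sample: the 12-byte PoC packet shown on this page.
SAMPLE_PACKET = b"\x23\x8c\x29\xb6\x64\x00\x00\x00\x41\x41\x41\x41"


def parse_rds_header(payload: bytes):
    """Return (magic, size) if the payload holds the 8-byte header, else None.
    Bytes 1-4 are the magic, bytes 5-8 the big-endian size field."""
    if len(payload) < 8:
        return None
    magic = payload[:4]
    (size,) = struct.unpack(">I", payload[4:8])
    return magic, size


def classify_rds_packet(dst_port: int, payload: bytes) -> str:
    """Classify one TCP payload: 'ok', 'oversized' (size above the assumed cap),
    or 'poc-signature' (magic plus the exact size value reported for the PoC)."""
    if dst_port != RDS_PORT:
        return "ok"
    hdr = parse_rds_header(payload)
    if hdr is None or hdr[0] != RDS_MAGIC:
        return "ok"
    size = hdr[1]
    if size == POC_SIZE:
        return "poc-signature"
    if size > MAX_SANE_ALLOC:
        return "oversized"
    return "ok"


def alerts_for(flows):
    """flows: iterable of (src, dst_port, payload). Returns alert strings for suspicious flows."""
    out = []
    for src, dst_port, payload in flows:
        verdict = classify_rds_packet(dst_port, payload)
        if verdict != "ok":
            out.append(f"{src} -> tcp/{dst_port}: {verdict}")
    return out


if __name__ == "__main__":
    # Constructed flows: one PoC packet, one benign 4-byte request, one unrelated port.
    flows = [("10.0.0.5", 1530, SAMPLE_PACKET),
             ("10.0.0.6", 1530, RDS_MAGIC + b"\x00\x00\x00\x04AAAA"),
             ("10.0.0.7", 22, SAMPLE_PACKET)]
    print("\n".join(alerts_for(flows)))
```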
No detection rules found.
Exploit-DB: HP Data Protector 6.20 - Multiple Vulnerabilities (CVE-2011-1865, MEDIUM; published 2011-06-29; CVSS 5.0)
---
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Multiple vulnerabilities in HP Data Protector
1. *Advisory Information*
Title: Multiple vulnerabilities in HP Data Protector
Advisory ID: CORE-2011-0514
Advisory URL: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
Date published: 2011-06-29
Date of last update: 2011-06-29
Vendors contacted: HP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Remote stack overflow [CWE-120], Null pointer dereference [CWE-476], Improper input validation [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1865, CVE-2011
Exploit-DB: HP Data Protector Manager 6.11 - RDS Service Remote Denial of Service (CVE-2011-0514; published 2011-01-08)
---
```perl
#!/usr/bin/perl
# ===============================
# HP Data Protector Manager v6.11
# ===============================
#
# Bug: Remote Denial of Service Vulnerabilities (RDS Service)
#
# Software: http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html
# Date: 08/01/2011
# Authors: Roi Mallo - rmallof[AT]gmail[DOT]com
# http://elotrolad0.blogspot.com/ - http://twitter.com/rmallof
# Pepelux - pepelux[AT]enye-sec[DOT]com
# http://www.enye-sec.org - http://www.pepelux.org - http://twitter.com/pepeluxx
#
# Vulnerable file: Program Files\OmniBack\rds.exe
#
# Tested on Windows XP SP2 && Windows XP SP3
#
#
# POC:
# _ncp32.dll is responsible for waiting for the packet (RECV)
# when a p
```
Metasploit: HP Data Protector Manager RDS DOS
This module causes a remote DOS on HP Data Protector's RDS service. By sending a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous size for malloc().
No writeups or analysis indexed.