CVE-2011-0922
Published 2011-02-09
CVE-2011-0922: The client in HP Data Protector allows remote attackers to execute arbitrary programs via an EXEC_SETUP command that references a UNC share pathname.
Priority: P276 · Severity: critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 64.22% (99.1th percentile)
Detection & IOCs (extracted from sources)
bytes: \x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20
bytes: \x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20\x00\x70\x00\x77\x00\x6e\x00\x32\x00
- Detect inbound TCP connections to port 5555 (HP Data Protector OmniInet) containing the EXEC_SETUP or EXEC_CMD command referencing a UNC path (\\<host>\Omniback\i386\installservice.exe).
- Look for TCP payloads to port 5555 beginning with the byte sequence \x00\x00\x01\xbe\xff\xfe\x32\x00 as a network signature for CVE-2011-0922 exploit attempts.
- Monitor SMB share access for the path \Omniback\i386\installservice.exe, which is the attacker-staged payload filename used in exploitation.
- Alert on processes spawned by the HP Data Protector OmniInet service (omniinet.exe) that execute installservice.exe or reference \Omniback\i386\ UNC paths.
- Note: Exploitation requires the attacker to host a malicious SMB share named 'Omniback' with a subfolder 'i386' containing the payload executable; the SYSTEM account on the victim must be able to access this share.
- Note: Affected versions are HP Data Protector 6.10, 6.11, and 6.20 on Windows; the vulnerable process is OmniInet listening on TCP port 5555.
No detection rules found.
Exploit-DB
HP Data Protector - CMD Install Service (Metasploit)
exploitdb·2013-08-02·CVSS 10.0
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-13-07
# Exploit Author: Ben Turner, Doug McLeod
# Vendor Homepage: www.hp.com
# Version: 6.10 & 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
require 'msf/core'
class Metasploit3 'HP Data Pro
Exploit-DB
HP Data Protector Client - EXEC_CMD Remote Code Execution
exploitdb·2012-06-19·CVSS 10.0
---
#!/usr/bin/env python
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
import socket
import sys
import binascii
if len(sys.argv) != 4:
    print ""
    print "\033[0;31mUsage: ./hp_protector.py \033[0m"
    print ""
    print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\\\Omniback\\i386\\installservice.exe\033[0m"
    print
Exploit-DB
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
exploitdb·2011-05-29·CVSS 10.0
---
# Exploit Title: HP Data Protector Client EXEC_SETUP Remote Code Execution Vulnerability PoC (ZDI-11-056)
# Date: 2011-05-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# The following PoC instructs an HP Data Protector Client to download and install an .exe file. It tries to get the file
# from a share (\\pwn2003se.home.it) and if it fails it tries to access the same file via HTTP. To get the PoC working with
# this payload share a malicious file via HTTP
Metasploit
HP Data Protector 6.10/6.11/6.20 Install Service
metasploit
This module exploits the HP Data Protector OmniInet process on Windows only. This exploit invokes the install service function which allows an attacker to create a custom payload in the format of an executable. To ensure this works, the SMB server created in MSF must have a share called Omniback which has a subfolder i386, i.e. \\192.168.1.1\Omniback\i386\
No writeups or analysis indexed.
References:
- http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp
- http://marc.info/?l=bugtraq&m=130391284726795&w=2
- http://www.securityfocus.com/archive/1/516272/100/0/threaded
- http://www.securityfocus.com/bid/46234
- http://www.vupen.com/english/advisories/2011/0308
- http://zerodayinitiative.com/advisories/ZDI-11-056/