CVE-2011-0922
published 2011-02-09

CVE-2011-0922: The client in HP Data Protector allows remote attackers to execute arbitrary programs via an EXEC_SETUP command that references a UNC share pathname.

Priority: P276
Severity: critical (CVSS 2.0 score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.22% (99.1th percentile)

Detection & IOCs (extracted from sources)

port: 5555
command: EXEC_SETUP
path: \\<host>\Omniback\i386\installservice.exe
path: \192.168.1.1\Omniback\i386\
bytes: \x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20
bytes: \x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20\x00\x70\x00\x77\x00\x6e\x00\x32\x00
  • Detect inbound TCP connections to port 5555 (HP Data Protector OmniInet) containing the EXEC_SETUP or EXEC_CMD command referencing a UNC path (\\<host>\Omniback\i386\installservice.exe).
  • Look for TCP payloads to port 5555 beginning with the byte sequence \x00\x00\x01\xbe\xff\xfe\x32\x00 as a network signature for CVE-2011-0922 exploit attempts.
  • Monitor SMB share access for the path \Omniback\i386\installservice.exe, which is the attacker-staged payload filename used in exploitation.
  • Alert on processes spawned by the HP Data Protector OmniInet service (omniinet.exe) that execute installservice.exe or reference \Omniback\i386\ UNC paths.
  • Exploitation requires the attacker to host a malicious SMB share named 'Omniback' with a subfolder 'i386' containing the payload executable; the SYSTEM account on the victim must be able to access this share.
  • Affected versions are HP Data Protector 6.10, 6.11, and 6.20 on Windows; the vulnerable process is OmniInet listening on TCP port 5555.
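
The network-side checks from the list above, written as Python; this is an added example and is not taken from the page's sources. The function name, the host name and the sample payloads are constructed for illustration, and because the page does not give the wire encoding of the EXEC_SETUP command, only the port, the byte prefix and the UNC path are matched.

```python
import re

OMNIINET_PORT = 5555
# Leading bytes the page lists as the network signature.
SIG_PREFIX = b"\x00\x00\x01\xbe\xff\xfe\x32\x00"
# UNC reference to the staged file: \\<host>\Omniback\i386\installservice.exe
UNC_RE = re.compile(
    rb"\\\\[^\\\s]+\\omniback\\i386\\installservice\.exe", re.IGNORECASE
)


def inspect_payload(dst_port, payload):
    """Return the indicators from the page that a TCP payload matches."""
    hits = []
    if dst_port != OMNIINET_PORT:
        return hits
    if payload.startswith(SIG_PREFIX):
        hits.append("signature_prefix")
    # \xff\xfe in the signature is the UTF-16LE byte-order mark, so the path
    # may arrive as UTF-16LE. Dropping NUL bytes lets one ASCII regex cover
    # both encodings regardless of byte alignment.
    flattened = payload.replace(b"\x00", b"")
    if UNC_RE.search(flattened):
        hits.append("unc_installservice_path")
    return hits


# Constructed test inputs: they carry the indicators only and are not
# well-formed Data Protector messages.
UNC_TEXT = "\\\\host.example\\Omniback\\i386\\installservice.exe"
SAMPLE_UTF16 = SIG_PREFIX + UNC_TEXT.encode("utf-16-le")
SAMPLE_ASCII = b"x \\\\host.example\\OMNIBACK\\i386\\InstallService.exe"
SAMPLE_BENIGN = b"\x00\x00\x00\x10status"

if __name__ == "__main__":
    for name, port, data in [
        ("utf16", 5555, SAMPLE_UTF16),
        ("ascii", 5555, SAMPLE_ASCII),
        ("benign", 5555, SAMPLE_BENIGN),
        ("other port", 445, SAMPLE_UTF16),
    ]:
        print(f"{name:10s} -> {inspect_payload(port, data)}")
```

Matching the path case-insensitively and in both encodings keeps the check from depending on the exact byte prefix, which on its own is easy to miss if the leading length-like bytes differ.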