cbcvebase.
CVE-2012-0124
published 2012-03-14

Priority: P2 70
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.66% (99.1th percentile)
Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors.

Affected

2 ranges
Vendor    Product                   Version range    Fixed in
hp        data_protector_express
hp        data_protector_express

Detection & IOCs (extracted from sources)

port: 3817
process: dpwinsdr.exe
filename: dpwindtb.dll
bytes: \x54\x84\x00\x00\x00\x00\x00\x00
bytes: \x51\x84\x00\x00\x02\x02\x02\x32
  • Monitor for connections to TCP port 3817 (HP Data Protector Express default service port) from untrusted/external hosts, especially those sending large folder-name payloads.
  • Exploit uses SEH handler overwrite combined with egg-hunting (egg tag 'w00t') to locate payload in heap; look for the egg-hunter pattern in network traffic to port 3817.
  • Exploit authenticates with default credentials (username 'Admin', empty password); alert on authentication attempts to dpwinsdr.exe service using blank passwords.
  • The exploit payload contains bad characters \x00, \x2f, \x5c; network signatures should look for oversized folder-name fields (~2730+ bytes) in Create Object requests (opcode \x51\x84) to port 3817.
  • The ROP/SEH gadget used is a pop-pop-ret from ifsutil.dll at address 0x66dd3e49; presence of this return address in stack memory or network payload is a strong exploit indicator.
  • The Metasploit module target is specifically HP Data Protector Express 5.0.00.59287 on Windows XP SP3; the ROP gadget address (0x66dd3e49 in ifsutil.dll) may not be reliable on other OS versions or patch levels.
  • CVE-2012-0124 affects DPX 5.0.00 before build 59287 and 6.0.00 before build 11974; the public exploit only targets the 5.x branch, and 6.x exploitation details are unspecified.