CVE-2012-0124
Published 2012-03-14
Priority: P2 (70) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 62.66% (percentile 99.1)
Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | data_protector_express | 5.0.00, builds before 59287 | 5.0.00 build 59287 |
| hp | data_protector_express | 6.0.00, builds before 11974 | 6.0.00 build 11974 |
Detection & IOCs (extracted from sources)
- Byte pattern: \x54\x84\x00\x00\x00\x00\x00\x00
- Byte pattern: \x51\x84\x00\x00\x02\x02\x02\x32 (Create Object request, opcode \x51\x84)
- Monitor for connections to TCP port 3817 (HP Data Protector Express default service port) from untrusted or external hosts, especially those sending large folder-name payloads.
- The exploit combines an SEH handler overwrite with egg hunting (egg tag 'w00t') to locate an intact copy of the payload in the heap; look for the egg-hunter pattern in network traffic to port 3817.
- The exploit authenticates with default credentials (username 'Admin', empty password); alert on authentication attempts to the dpwinsdr.exe service that use a blank password.
- The exploit payload avoids the bad characters \x00, \x2f and \x5c; network signatures should look for oversized folder-name fields (roughly 2730 bytes or more) in Create Object requests (opcode \x51\x84) to port 3817.
- The SEH gadget is a pop/pop/ret from ifsutil.dll at address 0x66dd3e49; the presence of this return address in stack memory or in a network payload is a strong exploit indicator.
- Caveat: the Metasploit module targets HP Data Protector Express 5.0.00.59287 on Windows XP SP3 specifically; the gadget address (0x66dd3e49 in ifsutil.dll) may not be reliable on other OS versions or patch levels.
- Caveat: CVE-2012-0124 affects DPX 5.0.00 before build 59287 and 6.0.00 before build 11974; the public exploit only targets the 5.x branch, and 6.x exploitation details are unspecified.
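The indicators above can be turned into a per-request check. The following is an added example, not code from this page or from the Metasploit module: it assumes that the folder-name field is everything after the 8-byte Create Object header (the page does not document the DPX framing), treats the first byte pattern from the IOC list only as an opaque request header, and uses constructed sample payloads rather than captured traffic.

```python
import struct

# Indicators taken from the IOC list above. The DPX wire framing is not documented
# on this page, so the folder-name field is ASSUMED to be everything after the
# 8-byte Create Object header; adjust once the real framing is known.
DPX_PORT = 3817
CREATE_OBJECT_HDR = b"\x51\x84\x00\x00\x02\x02\x02\x32"   # byte pattern from the IOC list
CREATE_OBJECT_OPCODE = CREATE_OBJECT_HDR[:2]               # opcode \x51\x84
EGG_TAG = b"w00t"
EGG_MARKER = EGG_TAG * 2            # Metasploit egghunters look for the tag repeated twice
PPR_GADGET = struct.pack("<I", 0x66dd3e49)   # pop/pop/ret in ifsutil.dll, as sent on the wire
OVERSIZED_NAME = 2730               # approximate folder-name length the exploit needs
BAD_CHARS = b"\x00\x2f\x5c"         # bytes the exploit cannot use in the folder name


def inspect_request(payload: bytes) -> dict:
    """Flag exploit indicators in one client-to-server DPX payload."""
    is_create = payload[:2] == CREATE_OBJECT_OPCODE
    name = payload[len(CREATE_OBJECT_HDR):] if is_create else b""
    return {
        "create_object": is_create,
        "name_length": len(name),
        "oversized_name": is_create and len(name) >= OVERSIZED_NAME,
        # A long name that also avoids every bad char looks like exploit filler,
        # not a path typed by a user.
        "bad_chars_absent": is_create and not any(c in name for c in BAD_CHARS),
        "egg_marker": EGG_MARKER in payload,
        "ppr_gadget": PPR_GADGET in payload,
    }


def verdict(dst_port: int, payload: bytes) -> str:
    """'ignore' off-port, 'exploit-likely' on any strong indicator, else 'benign'."""
    if dst_port != DPX_PORT:
        return "ignore"
    f = inspect_request(payload)
    if f["oversized_name"] or f["egg_marker"] or f["ppr_gadget"]:
        return "exploit-likely"
    return "benign"


def scan(flows):
    """Run the check over (src, dst_port, payload) records; return alert lines."""
    alerts = []
    for src, dst_port, payload in flows:
        if verdict(dst_port, payload) != "exploit-likely":
            continue
        f = inspect_request(payload)
        hits = [k for k in ("oversized_name", "egg_marker", "ppr_gadget") if f[k]]
        alerts.append(f"{src} -> tcp/{dst_port}: {', '.join(hits)}")
    return alerts


# Constructed sample traffic (not captured from a real DPX server).
BENIGN = CREATE_OBJECT_HDR + b"Monthly Backups\x00"
EXPLOIT_LIKE = (CREATE_OBJECT_HDR
                + b"A" * OVERSIZED_NAME    # filler up to the SEH record
                + b"\x41\x41\x41\x41"      # next-SEH slot (a real exploit puts a short jump here)
                + PPR_GADGET               # handler overwritten with the pop/pop/ret address
                + b"\x90" * 16)
# Egg delivered in a separate request; the header is the first byte pattern from the
# IOC list, whose meaning the page does not state (assumption: any non-Create-Object request).
EGG_CARRIER = b"\x54\x84\x00\x00\x00\x00\x00\x00" + EGG_MARKER + b"\xcc" * 32

FLOWS = [("10.0.0.5", 3817, BENIGN),
         ("203.0.113.9", 3817, EGG_CARRIER),
         ("203.0.113.9", 3817, EXPLOIT_LIKE),
         ("203.0.113.9", 445, EXPLOIT_LIKE)]

if __name__ == "__main__":
    for line in scan(FLOWS):
        print(line)
```

The length threshold and the gadget bytes are tied to the public 5.x module on Windows XP SP3, so a variant exploit can change both; the egg marker and the blank-password login noted above are the indicators least likely to move.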
No detection rules found.
Exploit-DB
HP Data Protector - Create New Folder Buffer Overflow (Metasploit) · exploitdb · 2012-07-01 · CVE-2012-0124
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# 2012-era module layout (class named Metasploit3, subclassing Msf::Exploit::Remote);
# the listing had this line merged with the 'Name' field.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP Data Protector Create New Folder Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in HP Data Protector 5. The overflow
        occurs in the creation of new folders, where the name of the folder is handled in an
        insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the
        folder name is split in fragments in this insecure copy. Because of this, this module
        uses egg hunting to search a non-corrupted copy of the payload in the heap. On the
        other hand the overflowed buffer is stored in a frame protected by stack cookies,
        because of this SEH handler overwrite is used. Any user of HP Data Protector Express
        is able to create new folders and trigger the vulnerability. Moreover, in the default
        installation the 'Admin' user has an empty password.
      },
      # remainder of the module (author, references, targets, exploit method) is not in the source listing
```
Metasploit: HP Data Protector Create New Folder Buffer Overflow
This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in an insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the folder name is split in fragments in this insecure copy. Because of this, this module uses egg hunting to search a non-corrupted copy of the payload in the heap. On the other hand the overflowed buffer is stored in a frame protected by stack cookies, because of this SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. Successful exploit
No writeups or analysis indexed.