CVE-2012-4361
Published 2012-08-20
Priority: P2 · 65 · high · CVSS 2.0: 7.7
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 47.80% (98.7th percentile)
lhn/public/network/ping in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance allows remote authenticated users to execute arbitrary commands via shell metacharacters in the second parameter.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | san_iq | <= 9.0 | — |
| hp | san_iq | — | — |
| hp | san_iq | — | — |
| hp | san_iq | — | — |
| hp | san_iq | — | — |
Detection & IOCs (extracted from sources)
bytes: \x00\x00\x00\x00\x00\x00\x00\x01
bytes: \x00\x00\x00\x14\xff\xff\xff\xff
- Monitor TCP port 13838 for connections to HP VSA appliances; this is the Hydra management protocol port used by the exploit.
- Detect login attempts using the hardcoded backdoor credential 'global$agent' / 'L0CAlu53R' on port 13838.
- Alert on Hydra protocol packets containing the path '/lhn/public/network/ping/' with shell metacharacters (e.g., semicolons) in the second path parameter.
- Detect Hydra protocol packet header magic bytes '\x00\x00\x00\x00\x00\x00\x00\x01' followed by a 4-byte big-endian length field and trailer '\x00\x00\x00\x14\xff\xff\xff\xff' on port 13838.
- The exploit requires authentication using a hardcoded default/backdoor credential; patching or disabling this account mitigates exploitation.
- Forward slash '/' is a bad character for payloads; detection rules must account for encoded or slash-free payload variants.
- Netcat, Ruby, and PHP are not available on the target; only telnet, bash, and perl payloads are viable for exploitation.
GHSA
GHSA-gf3h-f36r-6v4f
ghsa_unreviewed · 2022-05-17
CVE-2012-4361 [HIGH] CWE-78
lhn/public/network/ping in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance allows remote authenticated users to execute arbitrary commands via shell metacharacters in the second parameter.
GHSA
GHSA-w9qp-hfqh-wjg8
ghsa_unreviewed · 2022-05-17 · CVSS 7.7
CVE-2012-2986 [HIGH] CWE-78
lhn/public/network/ping in HP SAN/iQ 9.5 on the HP Virtual SAN Appliance allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) first, (2) third, or (3) fourth parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4361.
No detection rules found.
Exploit-DB
HP StorageWorks P4000 - Virtual SAN Appliance Command Execution (Metasploit)
exploitdb · 2012-05-21 · CVE-2012-4362
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
'Description' => %q{
This module exploits a vulnerability found in HP's StorageWorks P4000 VSA,
versions prior to 9.5. By using a default account credential, it is possible
to inject arbitrary commands as part of a ping request via port 13838.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicolas Gregoire', #Discovery, PoC, additional assistance
'sinn3r' #M
```
Exploit-DB
HP VSA - Remote Command Execution
exploitdb · 2012-02-17 · CVE-2012-4362
---
```python
#!/usr/bin/python
''' ==================================
Pseudo documentation
================================== '''
# HP VSA / SANiQ Hydra client
# Nicolas Grégoire
# v0.5
''' ==================================
Target information
================================== '''
HOST = '192.168.201.11' # The remote host
PORT = 13838 # The hydra port
''' ==================================
Imports
================================== '''
import getopt
import re
import sys
import binascii
import struct
import socket
import os
''' ==================================
Define functions
================================== '''
# Some nice formatting
def zprint(str):
    print '[=] ' + str
# Define packets
def send_Exec():
    zprint('Send Exec')
    # RESTRICTIONS
    # You can'
```
Metasploit
HP StorageWorks P4000 Virtual SAN Appliance Command Execution
metasploit
This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.
No writeups or analysis indexed.