cbcvebase.
CVE-2012-4361
published 2012-08-20

CVE-2012-4361: lhn/public/network/ping in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance allows remote authenticated users to execute arbitrary commands via shell…

PriorityP265high7.7CVSS 2.0
AVAACLAuSCCICAC
EXPLOIT
EPSS
47.80%
98.7th percentile
lhn/public/network/ping in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance allows remote authenticated users to execute arbitrary commands via shell metacharacters in the second parameter.

Affected

5 ranges
VendorProductVersion rangeFixed in
hpsan_iq<= 9.0
hpsan_iq
hpsan_iq
hpsan_iq
hpsan_iq

Detection & IOCsextracted from sources · hover to see the quote

port13838
path/lhn/public/network/ping
commandget:/lhn/public/network/ping/127.0.0.1/foobar;<PAYLOAD>/
port12345
bytes
\x00\x00\x00\x00\x00\x00\x00\x01
bytes
\x00\x00\x00\x14\xff\xff\xff\xff
  • Monitor TCP port 13838 for connections to HP VSA appliances; this is the Hydra management protocol port used by the exploit.
  • Detect login attempts using the hardcoded backdoor credential 'global$agent' / 'L0CAlu53R' on port 13838.
  • Alert on Hydra protocol packets containing the path '/lhn/public/network/ping/' with shell metacharacters (e.g., semicolons) in the second path parameter.
  • Detect Hydra protocol packet header magic bytes '\x00\x00\x00\x00\x00\x00\x00\x01' followed by a 4-byte big-endian length field and trailer '\x00\x00\x00\x14\xff\xff\xff\xff' on port 13838.
  • ·The exploit requires authentication using a hardcoded default/backdoor credential; patching or disabling this account mitigates exploitation.
  • ·Forward slash '/' is a bad character for payloads; detection rules must account for encoded or slash-free payload variants.
  • ·Netcat, Ruby, and PHP are not available on the target; only telnet, bash, and perl payloads are viable for exploitation.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.