CVE-2013-0928
published 2013-01-21
Priority P274 | critical | 9.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 34.47% (98.2th percentile)
The NetWorker command processor in rrobotd.exe in the Device Manager in EMC AlphaStor 4.0 before build 800 allows remote attackers to execute arbitrary commands via a DCP "run command" operation.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | alphastor | — | — |
Detection & IOCs (extracted from sources)
bytes: \x75
- Monitor TCP port 3000 for connections to rrobotd.exe (EMC AlphaStor Device Manager). Packets beginning with opcode byte 0x75 followed by shell metacharacters (e.g., '&', 'cmd.exe') are indicative of exploitation attempts.
- A check response of 'Could not fork command' from rrobotd.exe on port 3000 indicates the target is vulnerable and the opcode 0x75 command injection path is reachable.
- Inspect DCP protocol traffic on port 3000 for 'run command' (opcode 0x75) operations containing shell command separators such as '&' or 'cmd.exe /c', which indicate command injection exploitation of CVE-2013-0928.
- The Metasploit module was tested specifically against EMC AlphaStor 4.0 build 116; the vulnerability affects all builds before 800. Payloads use a maximum space of 2048 bytes with NOPs disabled, and command stager lines are capped at 487 characters due to input length constraints.
- The exploit targets x86 architecture (Windows). The payload space is limited to 2048 bytes with a per-command stager line maximum of 487 characters, meaning detection rules should account for high-volume sequential short commands on port 3000.
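The detection notes above, turned into a small offline triage function. This is an added example, not a rule from this page or from EMC: the event tuple layout, the sample payloads, the 10-second window and the burst threshold of 5 are assumptions, and the payloads are constructed rather than real DCP framing.

```python
from collections import defaultdict

PORT = 3000                      # rrobotd.exe Device Manager port (from the page)
OPCODE = 0x75                    # DCP "run command" opcode (from the page)
MARKERS = (b"&", b"cmd.exe")     # separators the page names
STAGER_MAX = 487                 # per-command stager line cap (from the page)


def has_injection_marker(payload: bytes) -> bool:
    """True if the bytes after the opcode contain a shell separator."""
    body = payload[1:].lower()
    return any(m in body for m in MARKERS)


def analyze(events, window=10.0, burst=5):
    """events: iterable of (timestamp, src_ip, dst_port, payload_bytes).

    Emits ("injection", src, ts) for every opcode 0x75 packet on port 3000
    that carries a separator, and ("stager_burst", src, ts) when one source
    sends `burst` such short commands within `window` seconds (assumed
    thresholds; tune them to the environment).
    """
    alerts = []
    recent = defaultdict(list)   # src_ip -> timestamps of short suspicious commands
    for ts, src, dport, payload in sorted(events, key=lambda e: e[0]):
        if dport != PORT or not payload or payload[0] != OPCODE:
            continue
        if not has_injection_marker(payload):
            continue
        alerts.append(("injection", src, ts))
        if len(payload) - 1 <= STAGER_MAX:
            q = recent[src]
            q.append(ts)
            while q[0] < ts - window:    # drop timestamps outside the window
                q.pop(0)
            if len(q) == burst:
                alerts.append(("stager_burst", src, ts))
    return alerts


# Constructed sample traffic (not captured from a real host).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.7", 3000, b"\x75list devices"),        # 0x75 without separators
    (1.0, "10.0.0.9", 3000, b"\x75a & cmd.exe /c ver"),  # single suspicious command
    (2.0, "10.0.0.8", 8080, b"\x75a & cmd.exe"),         # wrong port, ignored
    (3.0, "10.0.0.6", 3000, b"\x41a & b"),               # different opcode, ignored
] + [(5.0 + i * 0.5, "10.0.0.5", 3000, b"\x75x & CMD.EXE /c echo chunk%d" % i)
     for i in range(5)]                                  # rapid run of short commands

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```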
No detection rules found.
Exploit-DB
EMC AlphaStor Device Manager Opcode 0x75 - Command Injection (Metasploit)
exploitdb·2014-09-24
---
```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Module metadata only; the page shows no more than this excerpt.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
      'Description' => %q{
        This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
        command, the process does not properly filter user supplied input allowing for arbitrary
        command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
        with Windows 2003 SP2 and Windows 2008 R2.
      },
      'Author'      =>
        [
          'Anyway ', # Vulnerability Discovery
          'Preston Thornburn ', # msf module
          'Mohsan Farid ', # msf module
          'Brent Morris ', # msf module
          'juan vazquez' # convert aux module into exploit
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-0928'],
          ['ZDI', '13-033']
        ]
      # (excerpt ends here on the page)
    ))
  end
end
```
Metasploit
EMC AlphaStor Device Manager Opcode 0x75 Command Injection
This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75 command, the process does not properly filter user supplied input allowing for arbitrary command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116 with Windows 2003 SP2 and Windows 2008 R2.
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/bugtraq/2013-01/0078.html
- http://www.exploit-db.com/exploits/34756
- http://www.securityfocus.com/bid/57472
- http://www.zerodayinitiative.com/advisories/ZDI-13-033/

Published: 2013-01-21