CVE-2013-2343
published 2013-07-02

Priority: P2 · 77 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 61.81% (99.1th percentile)
Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hydra with software before 10.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1510.

Affected

1 range
Vendor: hp
Product: lefthand_virtual_san_appliance_hydra_software
Version range: <= 9.0
Fixed in: -

Detection & IOCs (extracted from sources)

port: 13838
command: login:/global$agent/L0CAlu53R/Version "9.0.0"
command: login:/#global$agent/<BOF>/Version "1"
other: 0x0804EB34
other: 0x08072E58
other: 0x08050CB8
bytes: \x00\x00\x00\x00\x00\x00\x00\x01 [4-byte length] \x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x14\xff\xff\xff\xff
  • Monitor for TCP connections to port 13838 on HP P4000/LeftHand VSA appliances — this is the proprietary hydra management protocol port targeted by the exploit.
  • Detect exploit login packets by inspecting traffic on port 13838 for the fixed 8-byte header \x00\x00\x00\x00\x00\x00\x00\x01 followed by a 4-byte big-endian length, 12 zero bytes, and then the sequence \x00\x00\x00\x14\xff\xff\xff\xff immediately before the payload string.
  • Flag login requests to the hydra service containing the credential string 'L0CAlu53R' — this is the hardcoded password used in the check/probe phase of the exploit.
  • Alert on login packets to port 13838 where the login string contains '#global$agent' (with leading hash), which is the exploit's attack-phase login path distinct from the normal probe path.
  • Detect oversized login request bodies on port 13838 — the exploit uses an offset of 3446 bytes before the ROP chain, so any login payload exceeding normal bounds (e.g., >1000 bytes) should be flagged.
  • The vulnerability is triggered by sscanf() parsing of the login request; look for abnormally long fields in the login:/ URI structure on the hydra service.
  • The stack-adjustment prepend encoder bytes \x81\xc4\x54\xf2\xff\xff (add esp, -3500) may appear at the start of shellcode within the payload — scan for this byte sequence in port 13838 traffic.
  • The public Metasploit module only targets HP VSA version 9 (prior to 10.0); the ROP gadget addresses (Ret, FakeObject, JmpEsp) are hardcoded for the 'hydra' binary from that specific version and will differ on other builds.
  • Bad characters for payload encoding are \x2f, \x00, \x0d, \x0a. These are filtered by the vulnerable sscanf/login parser and must be avoided in shellcode; detection signatures should account for encoded payloads avoiding these bytes.
  • The exploit sets ExitFunction to 'none', meaning the process does not cleanly exit after exploitation, so post-exploitation process state on the appliance may be unstable.
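
One way to apply the packet-level checks listed above to payloads captured on port 13838, as an added example (not code from the advisory, the Metasploit module or this page's sources). The function names, indicator labels, sample frames and the treatment of the length field are assumptions.

```python
import struct

MAGIC = b"\x00" * 7 + b"\x01"                      # fixed 8-byte header
TAIL = b"\x00" * 12 + b"\x00\x00\x00\x14\xff\xff\xff\xff"  # 20 bytes after the length
HEADER_LEN = len(MAGIC) + 4 + len(TAIL)             # 32 bytes before the login string
MAX_LOGIN_BODY = 1000                               # example threshold from the page
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"          # add esp, -3500

def inspect_hydra_payload(payload):
    """Return the indicator names found in one TCP payload sent to port 13838."""
    if len(payload) < HEADER_LEN or not payload.startswith(MAGIC):
        return []
    if payload[12:HEADER_LEN] != TAIL:
        return []
    body = payload[HEADER_LEN:]
    if not body.startswith(b"login:/"):
        return []
    # The page does not say how the length field counts the body, so compare
    # both the declared value and the bytes actually present to the threshold.
    (declared,) = struct.unpack(">I", payload[8:12])
    hits = []
    if b"L0CAlu53R" in body:
        hits.append("probe_credential")
    if body.startswith(b"login:/#global$agent"):
        hits.append("hash_prefixed_login_path")
    if max(declared, len(body)) > MAX_LOGIN_BODY:
        hits.append("oversized_login_body")
    if STACK_ADJUST in body:
        hits.append("stack_adjust_prepend")
    return hits

def build_sample_frame(body):
    """Constructed test input: header + declared length (assumed = len(body)) + body."""
    return MAGIC + struct.pack(">I", len(body)) + TAIL + body

# Constructed samples; the long one holds filler bytes only.
PROBE = build_sample_frame(b'login:/global$agent/L0CAlu53R/Version "9.0.0"')
LONG_LOGIN = build_sample_frame(
    b"login:/#global$agent/" + b"A" * 2000 + STACK_ADJUST + b'/Version "1"')
ORDINARY = build_sample_frame(b'login:/global$agent/example-pass/Version "9.0.0"')

if __name__ == "__main__":
    for name, pkt in [("probe", PROBE), ("long", LONG_LOGIN), ("ordinary", ORDINARY)]:
        print(name, inspect_hydra_payload(pkt))
```

Feed the function reassembled client-to-server stream data rather than single segments, since a login body over 1000 bytes can span several TCP segments.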