CVE-2013-2343
Published 2013-07-02
Priority: P2 · 77 · critical · CVSS 2.0: 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 61.81% (99.1th percentile)
Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hydra with software before 10.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1510.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | lefthand_virtual_san_appliance_hydra_software | <= 9.0 | — |
Detection & IOCs (extracted from sources)
bytes:
\x00\x00\x00\x00\x00\x00\x00\x01 [4-byte length] \x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x14\xff\xff\xff\xff
- Monitor for TCP connections to port 13838 on HP P4000/LeftHand VSA appliances — this is the proprietary hydra management protocol port targeted by the exploit.
- Detect exploit login packets by inspecting traffic on port 13838 for the fixed 8-byte header \x00\x00\x00\x00\x00\x00\x00\x01 followed by a 4-byte big-endian length, then the sequence \x00\x00\x00\x14\xff\xff\xff\xff before the payload string.
- Flag login requests to the hydra service containing the credential string 'L0CAlu53R' — this is the hardcoded password used in the check/probe phase of the exploit.
- Alert on login packets to port 13838 where the login string contains '#global$agent' (with leading hash), which is the exploit's attack-phase login path distinct from the normal probe path.
- Detect oversized login request bodies on port 13838 — the exploit uses an offset of 3446 bytes before the ROP chain, so any login payload exceeding normal bounds (e.g., >1000 bytes) should be flagged.
- The vulnerability is triggered by sscanf() parsing of the login request; look for abnormally long fields in the login:/ URI structure on the hydra service.
- The stack-adjustment prepend encoder bytes \x81\xc4\x54\xf2\xff\xff (add esp, -3500) may appear at the start of shellcode within the payload — scan for this byte sequence in port 13838 traffic.
- The public Metasploit module only targets HP VSA version 9 (prior to 10.0); the ROP gadget addresses (Ret, FakeObject, JmpEsp) are hardcoded for the 'hydra' binary from that specific version and will differ on other builds.
- Bad characters for payload encoding are \x2f, \x00, \x0d, \x0a — these are filtered by the vulnerable sscanf/login parser and must be avoided in shellcode; detection signatures should account for encoded payloads avoiding these bytes.
- The exploit sets ExitFunction to 'none', meaning the process does not cleanly exit after exploitation — post-exploitation process state on the appliance may be unstable.
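The framing and indicator checks listed above can be combined into one payload inspector. The following is an added example, not code from this page or from any vendor or project it cites; the function names, the 256-byte per-field limit, and the reading of the length field as the body size are assumptions, and the sample payloads are constructed.

```python
import struct

# Framing constants copied from the byte pattern listed above.
MAGIC = b"\x00\x00\x00\x00\x00\x00\x00\x01"
PAD = b"\x00" * 12
TRAILER = b"\x00\x00\x00\x14\xff\xff\xff\xff"
HEADER_LEN = len(MAGIC) + 4 + len(PAD) + len(TRAILER)  # 32 bytes
MAX_BODY = 1000   # body-size threshold suggested in the list above
MAX_FIELD = 256   # assumed per-field limit for '/'-separated login fields
MARKERS = {
    "probe_credential": b"L0CAlu53R",
    "attack_login_path": b"#global$agent",
    "stack_adjust_stub": b"\x81\xc4\x54\xf2\xff\xff",
}


def inspect_hydra_login(data: bytes) -> list:
    """Return finding names for one client-to-server payload seen on TCP/13838."""
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        return []
    if data[12:24] != PAD or data[24:32] != TRAILER:
        return []
    (declared,) = struct.unpack(">I", data[8:12])
    body = data[HEADER_LEN:]
    findings = ["hydra_login_frame"]
    # The page does not say what the length field counts, so check both the
    # declared value and the bytes actually captured.
    if max(declared, len(body)) > MAX_BODY:
        findings.append("oversized_login_body")
    if any(len(field) > MAX_FIELD for field in body.split(b"/")):
        findings.append("long_login_field")
    findings += [name for name, needle in MARKERS.items() if needle in body]
    return findings


def build_frame(body: bytes) -> bytes:
    """Constructed test frame; length field = len(body) is an assumption."""
    return MAGIC + struct.pack(">I", len(body)) + PAD + TRAILER + body


if __name__ == "__main__":
    samples = {  # constructed payloads, not captured traffic
        "normal": build_frame(b"login:/operator/example-password"),
        "probe": build_frame(b"login:/operator/L0CAlu53R"),
        "oversized": build_frame(b"login:/#global$agent/" + b"A" * 2000),
        "other": b"GET / HTTP/1.1\r\n\r\n",
    }
    for name, payload in samples.items():
        print(name, inspect_hydra_login(payload))
```

Feed it the reassembled client-to-server bytes of each connection to port 13838; a payload that does not carry the hydra framing returns an empty list.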
No detection rules found.
Exploit-DB
HP StorageWorks P4000 Virtual SAN Appliance - Login Buffer Overflow (Metasploit)
exploitdb·2013-08-13
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in HP's StorageWorks
P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage
of the sscanf() function when parsing login requests. This module has been tested
successfully on the HP VSA 9 Virtual Appliance.
},
'License' => MSF_LICENSE,
'Autho
Metasploit
HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow
metasploit
This module exploits a buffer overflow vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage of the sscanf() function when parsing login requests. This module has been tested successfully on the HP VSA 9 Virtual Appliance.
No writeups or analysis indexed.
2013-07-02
Published