CVE-2013-2347
Published 2014-01-04
Priority P2 · 74 · critical · CVSS 2.0 score 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 66.41% (99.2th percentile)
The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary commands or cause a denial of service via a crafted EXEC_BAR packet to TCP port 5555, aka ZDI-CAN-1885.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | storage_data_protector | — | — |
| hp | storage_data_protector | — | — |
Detection & IOCs (extracted from sources)
- Detect EXEC_BAR exploit packets by matching the opcode value '11' (0x31 0x00 0x31 0x00 in UTF-16LE) preceded by the Unicode BOM (0xFF 0xFE) on TCP port 5555 inbound to OmniInet.exe.
- Validate exploit response fingerprinting: a successful EXEC_BAR response unpacks to length=8, BOM=0xFFFE, value=0x36, trailing=0. Monitor for this pattern on port 5555.
- Monitor OmniInet.exe for spawning cmd.exe child processes, especially with arguments containing 'net user' or 'net localgroup Administrators', as this is the direct post-exploitation pattern.
- Exploit packets begin with a 4-byte big-endian length field followed immediately by the Unicode BOM 0xFF 0xFE; filter inbound TCP/5555 traffic for packets starting with \x00\x00\x01 (length prefix) then \xff\xfe.
- The exploit requires the packet to contain at least 19 arguments; the 18th is the command path and the 19th is the argument. Defenders should note that padding arguments (positions 8–17) are arbitrary random strings and will vary per exploit attempt.
- The Metasploit module uses a VBScript CMDStager that replaces 'cscript //nologo' with 'wscript //nologo' to evade detection; process monitoring rules should cover both cscript and wscript spawned from OmniInet.exe.
- The PowerShell payload path in the Metasploit module strips %COMSPEC% before execution, meaning the command string sent over the wire will not contain the %COMSPEC% variable. Signature rules relying on that string will miss PowerShell-based exploitation.
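The process-monitoring guidance above, written out as an added example (not code from this page, the vendor, or any indexed rule set): it triages process-creation events whose parent is OmniInet.exe. The event field names `parent_image`, `image` and `command_line`, the file paths, and the sample events are all assumptions constructed for illustration.

```python
import ntpath

# Child processes the guidance above says to watch for under OmniInet.exe.
# wscript.exe is listed because the Metasploit stager swaps cscript for wscript.
WATCHED_CHILDREN = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
# Arguments named above as the direct post-exploitation pattern.
HIGH_RISK_ARGS = ("net user", "net localgroup administrators")


def exe_name(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def classify(event):
    """Return None, 'medium' or 'high' for one process-creation event."""
    if exe_name(event["parent_image"]) != "omniinet.exe":
        return None
    if exe_name(event["image"]) not in WATCHED_CHILDREN:
        return None
    # Collapse whitespace and case so 'NET   USER' still matches. No check
    # depends on %COMSPEC%, which the PowerShell path never sends.
    cmdline = " ".join(event["command_line"].lower().split())
    return "high" if any(a in cmdline for a in HIGH_RISK_ARGS) else "medium"


def triage(events):
    """Return (index, severity) for every event that raises an alert."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, sev) for i, sev in hits if sev]


# Constructed sample events; paths and field names are placeholders,
# not a real log schema or the product's real install path.
OMNI = r"C:\example\OmniInet.exe"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"parent_image": OMNI, "image": SYS32 + r"\cmd.exe",
     "command_line": "cmd.exe /c NET  USER"},
    {"parent_image": OMNI, "image": SYS32 + r"\wscript.exe",
     "command_line": "wscript //nologo placeholder.vbs"},
    {"parent_image": OMNI, "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop placeholder"},
    {"parent_image": SYS32 + r"\services.exe", "image": SYS32 + r"\cmd.exe",
     "command_line": "cmd.exe /c net user"},
    {"parent_image": OMNI, "image": r"C:\example\backup_agent.exe",
     "command_line": "backup_agent.exe"},
]

if __name__ == "__main__":
    for idx, severity in triage(SAMPLE_EVENTS):
        print(severity, SAMPLE_EVENTS[idx]["command_line"])
```

Medium hits should be compared against the host's normal backup activity before they are promoted to alerts.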
No detection rules found.
Exploit-DB
HP Data Protector - Backup Client Service Remote Code Execution (Metasploit)
exploitdb·2014-03-10
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'HP Data Protector Backup Client Service Remote Code Execution',
'Description' => %q{
This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code
execution. The vulnerability exists in the EXEC_BAR operation, which allows to
execute arbitrary processes. This module has been tested successfully on HP Data
Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.
},
'Author' =>
[
'Aniway.Anyway ', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2347' ],
[ 'BID', '6464
Exploit-DB
HP Data Protector - 'EXEC_BAR' Remote Command Execution
exploitdb·2014-02-16·CVSS 10.0
---
import argparse
import socket
"""
Exploit Title: HP Data Protector EXEC_BAR Remote Command Execution
Exploit Author: Chris Graham @cgrahamseven
CVE: CVE-2013-2347
Date: February 14, 2014
Vendor Homepage: www.hp.com
Version: 6.10, 6.11, 6.20
Tested On: Windows Server 2003, Windows Server 2008 R2
References:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422
http://www.zerodayinitiative.com/advisories/ZDI-14-008/
Details:
The omniinet service, which runs by default on port 5555, is susceptible
to numerous remotely exploitable vulnerabilities. By sending a malicious
EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet
service to run an arbitrary command. On Windows, the omnii
Metasploit
HP Data Protector Backup Client Service Remote Code Execution
metasploit
This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code execution. The vulnerability exists in the EXEC_BAR operation, which allows to execute arbitrary processes. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.
No writeups or analysis indexed.
- http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html
- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03822422
- http://www.exploit-db.com/exploits/32164
- http://www.zerodayinitiative.com/advisories/ZDI-14-008/