CVE-2013-6194
published 2014-01-04

CVE-2013-6194: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors…

Priority: P273 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 65.92% (99.2th percentile)
Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1905.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
hp | storage_data_protector | |
hp | storage_data_protector | |

Detection & IOCs (extracted from sources)

port: 5555
process: OmniInet.exe
command: opcode 42
path: \..\..\..\..\..\windows\system32\<vbs_name>.vbs
path: \..\..\..\..\..\WINDOWS\system32\wbem\mof\<mof_name>.mof
  • Monitor for inbound TCP connections to port 5555 (OmniInet.exe default port) containing packets that begin with a UTF-16 BOM (0xFF 0xFE) and include the string '42' as the opcode field — this is the trigger condition for the directory traversal exploit.
  • Detect directory traversal sequences in HP Data Protector OmniInet.exe network packets: look for '\..\..\..\..\..\' patterns in the rissServerCertificate field of opcode 42 messages.
  • Alert on creation of .vbs or .mof files in windows\system32\ or windows\system32\wbem\mof\ by OmniInet.exe, as the exploit uses WMI MOF execution (wbemexec trick) for payload execution.
  • Packets exploiting this vulnerability use Unicode encoding (UTF-16 BOM 0xFF 0xFE) with null-byte (0x00 0x00) field terminators and space separators — use this as a network signature anchor alongside opcode '42' in the message body.
  • The exploit sends an initial 64-byte random alpha-uppercase string to fingerprint the service before exploitation; detect this banner-grab pattern on port 5555 as a precursor reconnaissance indicator.
  • The exploit was tested and confirmed vulnerable only against HP Data Protector 6.20 build 370 on Windows 2003 SP2 and Windows XP SP3; versions 6.21 and above are flagged as 'Detected' (not confirmed vulnerable) by the Metasploit check method.
  • Payload space is limited to 2048 bytes and must be embedded into a VBS wrapper (exe-to-VBS) because binary content cannot be uploaded directly via the traversal primitive.
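The network indicators above (UTF-16 BOM, NUL-terminated and space-separated fields, opcode '42', traversal sequences ending in a .vbs or .mof path) can be combined into one check over a reassembled TCP payload seen on port 5555. This is an added example, not code from the page's sources; the function names and the sample payloads are constructed for illustration, and the sample field order is arbitrary rather than the product's real message layout.

```python
import re

BOM = b"\xff\xfe"  # UTF-16 little-endian byte order mark
# Three or more consecutive "\.." components, as in the paths listed above
TRAVERSAL = re.compile(r"(?:\\\.\.){3,}\\")
# Script/MOF drop locations named in the file-creation bullet
DROP_TARGET = re.compile(r"\\system32\\(?:wbem\\mof\\)?[^\\]+\.(?:vbs|mof)$", re.I)


def split_fields(payload):
    """Decode a BOM-prefixed UTF-16LE message; split on NUL terminators and spaces."""
    if not payload.startswith(BOM):
        return []
    body = payload[len(BOM):]
    body = body[: len(body) - (len(body) % 2)]  # ignore a trailing odd byte
    text = body.decode("utf-16-le", errors="replace")
    return [f for f in re.split(r"[\x00 ]+", text) if f]


def inspect(payload):
    """Return which indicators are present; alert only on opcode 42 plus traversal."""
    fields = split_fields(payload)
    has_opcode = "42" in fields
    traversal = [f for f in fields if TRAVERSAL.search(f)]
    return {
        "bom": payload.startswith(BOM),
        "opcode_42": has_opcode,
        "traversal_fields": traversal,
        "drop_targets": [f for f in traversal if DROP_TARGET.search(f)],
        "alert": has_opcode and bool(traversal),
    }


def _encode(fields):
    # Constructed test helper: arbitrary field order, not the real protocol layout
    return BOM + "".join(" " + f + "\x00" for f in fields).encode("utf-16-le")


# Constructed sample payloads (hypothetical values)
SUSPICIOUS = _encode(["42", "placeholder",
                      r"\..\..\..\..\..\windows\system32\sample.vbs"])
BENIGN = _encode(["42", "placeholder", r"C:\certs\server.pem"])

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, inspect(data))
```

Opcode '42' with no traversal field does not raise an alert here, which keeps ordinary opcode 42 traffic out of the results.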