CVE-2013-6194
Published 2014-01-04
CVE-2013-6194: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors…
Priority P273, critical, 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 65.92% (99.2th percentile)
Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1905.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | storage_data_protector | — | — |
| hp | storage_data_protector | — | — |
Detection & IOCs (extracted from sources)
- Monitor for inbound TCP connections to port 5555 (OmniInet.exe default port) containing packets that begin with a UTF-16 BOM (0xFF 0xFE) and include the string '42' as the opcode field; this is the trigger condition for the directory traversal exploit.
- Detect directory traversal sequences in HP Data Protector OmniInet.exe network packets: look for '\..\..\..\..\..\' patterns in the rissServerCertificate field of opcode 42 messages.
- Alert on creation of .vbs or .mof files in windows\system32\ or windows\system32\wbem\mof\ by OmniInet.exe, as the exploit uses WMI MOF execution (wbemexec trick) for payload execution.
- Packets exploiting this vulnerability use Unicode encoding (UTF-16 BOM 0xFF 0xFE) with null-byte (0x00 0x00) field terminators and space separators; use this as a network signature anchor alongside opcode '42' in the message body.
- The exploit sends an initial 64-byte random alpha-uppercase string to fingerprint the service before exploitation; detect this banner-grab pattern on port 5555 as a precursor reconnaissance indicator.
- The exploit was tested and confirmed vulnerable only against HP Data Protector 6.20 build 370 on Windows 2003 SP2 and Windows XP SP3; versions 6.21 and above are flagged as 'Detected' (not confirmed vulnerable) by the Metasploit check method.
- Payload space is limited to 2048 bytes and must be embedded into a VBS wrapper (exe-to-VBS) because binary content cannot be uploaded directly via the traversal primitive.
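
The network indicators listed above, combined into one payload classifier. This is an added example, not code from the indexed sources: the function names, the tolerance for a few framing bytes before the BOM, the two-level traversal threshold and the sample messages are assumptions, and the samples are constructed.

```python
import re

BOM = b"\xff\xfe"                                # UTF-16LE byte-order mark
TRAVERSAL = re.compile(r"(?:\\\.\.){2,}\\")      # \..\..\ or deeper (depth threshold is an assumption)
PROBE = re.compile(rb"[A-Z]{64}")                # 64-byte uppercase-alpha fingerprint string


def fields(payload, max_prefix=8):
    """Return the decoded fields of a BOM-marked message, or None if no BOM.

    max_prefix (assumption) tolerates a few framing bytes before the BOM.
    """
    start = payload.find(BOM, 0, max_prefix + len(BOM))
    if start < 0:
        return None
    text = payload[start + len(BOM):].decode("utf-16-le", errors="replace")
    # Fields end with U+0000 (0x00 0x00 on the wire) and are separated by spaces.
    return [f for f in re.split(r"[\x00 ]+", text) if f]


def classify(payload):
    """Tag one reassembled client-to-server payload seen on TCP/5555."""
    if PROBE.fullmatch(payload):
        return ["probe"]
    decoded = fields(payload)
    tags = []
    if decoded and "42" in decoded:
        tags.append("opcode-42")
        if any(TRAVERSAL.search(f) for f in decoded):
            tags.append("traversal")
    return tags


def sample(*parts):
    """Constructed test message: BOM, then NUL-terminated, space-separated fields."""
    return BOM + "".join(p + "\x00 " for p in parts).encode("utf-16-le")


if __name__ == "__main__":
    for name, data in [
        ("traversal", sample("2", "42", r"\..\..\..\..\..\example.txt")),
        ("benign op", sample("2", "42", "cert.pem")),
        ("probe", b"Q" * 64),
        ("other", b"GET / HTTP/1.1\r\n"),
    ]:
        print(f"{name:10} {classify(data)}")
```

A lone `opcode-42` or `probe` tag is a low-confidence signal; `opcode-42` together with `traversal` is the combination the indicators above describe as the exploit trigger.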
No detection rules found.
Exploit-DB
HP Data Protector - Backup Client Service Directory Traversal (Metasploit)
exploitdb·2014-01-24
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'HP Data Protector Backup Client Service Directory Traversal',
      'Description' => %q{
        This module exploits a directory traversal vulnerability in the Hewlett-Packard Data
        Protector product. The vulnerability exists at the Backup Client Service (OmniInet.exe)
        when parsing packets with opcode 42. This module has been tested successfully on HP Data
        Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.
      },
      'Author' =>
        [
          'Brian Gorenc', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2013-6194' ],
          [
```
Metasploit
HP Data Protector Backup Client Service Directory Traversal
metasploit
This module exploits a directory traversal vulnerability in the Hewlett-Packard Data Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe) and is triggered when parsing packets with opcode 42. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.
No writeups or analysis indexed.
- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03822422
- http://osvdb.org/show/osvdb/101630
- http://www.exploit-db.com/exploits/31181

Published: 2014-01-04