CVE-2016-2004
Published 2016-04-21
Priority P1 · 82 · critical 9.8 · CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 94.30% (99.8th percentile)
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | data_protector | >= 7.0 < 7.03_108 | 7.03_108 |
| hp | data_protector | >= 8.0 < 8.15 | 8.15 |
| hp | data_protector | >= 9.0 < 9.06 | 9.06 |
Detection & IOCs (extracted from sources)
- hex: 00000034320001010101010100010001000100010100203238005c7065726c2e65786500202d6573797374656d282777686f616d69272900
- bytes: 00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000
- Detect CVE-2016-2004 exploitation attempts by monitoring TCP port 5555 for the HP Data Protector encryption initialisation byte sequence starting with \x00\x00\x00\x48\xff\xfe followed by a TLS/SSL handshake upgrade on the same connection.
- After the encryption init handshake, the exploit upgrades the socket to TLS (SSLv23/ALL ciphers, no cert verification) on the same TCP port 5555 connection; a plaintext init packet immediately followed by a TLS ClientHello on port 5555 is a strong indicator of exploitation.
- The Metasploit module delivers a PowerShell-encoded payload via perl.exe -esystem(); monitor for perl.exe spawning PowerShell or cmd.exe as a child process on Data Protector agent hosts.
- The Nuclei template matches a successful exploitation response by looking for the hex pattern '00000034fffe39...6e00740020006100750074...5c00730079007300740065006d000a' (NT AUTHORITY\SYSTEM in UTF-16LE) on port 5555.
- CVE-2016-2004 is an incomplete fix for CVE-2014-2623; patching CVE-2014-2623 alone is insufficient. The specific version thresholds are 7.03_108, 8.15, and 9.06.
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
exploitdb · 2016-05-31 · CVSS 9.8 · CVE-2016-2004 [CRITICAL]
---
```ruby
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
require 'openssl'
class MetasploitModule "HP Data Protector Encrypted Communication Remote Command Execution",
'Description' => %q{
This module exploits a well known remote code execution exploit after es
```
Exploit-DB
HP Data Protector A.09.00 - Arbitrary Command Execution
exploitdb · 2016-05-26 · CVSS 9.8 · CVE-2016-2004 [CRITICAL]
---
```python
#!/usr/bin/python
#
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
# This proof of concept demonstrates that enabling encrypted control communication on
# Data Protector agents does not provide any additional security.
# As it provides no authentication, it is not a viable workaround to prevent the
# exploitation of well known Data Protector issues such as CVE-2014-2623.
#
# This exploit establishes an unauthenticated encrypted communication channel to
# a Data Protector Agent and
```
Nuclei
HP Data Protector - Arbitrary Command Execution
nuclei · CVSS 10.0 · CVE-2016-2004 [CRITICAL]
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
Template:
```yaml
id: CVE-2016-2004
info:
  name: HP Data Protector - Arbitrary Command Execution
  author: pussycat0x
  severity: critical
  description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrar
```
Metasploit
HP Data Protector Encrypted Communication Remote Command Execution
metasploit · CVE-2016-2004
This module exploits a well known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2.
References
- http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html
- http://packetstormsecurity.com/files/137341/HP-Data-Protector-Encrypted-Communication-Remote-Command-Execution.html
- http://www.kb.cert.org/vuls/id/267328
- http://www.securitytracker.com/id/1035631
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988
- https://www.exploit-db.com/exploits/39858/
- https://www.exploit-db.com/exploits/39874/