Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2013-2022 Tenable Network Security, Inc.HP_DATA_PROTECTOR_HPSBMU02833.NASL
HistoryJun 10, 2013 - 12:00 a.m.

HP Data Protector Multiple RCE Vulnerabilities

2013-06-1000:00:00
This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.
www.tenable.com
44

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.953 High

EPSS

Percentile

99.4%

JSON

According to its version and build number, the remote instance of HP Data Protector is affected by multiple stack-based buffer overflow conditions in crs.exe when parsing various opcodes. A remote, unauthenticated attacker can exploit these to execute arbitrary code in the context of the SYSTEM user or have other unspecified impact.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(66849);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2013-2324",
    "CVE-2013-2325",
    "CVE-2013-2326",
    "CVE-2013-2327",
    "CVE-2013-2328",
    "CVE-2013-2329",
    "CVE-2013-2330",
    "CVE-2013-2331",
    "CVE-2013-2332",
    "CVE-2013-2333",
    "CVE-2013-2334",
    "CVE-2013-2335"
  );
  script_bugtraq_id(
    60299,
    60300,
    60301,
    60302,
    60303,
    60304,
    60306,
    60307,
    60308,
    60309,
    60310,
    60311
  );
  script_xref(name:"HP", value:"HPSBMU02883");
  script_xref(name:"HP", value:"SSRT101227");
  script_xref(name:"HP", value:"emr_na-c03781657");
  script_xref(name:"EDB-ID", value:"28973");

  script_name(english:"HP Data Protector Multiple RCE Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote backup service is affected by multiple remote code
execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version and build number, the remote instance of HP
Data Protector is affected by multiple stack-based buffer overflow
conditions in crs.exe when parsing various opcodes. A remote,
unauthenticated attacker can exploit these to execute arbitrary code
in the context of the SYSTEM user or have other unspecified impact.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-121/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-122/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-123/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-124/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-125/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-126/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-127/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-128/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-129/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-130/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-131/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-161/");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03781657
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b4edd7f1");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patches referenced in the HP advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Cell Request Service Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-13-114");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:data_protector");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:storage_data_protector");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.");

  script_dependencies("os_fingerprint.nasl", "ssh_get_info.nasl", "hp_data_protector_module_versions.nbin");
  script_require_keys("Services/data_protector/cell_server/Version");
  script_require_ports("Services/hp_openview_dataprotector", 5555);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:'hp_openview_dataprotector', default:5555, exit_on_fail:TRUE);

version = get_kb_item_or_exit("Services/data_protector/cell_server/Version");
build = get_kb_item("Services/data_protector/cell_server/Build");

internal_build = get_kb_item("Services/data_protector/build");
if(isnull(internal_build)) internal_build = 0;

# unpatched module, major release (referred to as 'MR' by the vendor)
if(isnull(build)) build = 'MR';

# We need OS-specific info in order to reliably determine whether or
# not those systems are vulnerable
hpux_ver = get_kb_item("Host/HP-UX/version");
solaris_ver = get_kb_item("Host/Solaris/Version");
rh_release = get_kb_item("Host/RedHat/release");
sles_release = get_kb_item("Host/SuSE/release");

winver = get_kb_item("SMB/WindowsVersion");
winver1 = get_kb_item("Host/OS/smb");
if(isnull(winver) && !isnull(winver1))
{
  item = eregmatch(pattern:" ([0-9.]+)$", string:winver1);
  if(!isnull(item) && !isnull(item[1]))
    winver = item[1];
}

if (
  (isnull(hpux_ver) || hpux_ver == '') &&
  (isnull(solaris_ver) || solaris_ver == '') &&
  (isnull(rh_release) || rh_release == '') &&
  (isnull(sles_release) || sles_release == '') &&
  (isnull(winver) || winver == '')
) exit(1, "Unable to determine the operating system version running the HP Data Protector service listening on port "+port+".");

vulnerable = FALSE;

# Ignore anything that looks like DP for Unix since it's not mentioned in the
# advisory
if ('SSPUX' >< build)
  vulnerable = FALSE;

else if ((version == "A.06.20" || version == "A.06.21") && internal_build < 408)
{
 # unpatched version == build number (only HP-UX, Solaris, Windows,
 # and RHEL affected)
 if (
   (
   (hpux_ver && (hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver =="11.31")) ||
   (solaris_ver && (solaris_ver == "5.8" || solaris_ver == "5.9" || solaris_ver == "5.10")) ||
   (rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
   (winver && (winver == '5.2' || winver == '6.0'))
   ) && build == 'MR'
 )
 {
   vulnerable = TRUE;
 }

 # HP-UX security patch (fixed in PHSS_43422)
 else if (
   hpux_ver &&
   (hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver == "11.31") &&
   match = eregmatch(pattern:"PHSS_[0]*([1-9][0-9]*)", string:build)
 )
 {
  build_num = int(match[1]);
  if (build_num < 43422)
    vulnerable = TRUE;
 }
 # linux security patch (fixed in DPLNX_00243)
 else if (
   (
     (rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
     (sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release))
   ) &&
   match = eregmatch(pattern:"DPLNX_[0]*([1-9][0-9]*)", string:build)
 )
 {
  build_num = int(match[1]);
  if (build_num < 243)
    vulnerable = TRUE;
 }
 # solaris security patch (fixed in DPSOL_00510)
 else if (
   solaris_ver &&
   (solaris_ver == "5.8" || solaris_ver == "5.9" || solaris_ver == "5.10") &&
   match = eregmatch(pattern:"DPSOL_[0]*([1-9][0-9]*)", string:build))
 {
  build_num = int(match[1]);
  if (build_num < 510)
    vulnerable = TRUE;
 }
 # windows security patch (fixed in DPWIN_00632)
 else if (
   winver &&
   (winver == '5.2' || winver == '6.0') &&
   match = eregmatch(pattern:"DPWIN_[0]*([1-9][0-9]*)", string:build)
 )
 {
   build_num = int(match[1]);
   if (build_num < 632)
     vulnerable = TRUE;
 }
}
else if ((version == "A.07.00" || version == "A.07.01") && internal_build < 103)
{
 # unpatched version == build number (only HP-UX, SLES, Windows,
 # and RHEL affected)
 if (
   (
   (hpux_ver && (hpux_ver == "11.11" || hpux_ver == "11.23") || hpux_ver =="11.31") ||
   (sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release)) ||
   (rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
   (winver && (winver == '5.2' || winver == '6.0'))
   ) && build == 'MR'
 )
 {
   vulnerable = TRUE;
 }

 # linux security patch (fixed in DPLNX_00235)
 else if (
   (
     (rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
     (sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release))
   ) &&
   match = eregmatch(pattern:"DPLNX_[0]*([1-9][0-9]*)", string:build)
 )
 {
  build_num = int(match[1]);
  if (build_num < 235)
    vulnerable = TRUE;
 }
 # HP-UX security patch (fixed in PHSS_43315)
 else if (
   hpux_ver &&
   (hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver == "11.31") &&
   match = eregmatch(pattern:"PHSS_[0]*([1-9][0-9]*)", string:build)
 )
 {
  build_num = int(match[1]);
  if (build_num < 43315)
    vulnerable = TRUE;
 }
 # Windows security patch (fixed in DPWIN_00624)
 else if (
   winver &&
   (winver == '5.2' || winver == '6.0') &&
   match = eregmatch(pattern:"DPWIN_[0]*([1-9][0-9]*)", string:build)
 )
 {
   build_num = int(match[1]);
   if (build_num < 624)
     vulnerable = TRUE;
 }
}

if (vulnerable)
{
  if (report_verbosity > 0)
  {
    report = '\n  Cell server version : '+version+
             '\n  Cell server build   : '+build+
             '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else
{
  audit(AUDIT_LISTEN_NOT_VULN, "HP Data Protector Cell Server", port, version + "(build " + build + ")");
}
VendorProductVersionCPE
hpdata_protectorcpe:/a:hp:data_protector
hpstorage_data_protectorcpe:/a:hp:storage_data_protector

References

Related

securityvulns 2
zdi 12
cve 12
checkpoint_advisories 12
saint 8
prion 12
nvd 12
cvelist 12
packetstorm 1
zdt 1
securityvulns
securityvulns
[security bulletin] HPSBMU02883 SSRT101227 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service &#40;DoS&#41;, Execution of Arbitrary Code
2013-06-05 00:00:00
HP Data Protector multiple security vulnerabilities
2013-06-05 00:00:00
zdi
zdi
Hewlett-Packard Data Protector Cell Manager crs.exe Opcode 260 Remote Code Execution Vulnerability
2013-06-11 00:00:00
Hewlett-Packard Data Protector Cell Manager crs.exe Multiple Opcodes Remote Code Execution Vulnerability
2013-06-11 00:00:00
Hewlett-Packard Data Protector Cell Manager crs.exe Opcode 211 Remote Code Execution Vulnerability
2013-06-11 00:00:00
cve
cve
CVE-2013-2329
2022-10-03 16:15:01
CVE-2013-2332
2022-10-03 16:14:59
CVE-2013-2331
2022-10-03 16:15:00
checkpoint_advisories
checkpoint_advisories
HP Data Protector CRS Opcode 259 Stack Buffer Overflow (CVE-2013-2329)
2013-07-14 00:00:00
HP Data Protector CRS Opcode 235 Stack Buffer Overflow (CVE-2013-2325)
2013-09-29 00:00:00
HP Data Protector CRS Opcode 260 Stack Buffer Overflow (CVE-2013-2332)
2013-10-27 00:00:00
saint
saint
HP Data Protector opcode 259 buffer overflow
2013-07-09 00:00:00
HP Data Protector CRS Opcode 211 Stack Buffer Overflow
2013-07-24 00:00:00
HP Data Protector opcode 259 buffer overflow
2013-07-09 00:00:00
prion
prion
Code injection
2013-06-06 13:02:00
Code injection
2013-06-06 13:02:00
Code injection
2013-06-06 13:02:00
nvd
nvd
CVE-2013-2329
2013-06-06 13:02:15
CVE-2013-2331
2013-06-06 13:02:15
CVE-2013-2330
2013-06-06 13:02:15
cvelist
cvelist
CVE-2013-2332
2022-10-03 16:14:59
CVE-2013-2330
2022-10-03 16:15:01
CVE-2013-2331
2022-10-03 16:15:00
packetstorm
packetstorm
HP Data Protector Cell Request Service Buffer Overflow
2013-10-14 00:00:00
zdt
zdt
HP Data Protector Cell Request Service Buffer Overflow
2013-10-15 00:00:00

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.953 High

EPSS

Percentile

99.4%

JSON
Related for HP_DATA_PROTECTOR_HPSBMU02833.NASL
securityvulns2zdi12cve12checkpoint_advisories12saint8prion12nvd12cvelist12packetstorm1zdt1