SAINT Corporation, SAINT:A845F87861B34058D3AE2C70F188E5CA
Mar 03, 2011 - 12:00 a.m.

HP Data Protector Client agent EXEC_SETUP code execution

download.saintcorporation.com

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.965 High
Percentile: 99.6%

Added: 03/03/2011
CVE: CVE-2011-0922
BID: 46234
OSVDB: 72525

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

The backup agent provided by the Data Protector Backup Client Service may be instructed to execute a setup file from an SMB share. However, the agent does not perform any validation of the setup file. An attacker may connect to the backup agent and instruct it to execute an executable of their choice.

Resolution

Upgrade as directed in HP Security Bulletin HPSBMA02654 SSRT100441 and enable encrypted control communication services.

References

<http://zerodayinitiative.com/advisories/ZDI-11-056/>
<http://secunia.com/advisories/43202/>

Limitations

This exploit works against HP Data Protector 6.11 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut).

The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

Platforms

Windows
