HP OpenView Storage Data Protector Backup Client Service GET_FILE Message Processing Overflow

2011-05-09T00:00:00
ID SAINT:11AC21721375593F227AD281E8E6C4F0
Type saint
Reporter SAINT Corporation
Modified 2011-05-09T00:00:00

Description

Added: 05/09/2011
CVE: CVE-2011-1729
BID: 47638
OSVDB: 72188

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

A remote code execution vulnerability exists in HP Data Protector Backup Client Service due to a buffer overflow in the processing of GET_FILE messages. A remote unauthenticated attacker could exploit this vulnerability by sending malformed GET_FILE message packets to the target service.

Resolution

Upgrade to Data Protector A.06.20 or newer, as indicated in HP Security Bulletin HPSBMA02668 SSRT100474.

References

<http://secunia.com/advisories/44402/>
<http://www.zerodayinitiative.com/advisories/ZDI-11-145/>

Limitations

The exploit works on HP Data Protector Backup Client Service 6.11 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut) with KB956802 (gdi32.dll version 5.2.3790.4396) and KB2393802 (ntdll.dll version 5.2.3790.4789) installed. It also works on Microsoft Windows Server 2008 SP2 English (DEP AlwaysOff).

Platforms

Windows Server 2003
Windows Server 2008