SAINT Corporation
SAINT:11AC21721375593F227AD281E8E6C4F0
May 09, 2011 - 12:00 a.m.

HP OpenView Storage Data Protector Backup Client Service GET_FILE Message Processing Overflow

2011-05-09 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.854 High
Percentile: 98.5%

Added: 05/09/2011
CVE: CVE-2011-1729
BID: 47638
OSVDB: 72188

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

A remote code execution vulnerability exists in HP Data Protector Backup Client Service due to a buffer overflow in the processing of GET_FILE messages. A remote unauthenticated attacker could exploit this vulnerability by sending malformed GET_FILE message packets to the target service.

Resolution

Upgrade to Data Protector A.06.20 or newer, as indicated in HP Security Bulletin HPSBMA02668 SSRT100474.

References

<http://secunia.com/advisories/44402/>
<http://www.zerodayinitiative.com/advisories/ZDI-11-145/>

Limitations

Exploit works on HP Data Protector Backup Client Service 6.11 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut) with KB956802 (gdi32.dll version 5.2.3790.4396) and KB2393802 (ntdll.dll version 5.2.3790.4789) installed, and on Microsoft Windows Server 2008 SP2 English (DEP AlwaysOff).

Platforms

Windows Server 2003
Windows Server 2008
