HP Data Protector Client agent EXEC_SETUP code execution

2011-03-03T00:00:00
ID SAINT:7DBA43203E74748CA1F3CAF4FC72B941
Type saint
Reporter SAINT Corporation
Modified 2011-03-03T00:00:00

Description

Added: 03/03/2011
CVE: CVE-2011-0922
BID: 46234
OSVDB: 72525

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

The backup agent provided by the Data Protector Backup Client Service may be instructed to execute a setup file from an SMB share. However, the agent does not perform any validation of the setup file, so an attacker may connect to the backup agent and instruct it to execute an executable of their choice.

Resolution

Upgrade as directed in HP Security Bulletin HPSBMA02654 SSRT100441 and enable encrypted control communication services.

References

<http://zerodayinitiative.com/advisories/ZDI-11-056/>
<http://secunia.com/advisories/43202/>

Limitations

This exploit works against HP Data Protector 6.11 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut).

The smbclient executable must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

Platforms

Windows