HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.
The backup agent provided by the Data Protector Backup Client Service may be instructed to execute a setup file from an SMB share. However, the agent does not perform any validation of the setup file. An attacker may connect to the backup agent and instruct it to execute an executable of their choice.
Upgrade as directed in HP Security Bulletin HPSBMA02654 SSRT100441 and enable encrypted control communication services.
This exploit works against HP Data Protector 6.11 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut).
smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').