HP Data Protector Backup Client Service opcode 42 directory traversal

2014-01-28T00:00:00
ID SAINT:ACD5EA568EDF33CDA0FC232E9C73FA96
Type saint
Reporter SAINT Corporation
Modified 2014-01-28T00:00:00

Description

Added: 01/28/2014
CVE: CVE-2013-6194
BID: 64647
OSVDB: 101630

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

A vulnerability in the Backup Client Service (OmniInet.exe) allows remote, unauthenticated attackers to write files to arbitrary locations by sending an opcode 42 request containing a directory traversal attack. This can be leveraged to execute arbitrary commands with SYSTEM privileges.

Resolution

Apply the patch referenced in HPSBMU02895 SSRT101253.

References

<http://www.zerodayinitiative.com/advisories/ZDI-14-003/>

Limitations

Exploit works on HP Data Protector 6.20 on Windows Server 2003 SP2 and Windows XP SP3.

Platforms

Windows