SAINT Corporation (SAINT:B5F335549535758E727EBAA33D3EDBC0)
Jun 07, 2011 - 12:00 a.m.

HP Data Protector Client EXEC_CMD Command Execution

download.saintcorporation.com

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.972 High
Percentile: 99.8%

Added: 06/07/2011
CVE: CVE-2011-0923
BID: 46234
OSVDB: 72526

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

The HP Data Protector Client is vulnerable to remote code execution as a result of insufficient input validation of arguments passed to the **EXEC_CMD** command.

Resolution

Upgrade as indicated in HP Security Bulletin HPSBMA02654 SSRT100441 and enable encrypted control communication services.

References

<http://secunia.com/advisories/43202/>
<http://www.zerodayinitiative.com/advisories/ZDI-11-055/>

Limitations

Exploit works on HP Data Protector Backup Client Service 6.11.

The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

The option **OB2INETSCRIPTEXECFULLPATH** must be specified as 1 in the configuration file **omnirc**.

Platforms

Windows
