HP Data Protector Client EXEC_CMD Command Execution

Added: 06/07/2011
CVE: CVE-2011-0923
BID: 46234
OSVDB: 72526

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

The HP Data Protector Client is vulnerable to remote code execution as a result of insufficient input validation of arguments passed to the EXEC_CMD command.

Resolution

Upgrade as indicated in HP Security Bulletin HPSBMA02654 SSRT100441 and enable encrypted control communication services.

References

http://secunia.com/advisories/43202/
http://www.zerodayinitiative.com/advisories/ZDI-11-055/

Limitations

Exploit works on HP Data Protector Backup Client Service 6.11.

The smbclient executable must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

The option OB2INETSCRIPTEXECFULLPATH must be specified as 1 in the configuration file omnirc.

Platforms

Windows
