Tag Archives: HP

HP Data Protector Multiple Vulnerabilities

This exploit abuses a vulnerability in the HP Data Protector service. The flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, which allows arbitrary remote code execution in the context of root.

HP Data Protector 6.1 EXEC_CMD Remote Code Execution – [CVE: 2011-0923]

HP Data Protector Media Operations versions 6.20 and below suffer from a heap corruption vulnerability.

HP Data Protector Media Operations versions 6.20 and below suffer from a directory traversal vulnerability. Proof of concept included.

HP Data Protector Remote Root Shell for Linux

HP Data Protector Client EXEC_CMD Remote Code Execution
A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dpwintdb.exe process, which listens by default on TCP port 3817. When parsing data within a DtbClsAddObject request, the process copies data from the network into a fixed-length buffer on the stack via an unchecked loop. Attackers can leverage this to execute arbitrary code in the context of the SYSTEM user.

HP Data Protector Create New Folder Buffer Overflow
This Metasploit module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs during the creation of new folders, where the folder name is handled in an insecure way by the dpwindtb.dll component. Although the overflow occurs on the stack, the folder name is split into fragments by this insecure copy, so the module uses egg hunting to search for an uncorrupted copy of the payload in the heap. In addition, the overflowed buffer is stored in a frame protected by stack cookies, so an SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. Successful exploitation leads to code execution with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.