CVE-2009-0714 - Privilege Escalation vulnerability in HP Data Protector Express 3.5/4.0

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, low complexity, microsoft, novell, redhat, suse, hp, nessus, exploit available

Summary

Unspecified vulnerability in the dpwinsup module (dpwinsup.dll) for dpwingad (dpwingad.exe) in HP Data Protector Express and Express SSE 3.x before build 47065, and Express and Express SSE 4.x before build 46537, allows remote attackers to cause a denial of service (application crash) or read portions of memory via one or more crafted packets.

Vulnerable Configurations

Part         Description  Count
OS           Microsoft    1
OS           Novell       1
OS           Redhat       1
OS           Suse         1
Application  Hp           5

Exploit-Db

  • description: HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos (meta). CVE-2009-0714. Dos exploit for windows platform
    file: exploits/windows/dos/9007.rb
    id: EDB-ID:9007
    last seen: 2016-02-01
    modified: 2009-06-23
    platform: windows
    port:
    published: 2009-06-23
    reporter: Nibin
    source: https://www.exploit-db.com/download/9007/
    title: HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos meta
    type: dos
  • description: HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit. CVE-2009-0714. Dos exploit for windows platform
    file: exploits/windows/dos/9006.py
    id: EDB-ID:9006
    last seen: 2016-02-01
    modified: 2009-06-23
    platform: windows
    port:
    published: 2009-06-23
    reporter: Nibin
    source: https://www.exploit-db.com/download/9006/
    title: HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos Exploit
    type: dos

Nessus

NASL family: Windows
NASL id: HP_DATA_PROTECTOR_EXP_PRIV_ESCALATION.NASL
description: HP Data Protector Express is installed on the remote host. The installed version of the software is affected by an unspecified local privilege escalation vulnerability. A local attacker could exploit this vulnerability to trigger a denial of service condition or execute arbitrary code with system level privileges. According to reports, this flaw could also be triggered remotely by exploiting a memory leak vulnerability; see references for more information.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38792
published: 2009-05-15
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38792
title: HP Data Protector Express Crafted Traffic Remote Memory Disclosure
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(38792);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:27");
  
  script_cve_id("CVE-2009-0714");
  script_bugtraq_id(34955);
  script_xref(name:"EDB-ID", value:"9006");
  script_xref(name:"EDB-ID", value:"9007");
  script_xref(name:"Secunia", value:"35084");

  script_name(english:"HP Data Protector Express Crafted Traffic Remote Memory Disclosure");
  script_summary(english:"Checks version of dpwinsdr.exe");
 
  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Windows host contains an application that is affected by a
local privilege escalation vulnerability."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"HP Data Protector Express is installed on the remote host.  The
installed version of the software is affected by an unspecified local
privilege escalation vulnerability.  A local attacker could exploit
this vulnerability to trigger a denial of service condition or execute
arbitrary code with system level privileges. According to reports,
this flaw could also be triggered remotely by exploiting a memory 
leak vulnerability, see references for more information."
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://ivizsecurity.com/security-advisory-iviz-sr-09002.html"
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01697543
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.nessus.org/u?bbd5cf40"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://www.securityfocus.com/archive/1/503482"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to HP Data Protector Express Single Server Edition version
3.5 SP2 build 47065 / 4.0 SP1 build 46537 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value: "2009/05/15");
  script_set_attribute(attribute:"patch_publication_date", value: "2009/05/13");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:storage_data_protector");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("hp_data_protector_exp_installed.nasl");
  script_require_keys("SMB/HP Data Protector Express/Path", "SMB/HP Data Protector Express/Version", "SMB/HP Data Protector Express/Build");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

path = get_kb_item_or_exit('SMB/HP Data Protector Express/Path');
version = get_kb_item_or_exit('SMB/HP Data Protector Express/Version');
# The build number is stored in the KB as a string; convert it so the
# comparisons against the fixed builds below are numeric, not lexical.
build = int(get_kb_item_or_exit('SMB/HP Data Protector Express/Build'));

# Split "major.minor" into integer components (drop the '.' separators).
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

# Fixed builds per HPSBMA02417: 3.50 build 47065 and 4.0 build 46537.
fix = NULL;
if ((ver[0] == 3 && ver[1] < 50) ||
    (ver[0] == 3 && ver[1] == 50 && build < 47065)) fix = '3.50 build 47065';
else if (ver[0] == 4 && ver[1] == 0 && build < 46537) fix = '4.0 build 46537';

if (fix)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version + ' build ' + build +
      '\n  Fixed version     : ' + fix + '\n';
    # Pass the report text, otherwise the verbose output is never shown.
    security_warning(port:get_kb_item('SMB/transport'), extra:report);
  }
  else security_warning(port:get_kb_item('SMB/transport'));
  exit(0);
}
else exit(0, 'The HP Data Protector Express '+version+' Build '+build+' install in '+path+' is not affected.');

Packetstorm

data source: https://packetstormsecurity.com/files/download/78610/hpdp2-dos.txt
id: PACKETSTORM:78610
last seen: 2016-12-05
published: 2009-06-24
reporter: Nibin
source: https://packetstormsecurity.com/files/78610/HP-Data-Protector-4.00-sp1-43064-Denial-Of-Service.html
title: HP Data Protector 4.00-sp1 43064 Denial Of Service

Seebug

  • bulletinFamily: exploit
    description: BUGTRAQ ID: 34955. CVE(CAN) ID: CVE-2009-0714.
    HP Data Protector provides automated, high-performance backup and recovery, supporting backup and recovery via disk and tape.
    HP Data Protector uses a proprietary protocol to communicate with remote clients. If a remote client sends specially crafted packets to the dpwinsup.dll module of the Data Protector backup domain server, arbitrary memory may be disclosed and the dpwingad process listening on port 3817/TCP may crash.

    ; Buggy code @dpwinsup module of dpwingad process
    ; running at 3817/TCP port
    ; dpwinsup.10275F80
    100DDE89 8B15 54A72210     MOV EDX,DWORD PTR DS:[1022A754]
    100DDE8F 8B82 98650000     MOV EAX,DWORD PTR DS:[EDX+6598]
    ; ECX = user controlled data
    100DDE95 8B4C24 54         MOV ECX,DWORD PTR SS:[ESP+54]
    ; EDX = if invalid/valid offset
    100DDE99 8D1481            LEA EDX,DWORD PTR DS:[ECX+EAX*4]
    ; Crash/Memory Leak
    100DDE9C 8B3495 F0A42210   MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0]
    100DDEA3 83C4 1C           ADD ESP,1C
    100DDEA6 897424 10         MOV DWORD PTR SS:[ESP+10],ESI

    Affected: HP Data Protector Express SSE 4.x, HP Data Protector Express SSE 3.x, HP Data Protector Express 4.x, HP Data Protector Express 3.x
    Vendor patch: HP -- HP has released a security bulletin (HPSBMA02417) and a corresponding patch for this issue:
    HPSBMA02417: SSRT090031 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
    Link: http://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.DEO%5f5w..T.HP34.1soQ.bW89MQ%5f%5fDCPWFQR0
    id: SSV:11691
    last seen: 2017-11-19
    modified: 2009-06-24
    published: 2009-06-24
    reporter: Root
    title: HP Data Protector dpwinsup.dll memory leak vulnerability
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:11689
    last seen: 2017-11-19
    modified: 2009-06-24
    published: 2009-06-24
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-11689
    title: HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos (meta)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:66661
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-66661
    title: HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos (meta)