CVE-2012-0124 - Unspecified vulnerability in HP Data Protector Express 5.0/6.0

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors.

Vulnerable Configurations

Part: Application
Description: HP
Count: 2

Exploit-Db

description: HP Data Protector Create New Folder Buffer Overflow. CVE-2012-0124. Remote exploit for windows platform
id: EDB-ID:19484
last seen: 2016-02-02
modified: 2012-07-01
published: 2012-07-01
reporter: metasploit
source: https://www.exploit-db.com/download/19484/
title: HP Data Protector Create New Folder Buffer Overflow

Metasploit

description: This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in an insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the folder name is split in fragments in this insecure copy. Because of this, this module uses egg hunting to search for a non-corrupted copy of the payload in the heap. On the other hand, the overflowed buffer is stored in a frame protected by stack cookies; because of this, SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. Successful exploitation will lead to code execution with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.
id: MSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_NEW_FOLDER
last seen: 2020-06-11
modified: 2020-02-18
published: 2012-06-29
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_dataprotector_new_folder.rb
title: HP Data Protector Create New Folder Buffer Overflow

Nessus

NASL family: Windows
NASL id: HP_DATA_PROTECTOR_EXP_HPSBMU02746.NASL
description: The version of HP Data Protector Express installed on the remote Windows host is 5.x earlier than 5.0.0 build 59287 or 6.x earlier than 6.0.0 build 11974. As such, it is potentially affected by multiple unspecified denial of service and code execution vulnerabilities.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 58399
published: 2012-03-20
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58399
title: HP Data Protector Express 5.x < 5.0.0 Build 59287 / 6.x < 6.0.0 Build 11974 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(58399);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/12 19:01:17");

  script_cve_id(
    "CVE-2012-0121", 
    "CVE-2012-0122", 
    "CVE-2012-0123", 
    "CVE-2012-0124"
  );
  script_bugtraq_id(52431);
  script_xref(name:"EDB-ID", value:"19484");

  script_name(english:"HP Data Protector Express 5.x < 5.0.0 Build 59287 / 6.x < 6.0.0 Build 11974 Multiple Vulnerabilities");
  script_summary(english:"Checks version of HP Data Protector Express");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a backup application that is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of HP Data Protector Express installed on the remote
Windows host is 5.x earlier than 5.0.0 build 59287 or 6.x earlier than
6.0.0 build 11974.  As such, it is potentially affected by multiple
unspecified denial of service and code execution vulnerabilities.");
  
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03229235
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?94781a20");
  script_set_attribute(attribute:"solution", value:
"Upgrade to HP Data Protector Express 5.0.0 build 59287 / 6.0.0 build
11974 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Create New Folder Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/03/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:data_protector_express");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
  
  script_dependencies("hp_data_protector_exp_installed.nasl");
  script_require_keys("SMB/HP Data Protector Express/Path", "SMB/HP Data Protector Express/Version", "SMB/HP Data Protector Express/Build");
  
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

path = get_kb_item_or_exit('SMB/HP Data Protector Express/Path');
version = get_kb_item_or_exit('SMB/HP Data Protector Express/Version');
build = get_kb_item_or_exit('SMB/HP Data Protector Express/Build');

ver = split(version, sep:'.');
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

fix = NULL;
if (ver[0] == 5 && ver[1] == 0 && ver[2] == 0 && ver_compare(ver:build, fix:'59287') == -1)
  fix = '5.0.0 build 59287';
else if (ver[0] == 6 && ver[1] == 0 && ver[2] == 0 && ver_compare(ver:build, fix:'11974') == -1)
  fix = '6.0.0 build 11974';

if (fix)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version + ' build ' + build +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
  exit(0);
}
else exit(0, 'The HP Data Protector Express '+version+' build '+build+' install in '+path+' is not affected.');

Packetstorm

data source: https://packetstormsecurity.com/files/download/114411/hp_dataprotector_new_folder.rb.txt
id: PACKETSTORM:114411
last seen: 2016-12-05
published: 2012-07-02
reporter: sinn3r
source: https://packetstormsecurity.com/files/114411/HP-Data-Protector-Create-New-Folder-Buffer-Overflow.html
title: HP Data Protector Create New Folder Buffer Overflow