Vulnerabilities > CVE-2013-2335 - Remote Code Execution vulnerability in HP Data Protector

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
hp
critical
nessus

Summary

Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1733.

Nessus

NASL family: Misc.
NASL id: HP_DATA_PROTECTOR_HPSBMU02833.NASL
description: According to its version and build number, the remote instance of HP Data Protector is affected by multiple stack-based buffer overflow conditions in crs.exe when parsing various opcodes. A remote, unauthenticated attacker can exploit these to execute arbitrary code in the context of the SYSTEM user or have other unspecified impact.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 66849
published: 2013-06-10
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/66849
title: HP Data Protector Multiple RCE Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When the engine loads the script with `description`
# set, only the metadata below is declared and the script exits; the
# detection logic that follows this block never runs in that mode.
if (description)
{
  script_id(66849);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  # Twelve CVEs from the same HP advisory, all covered by one version check.
  script_cve_id(
    "CVE-2013-2324",
    "CVE-2013-2325",
    "CVE-2013-2326",
    "CVE-2013-2327",
    "CVE-2013-2328",
    "CVE-2013-2329",
    "CVE-2013-2330",
    "CVE-2013-2331",
    "CVE-2013-2332",
    "CVE-2013-2333",
    "CVE-2013-2334",
    "CVE-2013-2335"
  );
  script_bugtraq_id(
    60299,
    60300,
    60301,
    60302,
    60303,
    60304,
    60306,
    60307,
    60308,
    60309,
    60310,
    60311
  );
  script_xref(name:"HP", value:"HPSBMU02883");
  script_xref(name:"HP", value:"SSRT101227");
  script_xref(name:"HP", value:"emr_na-c03781657");
  script_xref(name:"EDB-ID", value:"28973");

  script_name(english:"HP Data Protector Multiple RCE Vulnerabilities");
  # Version/build comparison only: the plugin never sends malformed opcodes
  # to the service (see ACT_GATHER_INFO below), so a finding means "the
  # reported build predates the fix", not "the overflow was triggered".
  script_summary(english:"Does a banner check.");

  script_set_attribute(attribute:"synopsis", value:
"The remote backup service is affected by multiple remote code
execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version and build number, the remote instance of HP
Data Protector is affected by multiple stack-based buffer overflow
conditions in crs.exe when parsing various opcodes. A remote,
unauthenticated attacker can exploit these to execute arbitrary code
in the context of the SYSTEM user or have other unspecified impact.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-121/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-122/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-123/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-124/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-125/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-126/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-127/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-128/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-129/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-130/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-131/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-161/");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03781657
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b4edd7f1");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patches referenced in the HP advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  # Public exploit modules are recorded for these issues; unpatched hosts
  # reported by this plugin should be prioritised accordingly.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-13-114");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Cell Request Service Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:data_protector");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:storage_data_protector");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # The fix level differs per platform, so the OS fingerprint plugins must
  # run first; the cell server version KB entry is mandatory, the build id
  # is read later and defaults to an unpatched release when absent.
  script_dependencies("os_fingerprint.nasl", "ssh_get_info.nasl", "hp_data_protector_module_versions.nbin");
  script_require_keys("Services/data_protector/cell_server/Version");
  script_require_ports("Services/hp_openview_dataprotector", 5555);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Port of the detected cell server (5555 by default); stop if it is absent.
port = get_service(svc:'hp_openview_dataprotector', default:5555, exit_on_fail:TRUE);

# Version and patch/build id recorded by the detection plugin. A missing
# build id is treated as the unpatched major release, which the vendor
# labels 'MR'.
version = get_kb_item_or_exit("Services/data_protector/cell_server/Version");
build = get_kb_item("Services/data_protector/cell_server/Build");
if (isnull(build)) build = 'MR';

# Internal build counter; treated as 0 when the KB has no value.
internal_build = get_kb_item("Services/data_protector/build");
if (isnull(internal_build)) internal_build = 0;

# The fix level is platform specific, so gather whatever OS version
# information earlier plugins left in the KB.
hpux_ver = get_kb_item("Host/HP-UX/version");
solaris_ver = get_kb_item("Host/Solaris/Version");
rh_release = get_kb_item("Host/RedHat/release");
sles_release = get_kb_item("Host/SuSE/release");

winver = get_kb_item("SMB/WindowsVersion");
if (isnull(winver))
{
  # Fall back to the trailing dotted number of the SMB OS fingerprint.
  smb_os = get_kb_item("Host/OS/smb");
  if (!isnull(smb_os))
  {
    m = eregmatch(pattern:" ([0-9.]+)$", string:smb_os);
    if (!isnull(m) && !isnull(m[1])) winver = m[1];
  }
}

# Without at least one usable OS version the build id cannot be mapped to a
# fix level; report the gap instead of guessing.
os_known =
  (!isnull(hpux_ver) && hpux_ver != '') ||
  (!isnull(solaris_ver) && solaris_ver != '') ||
  (!isnull(rh_release) && rh_release != '') ||
  (!isnull(sles_release) && sles_release != '') ||
  (!isnull(winver) && winver != '');
if (!os_known)
  exit(1, "Unable to determine the operating system version running the HP Data Protector service listening on port "+port+".");

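vulnerable = FALSE;

# Returns the numeric part of a vendor patch id of the given family found in
# the cell server build string (e.g. "DPWIN_00632" -> 632), or NULL when the
# build string carries no patch of that family (an unpatched 'MR' build, a
# patch for another platform, ...).
function patch_level(prefix)
{
  local_var m;
  m = eregmatch(pattern:prefix + "_[0]*([1-9][0-9]*)", string:build);
  if (isnull(m)) return NULL;
  return int(m[1]);
}

# Platforms named in the advisory, evaluated once. Any other OS release is
# never flagged, so an unexpected OS string yields "not vulnerable" rather
# than a finding.
on_hpux    = hpux_ver && (hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver == "11.31");
on_solaris = solaris_ver && (solaris_ver == "5.8" || solaris_ver == "5.9" || solaris_ver == "5.10");
on_rhel    = rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release);
on_sles    = sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release);
on_windows = winver && (winver == '5.2' || winver == '6.0');

# Patch level per family; NULL when that family is absent from the build id.
phss  = patch_level(prefix:"PHSS");
dplnx = patch_level(prefix:"DPLNX");
dpsol = patch_level(prefix:"DPSOL");
dpwin = patch_level(prefix:"DPWIN");

# Ignore anything that looks like DP for Unix since it's not mentioned in the
# advisory
if ('SSPUX' >< build)
  vulnerable = FALSE;

# 6.20 / 6.21: affected below internal build 408
else if ((version == "A.06.20" || version == "A.06.21") && internal_build < 408)
{
  # unpatched major release (only HP-UX, Solaris, Windows and RHEL affected)
  if (build == 'MR' && (on_hpux || on_solaris || on_rhel || on_windows))
  {
    vulnerable = TRUE;
  }
  # HP-UX security patch (fixed in PHSS_43422)
  else if (on_hpux && !isnull(phss))
  {
    if (phss < 43422) vulnerable = TRUE;
  }
  # linux security patch (fixed in DPLNX_00243)
  else if ((on_rhel || on_sles) && !isnull(dplnx))
  {
    if (dplnx < 243) vulnerable = TRUE;
  }
  # solaris security patch (fixed in DPSOL_00510)
  else if (on_solaris && !isnull(dpsol))
  {
    if (dpsol < 510) vulnerable = TRUE;
  }
  # windows security patch (fixed in DPWIN_00632)
  else if (on_windows && !isnull(dpwin))
  {
    if (dpwin < 632) vulnerable = TRUE;
  }
}

# 7.00 / 7.01: affected below internal build 103
else if ((version == "A.07.00" || version == "A.07.01") && internal_build < 103)
{
  # unpatched major release (only HP-UX, SLES, Windows and RHEL affected).
  # The HP-UX test now uses the same release list as the 6.2x branch; the
  # previous revision mis-parenthesised the 11.31 comparison.
  if (build == 'MR' && (on_hpux || on_sles || on_rhel || on_windows))
  {
    vulnerable = TRUE;
  }
  # linux security patch (fixed in DPLNX_00235)
  else if ((on_rhel || on_sles) && !isnull(dplnx))
  {
    if (dplnx < 235) vulnerable = TRUE;
  }
  # HP-UX security patch (fixed in PHSS_43315)
  else if (on_hpux && !isnull(phss))
  {
    if (phss < 43315) vulnerable = TRUE;
  }
  # Windows security patch (fixed in DPWIN_00624)
  else if (on_windows && !isnull(dpwin))
  {
    if (dpwin < 624) vulnerable = TRUE;
  }
}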

# Report the finding (with version/build details when verbose reporting is
# on), or record the service as not affected.
if (vulnerable)
{
  extra = NULL;
  if (report_verbosity > 0)
    extra = '\n  Cell server version : ' + version +
            '\n  Cell server build   : ' + build +
            '\n';

  if (isnull(extra)) security_hole(port);
  else security_hole(port:port, extra:extra);
}
else
{
  audit(AUDIT_LISTEN_NOT_VULN, "HP Data Protector Cell Server", port, version + "(build " + build + ")");
}