TippingPoint Digital Vaccine Laboratories

ZDI Public Disclosure: HP



These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010.

ZDI-CAN-418


Title:
Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Remote Code Execution Vulnerability

Advisory:
This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packard Data Protector client. User interaction is not required to exploit this vulnerability.

The specific flaw exists within the filtering of the EXEC_CMD command. The Data Protector client only verifies file names, not their contents. By supplying malicious code within specific script files, arbitrary code execution is possible under the context of the current user.

Mitigation:
Set the client to 'secure' mode on the CRS service so that such commands can originate only from the CELL server.

ZDI-CAN-419


Title:
Hewlett-Packard Data Protector Client EXEC_CMD Perl Remote Code Execution Vulnerability

Advisory:
This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packard Data Protector client. User interaction is not required to exploit this vulnerability.

The specific flaw exists within the filtering of arguments to the EXEC_CMD command. The Data Protector client allows remote connections to execute files within its local bin directory. By supplying maliciously crafted input to the EXEC_CMD command, a remote attacker can interact with a Perl interpreter and execute arbitrary code under the context of the current user.

Mitigation:
Set the client to 'secure' mode on the CRS service so that such commands can originate only from the CELL server.

ZDI-CAN-420


Title:
Hewlett-Packard Data Protector Client EXEC_SETUP Remote Code Execution Vulnerability

Advisory:
This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packard Data Protector client. User interaction is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the EXEC_SETUP command. This command instructs a Data Protector client to download and execute a setup file. An attacker can instruct the client to access a file from a share, thus executing arbitrary code under the context of the current user.

Mitigation:
Set the client to 'secure' mode on the CRS service so that such commands can originate only from the CELL server. Additionally, because the affected clients must retrieve the malicious file from an SMB share, this vulnerability can be mitigated by ensuring that no such requests are attempted over an untrusted network. This can be done at the network level with a firewall or other similar technology.

ZDI-CAN-417


Title:
Hewlett-Packard Data Protector Cell Manager Service Authentication Bypass Vulnerability

Advisory:
This vulnerability allows an attacker to execute remote code on vulnerable installations of Hewlett-Packard Data Protector. User interaction is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Service which listens by default on a random TCP port. The crs.exe process fails to properly validate supplied username, domain, and hostname credentials. A remote attacker can leverage this flaw to execute code on all Data Protector clients.

Mitigation:
Because this vulnerability uses built-in static credentials, any network traffic associated with the username "java", domain "applet" and client "webreporting" can be blocked with a network traffic filtering device such as an IDS/IPS.
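A sketch of the matching logic behind such a filter, added here as an example and not taken from ZDI or HP: it flags a payload only when all three static values appear close together. The advisory does not describe the wire format, so the ASCII/UTF-16LE matching, the 256-byte window and the sample payloads are assumptions.

```python
import re

# Static credential triple named in the ZDI-CAN-417 mitigation text.
STATIC_CREDS = ("java", "applet", "webreporting")

def _token_pattern(token: str) -> re.Pattern:
    # Assumption: the advisory does not describe the wire encoding, so each
    # token is matched as ASCII or UTF-16LE, case-insensitively, and must not
    # run straight into another letter or digit ("javascript" is not "java").
    ascii_form = re.escape(token.encode("ascii"))
    utf16_form = re.escape(token.encode("utf-16-le"))
    return re.compile(
        b"(?<![A-Za-z0-9])(?:" + ascii_form + b"|" + utf16_form + b")(?![A-Za-z0-9])",
        re.IGNORECASE,
    )

PATTERNS = [_token_pattern(t) for t in STATIC_CREDS]

def has_static_creds(payload: bytes, window: int = 256) -> bool:
    """True if all three tokens occur within one `window`-byte span."""
    starts = sorted(m.start() for p in PATTERNS for m in p.finditer(payload))
    for start in starts:
        chunk = payload[start:start + window]
        if all(p.search(chunk) for p in PATTERNS):
            return True
    return False

# Constructed payloads: the layout is invented for this demo and is neither
# captured traffic nor the Data Protector wire format.
SAMPLES = {
    "ascii-triple": b"\x00\x00\x00\x2a" + b"java\x00applet\x00webreporting\x00",
    "utf16-triple": "java\0applet\0webreporting\0".encode("utf-16-le"),
    "partial": b"user=java host=build01 lang=en",
    "far-apart": b"java" + b"\x00" * 400 + b"applet\x00webreporting",
    "substring": b"javascript appletviewer webreporting2",
}

def scan(samples: dict) -> dict:
    """Map each sample name to True (alert) or False (pass)."""
    return {name: has_static_creds(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Requiring the full triple inside one window keeps a lone "java" string elsewhere in a stream from raising an alert.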



Published On: 2011-02-07 16:54:56
