HP Data Protector Client Command Execution Vulnerability (June 2, 2011)
HP OpenView Storage Data Protector is a backup solution that provides reliable data protection and high accessibility for fast growing business data. Data Protector offers comprehensive backup and restore functionality specifically tailored for enterprise-wide and distributed environments. The Data Protector has the folloiwng major features:
- Scalable and Highly Flexible Architecture
- Supporting Mixed Environments
- Easy Installation for Mixed Environments
- Easy Central Administration
- Easy Restore
- High Availability Support
HP Data Protector Architecture is based on the concept of a cell: a network environment that contains a Cell Manager, clients, and backup agents. The backup agents provide the Data Protector Backup Client Service which is implemented by the OmniInet process. The OmniInet process (omniinet.exe) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. The service is started when the Data Protector is installed on a system.
The backup agent supports various message types in its communication with clients. The message is made up of multiple variable length strings. Each string is terminated with a NULL character. The strings may be ASCII or Unicode encoded. The encoding is determined by an optional two byte field at offset 4 in the message. The possible values are shown below:
Value | Represents |
---|---|
0xFFFE | Unicode (UTF-16) Little Endian byte order |
0xFEFF | Unicode (UTF-16) Big Endian byte order |
none | ASCII |
A command execution vulnerability exists while HP Data Protector Client handles the above described message. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted message to the HP DataProtector Client. Successful exploitation will result in command execution with SYSTEM privileges.
SonicWALL UTM team has researched this vulnerability and created the following IPS signatures for them:
- 6612 Generic Server Application Directory Traversal 5
- 6613 Generic Server Application Directory Traversal 6
This vulnerability is referred by CVE as CVE-2011-0923.