HP Data Protector Client Command Execution Vulnerability (June 2, 2011)

By

HP OpenView Storage Data Protector is a backup solution that provides reliable data protection and high accessibility for fast growing business data. Data Protector offers comprehensive backup and restore functionality specifically tailored for enterprise-wide and distributed environments. The Data Protector has the folloiwng major features:

  • Scalable and Highly Flexible Architecture
  • Supporting Mixed Environments
  • Easy Installation for Mixed Environments
  • Easy Central Administration
  • Easy Restore
  • High Availability Support

HP Data Protector Architecture is based on the concept of a cell: a network environment that contains a Cell Manager, clients, and backup agents. The backup agents provide the Data Protector Backup Client Service which is implemented by the OmniInet process. The OmniInet process (omniinet.exe) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. The service is started when the Data Protector is installed on a system.

The backup agent supports various message types in its communication with clients. The message is made up of multiple variable length strings. Each string is terminated with a NULL character. The strings may be ASCII or Unicode encoded. The encoding is determined by an optional two byte field at offset 4 in the message. The possible values are shown below:

Value Represents
0xFFFE Unicode (UTF-16) Little Endian byte order
0xFEFF Unicode (UTF-16) Big Endian byte order
none ASCII

A command execution vulnerability exists while HP Data Protector Client handles the above described message. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted message to the HP DataProtector Client. Successful exploitation will result in command execution with SYSTEM privileges.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures for them:

  • 6612 Generic Server Application Directory Traversal 5
  • 6613 Generic Server Application Directory Traversal 6

This vulnerability is referred by CVE as CVE-2011-0923.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.