HP Data Protector Information Disclosure (Nov 23, 2011)


HP Data Protector Media Operations facilitates tracking and management of storage media, as well as data recovery. It tracks online and offline media such as magnetic tapes. HP Data Protector Media Operations includes an administration GUI which can be installed on multiple hosts allowing several administrators to manage Media Operations.

The communication protocol utilized by the server and its clients is proprietary and not publicly documented. The default communication port for the server is TCP 19813. Messages to the server have have the following structure:

 Offset	Size(bytes)	Description ------- --------------- ---------------------------------------- 0x0000	1 		Opcode 0x0001	3		unknown 0x0004	4		record size (x) 0x0008	4		unknown 0x000C	x		record data 

All multi-byte values are represented in big endian byte order. Several records are usually transferred together in a single packet. Sub records are contained in the record data field of a record structure. Records having an Opcode of 0x03, and a size value greater than four, have the following sub record structure:

 Offset	Size(bytes)	Description ------- --------------- -------------------------------- 0x0000	4		Opcode 0x0001	1		record size (y) 0x0004	y		filename 

Sub records of the above form are possible file requests, which cause the server to return the contents of the file specified in the filename field. The file path resolves relative to the base directory of the server. This base directory is configurable upon product installation. If the record size of a 0x03 record is of a certain specific value, the request is interpreted as a directory listing request, and the contents of the base directory are returned to the client.

An information disclosure vulnerability exists in HP Data Protector, when handling file requests. The process retrieves the filename and appends it to the base directory without any sanitization. As such, directory traversal sequences can be used to traverse to any file on the filesystem. Consequently, the contents of any file will be returned to the client that initiated the file request. A remote, unauthenticated attacker could exploit this vulnerability to obtain confidential information that could be later utilized to compromise other resources.

SonicWALL has released a generic IPS signature to address this issue. The following signature was released:

  • 7175 – HP Data Protector Media Operations Directory Traversal Attempt.
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.