HP Data Protector Information Disclosure

November 23, 2011

HP Data Protector Media Operations facilitates tracking and management of storage media, as well as data recovery. It tracks online and offline media such as magnetic tapes. HP Data Protector Media Operations includes an administration GUI which can be installed on multiple hosts allowing several administrators to manage Media Operations.

The communication protocol utilized by the server and its clients is proprietary and not publicly documented. The default communication port for the server is TCP 19813. Messages to the server have the following structure:

 Offset   Size (bytes)   Description
 ------   ------------   ----------------------------------------
 0x0000   1              Opcode
 0x0001   3              unknown
 0x0004   4              record size (x)
 0x0008   4              unknown
 0x000C   x              record data

All multi-byte values are represented in big endian byte order. Several records are usually transferred together in a single packet. Sub records are contained in the record data field of a record structure. Records having an Opcode of 0x03, and a size value greater than four, have the following sub record structure:

 Offset   Size (bytes)   Description
 ------   ------------   --------------------------------
 0x0000   4              Opcode
 0x0001   1              record size (y)
 0x0004   y              filename

Sub records of the above form are possible file requests, which cause the server to return the contents of the file specified in the filename field. The file path resolves relative to the base directory of the server. This base directory is configurable upon product installation. If the record size of a 0x03 record is of a certain specific value, the request is interpreted as a directory listing request, and the contents of the base directory are returned to the client.

An information disclosure vulnerability exists in HP Data Protector when handling file requests. The process retrieves the filename and appends it to the base directory without any sanitization. As such, directory traversal sequences can be used to traverse to any file on the filesystem. Consequently, the contents of any file will be returned to the client that initiated the file request. A remote, unauthenticated attacker could exploit this vulnerability to obtain confidential information that could be later utilized to compromise other resources.

SonicWALL has released a generic IPS signature to address this issue. The following signature was released:

  • 7175 - HP Data Protector Media Operations Directory Traversal Attempt.
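
As an added illustration (not SonicWALL's signature 7175 and not HP code), the following Python sketch walks the record layout described above over a captured TCP 19813 payload and flags 0x03 records larger than four bytes whose data contains a directory traversal sequence. The function names, the zero-filled unknown fields and the sample bytes are constructed for this example, and the whole record data is searched rather than only the filename field.

```python
import struct

# Record header from the layout above: opcode (1), unknown (3),
# record size (4, big endian), unknown (4); record data follows at 0x000C.
HEADER = struct.Struct(">B3sI4s")
FILE_REQUEST_OPCODE = 0x03
TRAVERSAL_MARKERS = (b"../", b"..\\")


def scan_payload(payload):
    """Return [(record_index, reason)] for records an analyst should review."""
    findings, offset, index = [], 0, 0
    while offset < len(payload):
        start = offset + HEADER.size
        if start > len(payload):
            return findings + [(index, "truncated")]  # header cut short
        opcode, _, size, _ = HEADER.unpack_from(payload, offset)
        data = payload[start:start + size]
        if len(data) < size:
            return findings + [(index, "truncated")]  # data cut short
        if opcode == FILE_REQUEST_OPCODE and size > 4:
            # Assumption: the filename encoding is not documented on the page,
            # so NUL bytes are dropped to also match 16-bit wide characters.
            flat = data.replace(b"\x00", b"")
            if any(marker in flat for marker in TRAVERSAL_MARKERS):
                findings.append((index, "traversal"))
        offset, index = start + size, index + 1
    return findings


def build_record(opcode, data):
    """Test helper: unknown header fields are zero-filled placeholders."""
    return HEADER.pack(opcode, b"\x00" * 3, len(data), b"\x00" * 4) + data


# Constructed sample: three records; the first four data bytes of each 0x03
# record are a placeholder for the sub-record header.
SAMPLE = (
    build_record(0x01, b"hello")
    + build_record(0x03, b"\x00" * 4 + b"logs\\media.log")
    + build_record(0x03, b"\x00" * 4 + b"..\\..\\constructed.txt")
)
```

A "truncated" finding means the declared record size runs past the captured bytes, which happens when a message spans TCP segments; reassemble the stream before scanning.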