TippingPoint Zero Day Initiative

(0Day) Hewlett-Packard Virtual SAN Appliance hydra.exe Login Request Remote Code Execution Vulnerability

ZDI-11-111: March 23rd, 2011


CVSS Score

Affected Vendors

Affected Products

    Virtual SAN Appliance

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Virtual SAN appliance. Authentication is not required to exploit this vulnerability.

The flaw exists within the hydra.exe component which listens by default on port 13838. When parsing a login request the Hydra daemon will call sscanf() using fixed-length stack buffers and no length checks. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM service.

Vendor Response

Hewlett-Packard states:

March 23, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.

-- Mitigations:
This vulnerability could be mitigated by administrators by restricting communication with the hydra agent to known client IP addresses.

Disclosure Timeline

    2010-09-24 - Vulnerability reported to vendor
    2011-03-23 - Coordinated public release of advisory


This vulnerability was discovered by:
    Nicolas Gregoire of Agarri (www.agarri.fr)