SecuriTeam - Veritas Backup Exec Agent Browser Registration Request Buffer Overflow

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Backup Exec is a next generation backup and restore solution for Microsoft Windows server environments.

Remote exploitation of a stack-based buffer overflow vulnerability in Veritas Backup Exec allows attackers to execute arbitrary code.

Credit:
The information has been provided by iDEFENSE Security Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=169

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Veritas Backup Exec Agent version 9.1 for Windows

Immune Systems:
* Veritas Backup Exec Agent version 9.1.4691 Hotfix 40

CVE Information:
CAN-2004-1172 - Browser Registration Request Buffer Overflow

The vulnerability exists within the function responsible for receiving and parsing registration requests. The registration request packet contains the hostname and connecting TCP port of the client which is stored in an array on the stack. An attacker can send a registration request with an overly long hostname value to overflow the array and take control of the saved return address, thereby executing arbitrary code.

Impact
Successful exploitation does not require authentication thereby allowing any remote attacker to execute arbitrary code under the privileges of the Backup Exec Agent Browser (benetns.exe) process which is usually a domain administrative account.

Workaround
Use a firewall to restrict incoming connections to trusted workstations running the Backup Exec client software.

Vendor Status:
The vendor has released a hotfix that addresses this vulnerability.

8.60.3878 Hotfix 68 - Backup Exec (Buffer overflow creates a security hole in Agent Browser):
http://seer.support.veritas.com/docs/273422.htm

9.1.4691 Hotfix 40 - Backup Exec (Buffer overflow creates a security hole in Agent Browser; Licensed Storage Central becomes Eval when Backup Exec 9.1 is uninstalled)
http://seer.support.veritas.com/docs/273420.htm

Note: Requires Backup Exec 9.1.4691 Service Pack 1.

Disclosure Timeline:
11/02/2004 - Initial vendor contact
12/16/2004 - Initial vendor response
12/16/2004 - Public disclosure

	SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability
	Dojo Toolkit SDK Multiple DOM-Based XSS Vulnerabilities
	Microsoft Indeo Codec Memory Corruption Vulnerability
	HP DDMI Execution of Arbitrary Code
	Microsoft Windows License Logging Service Heap Corruption Vulnerability
	Microsoft Office Excel Code Execution Vulnerabilities
	Microsoft SharePoint 2007 ASP.NET Source Code Disclosure
	Microsoft Windows Local Security Authority Integer Overflow Vulnerability
	Windows Kernel Multiple Vulnerabilities
	Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability
	Microsoft IIS FTP Service Code Execution and DoS Vulnerability
	Microsoft GDI+ Multiple Vulnerabilities
	Microsoft .NET Common Language Runtime Multiple Vulnereabilities
	Microsoft Active Template Library ActiveX Controls Multiple Vulnerabilities
	ActiveX Active Template Library Initialization Vulnerability