[Full-disclosure] VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY

ad_at_class101.org
Date: 07/22/05

  • Next message: Cesar: "[Full-disclosure] [Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package"
    Date: Fri, 22 Jul 2005 23:07:19 +0200
    To: full-disclosure@lists.grok.org.uk
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Update: Contact has finally been ok, thanx secfocus, and hotfix probably
    coming soon.

    VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY

    Date: 07/2005
    Risk: Low/Medium
    Soft: NetBackup 5.1
    OS : All supported win32
    Fix : coming soon

    I. VULNERABILITY

    NETBACKUP, like its brother BEXEC, runs an NDMP server on 10000/TCP. This
    same service calls another executable when handling some particular
    requests. It is possible to produce an access violation with the help of
    this last executable by sending a 'CONFIG' message request to the NDMP
    server with a timestamp in the ndmp header that is out of range.

    enum ndmp_message_type
    {
         NDMP_REQUEST
    };
    struct ndmp_header
    {
         u_long sequence;                /* local counter that starts at 1 and
                                            increases by 1 for every message sent */
         u_long time_stamp;              /* in seconds since 00:00:00 GMT,
                                            Jan 1, 1970 */
         ndmp_message_type message_type; /* request or reply message */
         ndmp_message message;           /* tape, data, config etc. */
         u_long reply_sequence;          /* number from the request message
                                            to which the reply is associated */
         ndmp_error error;               /* verbose */
    };

    II. PROOF OF CONCEPT

    Not published; probably soon on a forum or mailing list. Otherwise, if
    you know the NDMP protocol, it is not that hard to trigger it by
    yourself.

    III. RISK

    Does not look that big at first look, but my 10$ on this: it doesn't
    smell good, unreadable data at 0x00000000. I have maybe missed a field
    to overwrite during my tests, letting us force the executable to read
    malicious code; if yes, this might be critical, because the main service
    does not crash, allowing multiple hacking attempts.

    IV. DISCOVERY

    HAT-SQUAD.com

    V. GREETINGS

    Nima,Behrang,strcpy
    To SuperList [at] class101.org :D
    To the spammer SPIKEr tom ferris ;-)))))
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2rc2 (MingW32)

    iQIVAwUBQuFgAa+LRXunxpxfAQIB8w/8CW/dFeFWL1IyTvDT92NzuMmw0cb0hGp8
    OrvtegfUU3gQd4tGYYxHUfFOy9r4FyYqYg9/+cZZP3zJcqcmVh2rBvx5ijjCKJIB
    UKAjz7PbSil5LZC+74Ybz3B4mUVxfb9tlT+Ph23YdITgYQmuxZAeglBrGX8ZkI9x
    dmQ+pmBSTaYEnByKt0AvAZJ94Fzj2KKEwQqZ596suHLYwa+RtJrUOxYFU+AReoom
    6Ht//diGnQPuzq61xDiIGrVVPasHIr89tLEQAr3EveyWY29zK9byHyFXx/yHedY0
    H0neTPStrg+DM6wNZpZjDANdKhLZo93EH9gi4h6yj9VwCbvIhkDQWTFzqltdvPBV
    WMTk6sXMdVS2OSo+D1pelQCmgdWde89XF47lR7h3dy2vMjkZnu3C59cTZDT+tMoO
    MQglVPjsK+WU+FzG/NEp30jUOq1TOa+TK8s3ny1Ea8j2uOpfme1HjD1seD1i9k1/
    M5b13zEKvil2IPa8UxKP2orBhSQ6oPSsZ2bamGAPyc8xSK65wGplwxRj9jTHpmQU
    ZOh9rQBX9bWzER4jdlKPR5t0PIqv5uOHLFJ6l/VxXi4k/9SRsobkVcbLHZHxJbQT
    hJ2KYjKELhZKRXyDHNin6GhLwrGSpqanPLE6zYSWxN54LKWcCvzmtoYcA6fG1o6/
    6T1WD0FHbn4=
    =exv+
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
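Added example (my own C code, not part of the advisory, of VERITAS NetBackup or of the NDMP project): a defensive decoder for the NDMP header that the advisory quotes in section I. The advisory's point is that a time_stamp outside the expected range reaches a helper executable unchecked; this decoder validates every header field, the timestamp included, before any of them is handed on, and never dereferences the result of gmtime() without a NULL check. Assumptions not taken from the post: the XDR wire layout (six big-endian 32-bit words, 24 bytes), the 24-hour skew window as the acceptance policy, the sample message number 0x100 (NDMP_CONFIG_GET_HOST_INFO in the NDMP specification) and the constructed clock value 1121985000.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* NDMP header on the wire: six XDR-encoded 32-bit big-endian words. */
#define NDMP_HEADER_LEN 24u
/* Accept timestamps within this window of the server clock. Policy value
 * chosen for this example, not from the NDMP spec or the advisory. */
#define NDMP_MAX_SKEW_SECONDS (24u * 3600u)

enum ndmp_message_type { NDMP_REQUEST = 0, NDMP_REPLY = 1 };

struct ndmp_header {
    uint32_t sequence;        /* counter starting at 1, +1 per message */
    uint32_t time_stamp;      /* seconds since 1970-01-01 00:00:00 GMT */
    uint32_t message_type;    /* NDMP_REQUEST or NDMP_REPLY */
    uint32_t message;         /* message number, e.g. the CONFIG family */
    uint32_t reply_sequence;  /* request sequence a reply refers to */
    uint32_t error;           /* NDMP error code */
};

enum ndmp_parse_result {
    NDMP_OK = 0,
    NDMP_ERR_SHORT,       /* fewer than 24 bytes available */
    NDMP_ERR_TYPE,        /* message_type is neither request nor reply */
    NDMP_ERR_SEQUENCE,    /* sequence is not the one expected next */
    NDMP_ERR_TIMESTAMP    /* time_stamp outside the accepted window */
};

/* XDR unsigned int: 4 bytes, big-endian. */
static uint32_t xdr_get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void xdr_put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Encode a header; returns bytes written, or 0 if the buffer is too small. */
size_t ndmp_build_header(const struct ndmp_header *h, uint8_t *buf, size_t len)
{
    if (h == NULL || buf == NULL || len < NDMP_HEADER_LEN)
        return 0;
    xdr_put_u32(buf + 0,  h->sequence);       xdr_put_u32(buf + 4,  h->time_stamp);
    xdr_put_u32(buf + 8,  h->message_type);   xdr_put_u32(buf + 12, h->message);
    xdr_put_u32(buf + 16, h->reply_sequence); xdr_put_u32(buf + 20, h->error);
    return NDMP_HEADER_LEN;
}

/* Decode and validate a header before any field reaches other code.
 * `now` is the server clock; `expected_seq` is the sequence number expected
 * next (0 disables that check). */
enum ndmp_parse_result ndmp_parse_header(const uint8_t *buf, size_t len,
                                         uint32_t now, uint32_t expected_seq,
                                         struct ndmp_header *out)
{
    if (buf == NULL || out == NULL || len < NDMP_HEADER_LEN)
        return NDMP_ERR_SHORT;
    out->sequence       = xdr_get_u32(buf + 0);
    out->time_stamp     = xdr_get_u32(buf + 4);
    out->message_type   = xdr_get_u32(buf + 8);
    out->message        = xdr_get_u32(buf + 12);
    out->reply_sequence = xdr_get_u32(buf + 16);
    out->error          = xdr_get_u32(buf + 20);

    if (out->message_type != NDMP_REQUEST && out->message_type != NDMP_REPLY)
        return NDMP_ERR_TYPE;
    if (expected_seq != 0 && out->sequence != expected_seq)
        return NDMP_ERR_SEQUENCE;
    /* Unsigned distance between the peer's clock and ours: rejects both a
     * far-past value such as 0 and a far-future value such as 0xFFFFFFFF. */
    uint32_t skew = (now > out->time_stamp) ? now - out->time_stamp
                                            : out->time_stamp - now;
    if (skew > NDMP_MAX_SKEW_SECONDS)
        return NDMP_ERR_TIMESTAMP;
    return NDMP_OK;
}

/* Render a validated timestamp for logging. gmtime() returns NULL for values
 * it cannot represent; check before use instead of dereferencing blindly. */
int ndmp_format_timestamp(uint32_t ts, char *buf, size_t len)
{
    time_t t = (time_t)ts;
    struct tm *bt = gmtime(&t);
    if (bt == NULL || buf == NULL)
        return 0;
    return strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", bt) != 0;
}

int main(void)
{
    /* Constructed sample: a CONFIG request whose timestamp is close to the
     * server clock, then the same request with an out-of-range timestamp. */
    struct ndmp_header req = { 1, 1121985005u, NDMP_REQUEST, 0x100, 0, 0 };
    struct ndmp_header parsed;
    uint8_t wire[NDMP_HEADER_LEN];
    char when[32];

    ndmp_build_header(&req, wire, sizeof wire);
    printf("good header -> %d\n", ndmp_parse_header(wire, sizeof wire, 1121985000u, 1, &parsed));
    if (ndmp_format_timestamp(parsed.time_stamp, when, sizeof when))
        printf("time_stamp  = %s\n", when);
    req.time_stamp = 0xFFFFFFFFu;
    ndmp_build_header(&req, wire, sizeof wire);
    printf("bad header  -> %d\n", ndmp_parse_header(wire, sizeof wire, 1121985000u, 1, &parsed));
    return 0;
}
```

The skew check is deliberately symmetric and computed in unsigned arithmetic so that neither a zero timestamp nor the maximum 32-bit value can wrap around it; which window is acceptable is a site decision, but the place to enforce it is before the header leaves the network-facing code, not in whatever helper process consumes it later.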

