[NT] Veritas Backup Exec Agent Browser Registration Request Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 12/19/04
- Previous message: SecuriTeam: "[EXPL] phpBB2 Information Leak due to Unserializer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Dec 2004 19:11:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Veritas Backup Exec Agent Browser Registration Request Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://veritas.com/Products/www?c=product&refId=57> Backup Exec is a
next generation backup and restore solution for Microsoft Windows server
environments.
Remote exploitation of a stack-based buffer overflow vulnerability in
Veritas Backup Exec allows attackers to execute arbitrary code.
DETAILS
Vulnerable Systems:
* Veritas Backup Exec Agent version 9.1 for Windows
Immune Systems:
* Veritas Backup Exec Agent version 9.1.4691 Hotfix 40
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1172>
CAN-2004-1172 - Browser Registration Request Buffer Overflow
The vulnerability exists within the function responsible for receiving and
parsing registration requests. The registration request packet contains
the hostname and connecting TCP port of the client which is stored in an
array on the stack. An attacker can send a registration request with an
overly long hostname value to overflow the array and take control of the
saved return address, thereby executing arbitrary code.
Impact
Successful exploitation does not require authentication thereby allowing
any remote attacker to execute arbitrary code under the privileges of the
Backup Exec Agent Browser (benetns.exe) process which is usually a domain
administrative account.
Workaround
Use a firewall to restrict incoming connections to trusted workstations
running the Backup Exec client software.
Vendor Status:
The vendor has released a hotfix that addresses this vulnerability.
8.60.3878 Hotfix 68 - Backup Exec (Buffer overflow creates a security hole
in Agent Browser):
<http://seer.support.veritas.com/docs/273422.htm>
http://seer.support.veritas.com/docs/273422.htm
9.1.4691 Hotfix 40 - Backup Exec (Buffer overflow creates a security hole
in Agent Browser; Licensed Storage Central becomes Eval when Backup Exec
9.1 is uninstalled)
<http://seer.support.veritas.com/docs/273420.htm>
http://seer.support.veritas.com/docs/273420.htm
Note: Requires Backup Exec 9.1.4691 Service Pack 1.
Disclosure Timeline:
11/02/2004 - Initial vendor contact
12/16/2004 - Initial vendor response
12/16/2004 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE Security Labs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=169>
http://www.idefense.com/application/poi/display?id=169
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] phpBB2 Information Leak due to Unserializer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] w3wp DoS
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... 1/12/2006 - Vendor requested
for additional info ... recv(conn_socket, szBuffer, 256, 0); ... (Securiteam) - [NEWS] Everybuddy Vulnerable to a DoS Attack (Long Message)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... sub Message { ...
After numerous attempts to contact the vendor (in some cases the vendor ... (Securiteam) - [NEWS] HAURI Anti-Virus Directory Traversal
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * ViRobot Advanced Server
... The vendor has released a patch for ViRobot Linux Server 2.0: ... (Securiteam) - [UNIX] Happymall E-Commerce Input Validation Flaw Lets Remote Users Execute Arbitrary Commands
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Revin Aldi reported an input
validation vulnerability in the Happymall ... The vendor reports that the 'member_html.cgi'
script is also affected. ... (Securiteam) - [UNIX] Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Remote exploitation of an integer
overflow vulnerability in various ... Vendor Response: ... (Securiteam)
