Security discussions: Discuss computer security in general
VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY

Date: 07/2005
Risk: Low/Medium
Soft: VERITAS
OS: All supported win32

I. VULNERABILITY

NETBACKUP, like its brother BEXEC, runs an NDMP server on 10000/TCP. This same service calls another executable when handling some particular requests. It is possible to produce an access violation in this second executable by sending a 'CONFIG' message request to the NDMP server with a timestamp in the ndmp_header that is out of range.

Code:
enum ndmp_message_type {
    NDMP_REQUEST
};

struct ndmp_header {
    u_long            sequence;       /* local counter that starts at 1 and increases by 1 for every message sent */
    u_long            time_stamp;     /* in seconds since 00:00:00 GMT, Jan 1, 1970 */
    ndmp_message_type message_type;   /* request or reply message */
    ndmp_message      message;        /* tape, data, config, etc. */
    u_long            reply_sequence; /* number from the request message to which the reply is associated */
    ndmp_error        error;          /* verbose */
};

II. PROOF OF CONCEPT

Not published; probably soon on a forum or mailing list. Otherwise, if you know the NDMP protocol, it is not that hard to trigger it yourself.

III. RISK

Does not look that big at first sight, but my 10$ on this is that it doesn't smell good: unreadable data at 0x00000000. I may have missed a field to overwrite during my tests that would let us force the executable to read malicious code; if so, this might be critical, because the main service does not crash, allowing multiple hacking attempts.

IV. DISCOVERY

HAT-SQUAD.com

V. GREETINGS

Nima, Behrang, strcpy
To SuperList [at] class101.org :D
To the spammer SPIKEr tom ferris ;-)))))
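As an added example (not part of the original post or of any vendor code), here is the kind of header validation a defender would put in front of an NDMP listener or in an IDS rule to flag the pattern the advisory describes: a CONFIG request whose time_stamp is outside any plausible range. It assumes the NDMP wire encoding is XDR (every header field a 4-byte big-endian unsigned integer), that NDMP_REQUEST = 0 and NDMP_REPLY = 1, and that CONFIG messages occupy the 0x1xx class (0x100 being NDMP_CONFIG_GET_HOST_INFO); the sanity window and the sample headers are constructed here, not captured traffic.

```python
import struct
import time

# NDMP headers are XDR-encoded: six 4-byte big-endian unsigned ints, 24 bytes total.
NDMP_HEADER_LEN = 24
NDMP_HEADER_FMT = ">6I"
NDMP_REQUEST = 0          # ndmp_message_type: NDMP_REQUEST = 0, NDMP_REPLY = 1 (assumed from the spec)
NDMP_NO_ERR = 0

# Assumption (from the NDMP spec, not from the post): CONFIG messages are the 0x1xx class.
CONFIG_CLASS_MIN, CONFIG_CLASS_MAX = 0x100, 0x1FF

# Assumed sanity window for time_stamp: not before 1996-01-01 UTC, not more than a week ahead of "now".
TS_MIN = 820454400
TS_SLACK = 7 * 24 * 3600

def parse_ndmp_header(buf):
    """Decode the fixed-size ndmp_header into a dict of its six fields."""
    if len(buf) < NDMP_HEADER_LEN:
        raise ValueError("short NDMP header")
    seq, ts, mtype, msg, reply_seq, err = struct.unpack(NDMP_HEADER_FMT, buf[:NDMP_HEADER_LEN])
    return {"sequence": seq, "time_stamp": ts, "message_type": mtype,
            "message": msg, "reply_sequence": reply_seq, "error": err}

def check_ndmp_header(buf, now=None):
    """Return the reasons this header should be dropped or alerted on; an empty list means it looks sane."""
    now = int(time.time()) if now is None else now
    hdr = parse_ndmp_header(buf)
    reasons = []
    if hdr["message_type"] not in (0, 1):
        reasons.append("unknown message_type")
    ts = hdr["time_stamp"]
    if ts < TS_MIN or ts > now + TS_SLACK:
        reasons.append("time_stamp out of range")
        if hdr["message_type"] == NDMP_REQUEST and CONFIG_CLASS_MIN <= hdr["message"] <= CONFIG_CLASS_MAX:
            reasons.append("CONFIG request with out-of-range time_stamp (BID 14355 pattern)")
    if hdr["message_type"] == NDMP_REQUEST and hdr["error"] != NDMP_NO_ERR:
        reasons.append("request carries a non-zero error field")
    return reasons

# Constructed sample headers (not captured traffic): a sane CONFIG_GET_HOST_INFO request
# and the same request with a timestamp no clock could have produced.
NOW = 1122000000  # fixed "now" (late July 2005) so the check is deterministic
GOOD_HDR = struct.pack(NDMP_HEADER_FMT, 1, NOW - 5, NDMP_REQUEST, 0x100, 0, 0)
BAD_HDR = struct.pack(NDMP_HEADER_FMT, 1, 0xFFFFFFFF, NDMP_REQUEST, 0x100, 0, 0)

if __name__ == "__main__":
    for name, hdr in (("good", GOOD_HDR), ("bad", BAD_HDR)):
        print(name, check_ndmp_header(hdr, now=NOW) or "ok")
```

Because the advisory notes that only the spawned child dies while the parent listener keeps accepting connections, a rule like this is also the practical way to see repeated attempts that the service itself will never log as a crash.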
nice one, I guess there is no hotfix ;]
This is gonna be nice when it releases, and if there is no hotfix yet then it is going to be even better. If you find it somewhere, please post it here for us to look at and to play around with.
Wise discovery. No chance to get a shell (or there is a chance!), but still dangerous. That's the way: don't call them until they take us seriously. 90% of the time this happens when there is no source and they think we have no idea what they did; in the open-source community you will get a good and fast response.
No chance, or maybe we aren't good enough to get a shell. During my tests, I was able to load a huge buffer into the heap but was never able to control what I'd like to.
Code:
Reference: BID 14355, http://www.securityfocus.com/bid/14355
Risk: Very Low to minimal
Affected product: Veritas NetBackup, minimal impact only
This issue does NOT affect Veritas Backup Exec

Symantec engineers have thoroughly reviewed the issue as posted to the bugtraq mailing list. Passing a CONFIG request with a malformed timestamp in the ndmpheader does result in a segment fault killing the current listening process spawned when the connection attempt is made. However, the only process affected is the child process spawned separately for each connection attempt by the underlying agent. The agent is NOT impacted and will continue to spawn processes to handle additional connection requests as they are received. Although this minor issue causes no functionality problems with the product, Symantec engineers are reviewing options to address it in future updates.

Symantec takes the security of our products seriously and adheres to responsible disclosure. Our response policy and pgp key for secure communications are available from http://www.symantec.com/security. Symantec will work responsibly with anyone who believes they have found a security issue in a Symantec product to validate the problem and coordinate any response deemed necessary. Please contact secure (at) symantec (dot) com concerning security issues with Symantec products.

Credit: Discovery is credited to .

here: Credit: Discovery is credited to Hat-Squad (class101)
Yeah, they think they are leet since they have been acquired by Symantec. For me they are just a slow big database, not much respect for their work. Look at their list bugtraq, a nice shit moderated by Mr Ahmad. I have read on the web that dude was in a Persian defacement crew in the old time, to show you the leet skill.. Your ignore has prolly something to do with your name linked to a gay defacement crew, so IHS :>