VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY - HeapOverflow Computer Security Community & Forums



arnold
22-07-05, 16:15
VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY

Date: 07/2005
Risk: Low/Medium
Soft: VERITAS
OS : All supported win32

I. VULNERABILITY

NETBACKUP, like its brother BEXEC, runs an NDMP server on 10000/TCP. This same service calls another executable
when handling some particular requests. It is possible to produce an access violation with the help of
this last executable by sending a 'CONFIG' message request to the NDMP server with a timestamp in the ndmpheader that is out of range.

/* XDR notation as used by the NDMP specification; ndmp_message and ndmp_error
   are enums defined elsewhere in the spec. */
enum ndmp_message_type
{
    NDMP_REQUEST,   /* request message */
    NDMP_REPLY      /* reply message */
};

struct ndmp_header
{
    u_long            sequence;        /* local counter that starts at 1 and increases by 1 for every message sent */
    u_long            time_stamp;      /* in seconds since 00:00:00 GMT, Jan 1, 1970 */
    ndmp_message_type message_type;    /* request or reply message */
    ndmp_message      message;         /* tape, data, config, etc. */
    u_long            reply_sequence;  /* sequence number of the request message to which the reply is associated */
    ndmp_error        error;           /* verbose */
};

II. PROOF OF CONCEPT

Not published, probably soon on a forum or mailing list; otherwise, if you know the NDMP protocol, it is not that
hard to trigger by yourself.

III. RISK

Does not look that big at first glance, but my $10 says it doesn't smell good: unreadable data at 0x00000000. I have maybe missed
a field to overwrite during my tests that would let us force the executable to read malicious code; if so, this might be critical, because the main service
does not crash, allowing multiple hacking attempts.

IV. DISCOVERY

HAT-SQUAD.com

V. GREETINGS

Nima,Behrang,strcpy
To SuperList [at] class101.org :D
To the spammer SPIKEr tom ferris ;-)))))
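For the header the advisory quotes, here is an added example (not code from the advisory, HAT-SQUAD or Veritas) of how a listener could decode the six XDR fields and reject an implausible time_stamp before dispatching to a helper executable. The one-day skew window, the fixed "now" clock and the sample header bytes are assumptions constructed for this example.

```c
/* Added example, not the advisory's code: decode and sanity-check an NDMP
 * header (six big-endian 32-bit XDR fields, per the struct quoted above).
 * MAX_SKEW is an assumed policy; the sample headers are constructed. */
#include <stdint.h>
#include <stddef.h>
#define NDMP_HEADER_LEN 24u
#define MAX_SKEW        (24u * 60u * 60u)   /* assumed tolerable clock drift */
enum ndmp_message_type { NDMP_REQUEST = 0, NDMP_REPLY = 1 };
enum ndmp_check { NDMP_OK = 0, NDMP_ERR_SHORT = -1, NDMP_ERR_TYPE = -2,
                  NDMP_ERR_TIMESTAMP = -3 };

struct ndmp_header {
    uint32_t sequence, time_stamp, message_type, message, reply_sequence, error;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* `now` is the server clock in Unix seconds, passed in so the check is deterministic. */
int ndmp_header_decode(const uint8_t *buf, size_t len, uint32_t now,
                       struct ndmp_header *out)
{
    if (len < NDMP_HEADER_LEN)
        return NDMP_ERR_SHORT;
    out->sequence       = be32(buf);
    out->time_stamp     = be32(buf + 4);
    out->message_type   = be32(buf + 8);
    out->message        = be32(buf + 12);
    out->reply_sequence = be32(buf + 16);
    out->error          = be32(buf + 20);
    if (out->message_type != NDMP_REQUEST && out->message_type != NDMP_REPLY)
        return NDMP_ERR_TYPE;
    /* Fail closed in the listener instead of letting a child process format an
     * implausible time; 64-bit arithmetic avoids wrapping near UINT32_MAX. */
    if ((uint64_t)out->time_stamp > (uint64_t)now + MAX_SKEW)
        return NDMP_ERR_TIMESTAMP;
    return NDMP_OK;
}

/* Constructed samples: a July-2005 request, and the same with time_stamp = 0xFFFFFFFF. */
static const uint8_t SAMPLE_OK[NDMP_HEADER_LEN]  = { 0,0,0,1, 0x42,0xE0,0,0, 0,0,0,0, 0,0,1,0, 0,0,0,0, 0,0,0,0 };
static const uint8_t SAMPLE_BAD[NDMP_HEADER_LEN] = { 0,0,0,1, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0, 0,0,1,0, 0,0,0,0, 0,0,0,0 };

int check_sample(const uint8_t *hdr)    /* "now" fixed to 0x42E10000 (July 2005) */
{
    struct ndmp_header h;
    return ndmp_header_decode(hdr, NDMP_HEADER_LEN, 0x42E10000u, &h);
}
```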

class101
22-07-05, 16:23
nice one, I guess there is no hotfix ;]

apoc_neo
23-07-05, 10:14
This is gonna be nice when it releases, and if there is no hotfix yet then it is going to be even better. If you find it somewhere please post it here for us to look at and to play around with ;)

class101
23-07-05, 17:25
white poc

http://heapoverflow.com/poc.jpg
http://heapoverflow.com/poc2.jpg

hehe

clark
23-07-05, 19:19
nice discovery ;D
poor symantec guys... haha, now they will listen to the call ;)

24-07-05, 18:11
wise discovery, no chance to get a shell :( (or there is a chance! :D)
but still dangerous, that's the way, don't call 'em until they take us seriously,
90% this happens when there is no source and they think we have no idea what they did; in the open-source community you will get a good and fast response.

class101
28-07-05, 09:38
no chance, or maybe we aren't good enough to get a shell; during my tests, I was able to load a huge buffer into the heap but was never able to control what I'd like to :)

class101
10-08-05, 09:27
Reference: BID 14355, http://www.securityfocus.com/bid/14355,

Risk: Very Low to minimal

Affected product: Veritas NetBackup minimal impact only

This issue does NOT affect Veritas Backup Exec

Symantec engineers have thoroughly reviewed the issue as posted to
the bugtraq mailing list.

Passing a CONFIG request with a malformed timestamp in the ndmpheader
does result in a segment fault killing the current listening process
spawned when the connection attempt is made. However, the only
process affected is the child process spawned separately for each
connection attempt by the underlying agent. The agent is NOT
impacted and will continue to spawn processes to handle additional
connection requests as they are received. Although this minor issue
causes no functionality problems with the product, Symantec engineers
are reviewing options to address it in future updates.

Symantec takes the security of our products seriously and adheres to
responsible disclosure. Our response policy and pgp key for secure
communications are available from http://www.symantec.com/security
<http://www.symantec.com/security>.

Symantec will work responsibly with anyone who believes they have
found a security issue in a Symantec product to validate the problem
and coordinate any response deemed necessary.

Please contact secure (at) symantec (dot) com concerning security
issues with Symantec products.



at secfocus:

Credit: Discovery is credited to .

here:

Credit: Discovery is credited to Hat-Squad (class101)

;)

10-08-05, 19:02
heh
I don't like those silly secfocus guys!
did you know that they simply ignore our reports because we are from ---- ?

class101
10-08-05, 22:13
yeah, they think they are leet since they have been acquired by Symantec; for me they are just a slow big database, not much respect for their work. Look at their bugtraq list, a nice shit moderated by mr Ahmad; I have read on the web that dude was in a Persian defacement crew in the old times, to show you the leet skill.. Your being ignored prolly has something to do with your name being linked to a gay defacement crew, so IHS :>

11-08-05, 14:22
lol. I didn't know about that mr ahmad!
and that's why I forced the IHS dudes to stop defacing, and I think it's about half a year that they haven't defaced :) , instead of that they are focusing on vuln dev and exploiting, i.e.: http://secunia.com/advisories/16362 and those IBM/AIX codes, many of which haven't been published yet :>
their ignoring us is simply because our ip is listed in black countries and we get the mails back to ourselves; anyway I don't give a shit about that.