Veritas Backup Exec注册请求远程缓冲区溢出漏洞

发布日期：2004-12-16
更新日期：2004-12-20

受影响系统：

Veritas Backup Exec 9.1

描述：

---

BUGTRAQ ID: 11974
CVE(CAN) ID: CVE-2004-1172

Veritas Backup Exec是新一代备份和恢复解决方案。

Veritas Backup Exec在处理注册请求时存在缓冲区溢出问题，远程攻击者可以利用这个漏洞以进程权限在系统上执行任意指令。

问题存在于Veritas Backup Exec处理接收和解析注册请求的函数中，注册请求包包含主机名和客户端连接的TCP端口，并保存在堆栈中，攻击者可以发送带有超长主机名的注册请求溢出数组，控制返回地址以进程权限在系统上执行任意指令。

<*来源：Patrik Karlsson （Patrik.Karlsson@ixsecurity.com）

链接：http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities&flashstatus=true
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/*
VERITAS Backup Exec v9.1.4691.SP1
v9.1.4691.SP0
v8.5.3572
Agent Browser Service, Remote Stack Overflow

Highly Critical

All credits to:

-iDEFENSE(discovery-www.iDEFENSE.com),
-Thor Doomen(iat-syscall[at]inbox.lv),
-H.D. Moore(scode-www.metasploit.com),
-Matt Miller(scode-www.hick.org)

ExtraNotes:

All my tests/debugs where a bit long (some days) firstly due to the big size
of Backup Exec and the unstability accross differents windows versions
to make working that IAT method with 100% success and the difficulty to
debug it.
(As a recall, due to the 60 bytes only free, a tiny shellcode is send in
first to scan
the recv function of benetns.exe and jump to the data submitted during the
second send,
thanx syscall. Let's think large now. Imagine that you exploits the hole and
you submit
the shellcode 5 minutes later, the service will hang on to death of course
until a kill,
now imagine that you exploits the hole and you submit the shellcode too
faslty for the,
computer processing, the shellcode can be missed, wont be executed again,
sometimes yes/no, but really unstable.
Hopefully (or unfortunely for you admin :>) I'm here to optimize it and make
it 100% working, universal,
stable whatever you want for the good fortune of script kiddies and to show
what mean working to my good
friends ka-odick :>
Tries
Machine Bind / Rverse / Success

(2x) Win2k SP4 Server English 10 10 20
(1x) Win2k SP4 Pro English 5 5 10
(1x) WinXP SP1 Pro English 5 5 10
(1x) WinXP SP1a Pro English 5 5 10
(3x) Win2003 SP0 Server English 5 5 10
(1x) Win2003 SP0 Server Ita. 5 5 10
(1x) NT4 Server English. 5 5 10

= Universal

v0.1:
C code based on Thor Doomen's code posted at the metasploit mailing list,
excellent in the method, but super unstable to not say not working when
used,
made some changes.

v0.2:
fix of the first big problem , the missed shellcode accross differents
windows,
fixed by flooding benetns with more sends, timer really small, this is
important.
padding 1 nop to the reverse shellcode as needed, else crash on reverse.

v0.3:
universal esi call across v9.1 SP0 and SP1, for the good fortune of script
kiddies.

v0.4:
As a warning, this poc v0.4 as been tested working by an anonymous tester
(never mentionned there)
on some organisations such nasa, states/edus, it's urgent to update 1 month
after the advisory, sleepers.

Tips: -make sure that your ip is safe of null bytes in reverse mode.
-make sure that you targets the good version of Backup Exec,
else you crash it.
-Backup Exec v10.0 is now available, get it at www.veritas.com.
-Visit dfind.kd-team.com for a patched benetns.exe, quick solution
for an urgent update. (extracted from the hotfix at www.veritas.com)
Backup Exec 9.x is tested safe after replacing the .exe

Greetings:
Nima Majidi
Behrang Fouladi
Pejman
keystr0ke
JGS
DiabloHorn
kimatrix
NaV
New Metasploit v2.3 (http://www.metasploit.com/)
and all idlers of #n3ws on Eris Free Network.

by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have, no I'm not persian

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!