what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

veritasNetbackup.txt

veritasNetbackup.txt
Posted Jul 23, 2005
Site hat-squad.com

Veritas Netbackup 5.1 suffers from a TIME_STAMP vulnerability that can cause an access violation.

tags | advisory
SHA-256 | 8038375fda61dd8bab4f1e82b344c368ec2edb2ca5230144ad613185491a8ef7

veritasNetbackup.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update: Contact as finally been ok thanx secfocus and hotfix probably
coming soon.


VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY

Date: 07/2005
Risk: Low/Medium
Soft: NetBackup 5.1
OS : All supported win32
Fix : coming soon



I. VULNERABILITY

NETBACKUP as his brother BEXEC runs a NDMP server to 10000/TCP. This
same service is calling another executable
when doing some particular requests. This is possible to produce an
access violation with the help of
this last executable while sending a 'CONFIG' message request to the
NDMP server with a timestamp in the ndmpheader out of range.

enum ndmp_message_type
{
NDMP_REQUEST
};
struct ndmp_header
{
u_long sequence; (local counter that starts at 1 and
increases by 1 for every message sent)
u_long time_stamp; (in seconds since 00:00:00 GMT,
Jan 1, 1970)
ndmp_message_type message_type; (request or reply message)
ndmp_message message; (tape data config etc)
u_long reply_sequence; (number from the request
message to which the reply is associated)
ndmp_error error; (verbose)
};

II. PROOF OF CONCEPT

Not published, probably soon on a forum nor mailing list, else when
you know of the ndmp protocol, this is not that
hard to trigger it by yourself.

III. RISK

Does not looks that big at a first look but my 10$ to this that it
doens't smell good unreadable datas at 0x00000000, I have maybe missed
up
a field to overwrite during my tests letting us to force the
executable to read malicious code, if yes, this might be critical,
because the main service
does not crash, allowing multiple hacking attempts.

IV. DISCOVERY

HAT-SQUAD.com

V. GREETINGS

Nima,Behrang,strcpy
To SuperList [at] class101.org :D
To the spammer SPIKEr tom ferris ;-)))))
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2rc2 (MingW32)

iQIVAwUBQuFgAa+LRXunxpxfAQIB8w/8CW/dFeFWL1IyTvDT92NzuMmw0cb0hGp8
OrvtegfUU3gQd4tGYYxHUfFOy9r4FyYqYg9/+cZZP3zJcqcmVh2rBvx5ijjCKJIB
UKAjz7PbSil5LZC+74Ybz3B4mUVxfb9tlT+Ph23YdITgYQmuxZAeglBrGX8ZkI9x
dmQ+pmBSTaYEnByKt0AvAZJ94Fzj2KKEwQqZ596suHLYwa+RtJrUOxYFU+AReoom
6Ht//diGnQPuzq61xDiIGrVVPasHIr89tLEQAr3EveyWY29zK9byHyFXx/yHedY0
H0neTPStrg+DM6wNZpZjDANdKhLZo93EH9gi4h6yj9VwCbvIhkDQWTFzqltdvPBV
WMTk6sXMdVS2OSo+D1pelQCmgdWde89XF47lR7h3dy2vMjkZnu3C59cTZDT+tMoO
MQglVPjsK+WU+FzG/NEp30jUOq1TOa+TK8s3ny1Ea8j2uOpfme1HjD1seD1i9k1/
M5b13zEKvil2IPa8UxKP2orBhSQ6oPSsZ2bamGAPyc8xSK65wGplwxRj9jTHpmQU
ZOh9rQBX9bWzER4jdlKPR5t0PIqv5uOHLFJ6l/VxXi4k/9SRsobkVcbLHZHxJbQT
hJ2KYjKELhZKRXyDHNin6GhLwrGSpqanPLE6zYSWxN54LKWcCvzmtoYcA6fG1o6/
6T1WD0FHbn4=
=exv+
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close