Monday, June 27, 2005

[NT] Veritas Backup Multiple Vulnerabilities (Multiple DoS, Buffer Overflow, Remote Access)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Veritas Backup Multiple Vulnerabilities (Multiple DoS, Buffer Overflow,
Remote Access)
------------------------------------------------------------------------

SUMMARY

"VERITAS Backup Exec for Windows Servers is the Gold Standard in Windows
data protection providing comprehensive, cost-effective, and certified
backup and recovery - including the fastest disk-based recovery."
(http://veritas.com/Products/www?c=product&refId=57)

A buffer overflow vulnerability within Veritas's Backup Exec allows remote
attackers to execute arbitrary code. Remote exploitation of a denial of
service condition within Veritas's Backup Exec allows attackers to crash
the vulnerable service.

DETAILS

Vulnerable Systems:
* Veritas Backup version 10.0 SP1 (NDMLSRVR.DLL DoS only)
* Veritas Backup version 10.0
* Veritas Backup version 9.1

Immune Systems:
* Backup Exec 10.0 for Windows Servers rev. 5520
* Backup Exec 9.1.1156 for NetWare Servers

Buffer Overflow:
The Veritas Backup Exec Agent listens on TCP port 10000 and is responsible
for accepting connections from the backup server when a backup is to
occur. Typically the agent would be installed on most servers and
important workstations in an enterprise environment.

Veritas Backup Exec uses the standard NDMP protocol to communicate with
the listening agents. The NDMP protocol allows multiple authentication
types, including support for Windows user credentials.

The vulnerability specifically exists because of insufficient input
validation on CONNECT_CLIENT_AUTH requests. A CONNECT_CLIENT_AUTH request
sent with authentication method type "3" (Windows user credentials) and
an overly long password argument overflows a stack buffer and can lead to
arbitrary code execution. The overflow copies the user-supplied password
onto the stack until the copy runs off the end of the mapped page. By then
the SEH frame has been overwritten, so when the page fault raises an
exception the program jumps to a user-defined location.

Debugger output showing control of execution from the SEH frame is
detailed as follows:
(1d8.b1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=00002001 ebx=0032ad78 ecx=0000037e
edx=00fbedf8 esi=01045928 edi=00fc0000
eip=0141b77f esp=00fbedd8 ebp=0032c040 iopl=0
nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

*** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files\VERITAS\Backup Exec\NT\beclass.dll -
beclass!DeasciifyAndDecrypt+0xaf:

0141b77f f3a5 rep movsd ds:01045928=39784638 es:00fc0000=????????
0:005> g

(1d8.b1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=00000000 ebx=00000000 ecx=41424344
edx=7c9037d8 esi=00000000 edi=00000000
eip=41424344 esp=00fbea08 ebp=00fbea28 iopl=0
nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41424344 ?? ???
0:005> kp
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be
wrong.
00fbea04 7c9037bf 0x41424344
00fbea28 7c90378b ntdll!RtlConvertUlongToLargeInteger+0x7a
00fbead8 7c90eafa ntdll!RtlConvertUlongToLargeInteger+0x46
0032c040 0032b470 ntdll!KiUserExceptionDispatcher+0xe
00000003 00000000 0x32b470

Exploitation does not require authentication, thereby allowing any remote
attacker to execute arbitrary code under the privileges of the Backup Exec
Agent Browser (benetns.exe) process, which is usually a domain
administrative account. Exploitation can occur fairly reliably since the
overflow is able to control code execution via the structured exception
handler.

DoS 1:
This issue affects the same Backup Exec Agent (TCP port 10000, NDMP)
described under "Buffer Overflow" above.

The vulnerability specifically exists within NDMLSRVR.DLL due to a null
pointer dereference upon parsing of a maliciously crafted packet at the
following instruction:
0x01053355 MOVZX EAX, WORD PTR [ESI]

An unhandled exception occurs resulting in a crash of the program and a
denial of service condition. Exploitation does not require authentication,
thereby allowing any remote attacker to cause the denial of service and
disruption of backup capabilities.

DoS 2:
This issue affects the same Backup Exec Agent (TCP port 10000, NDMP)
described under "Buffer Overflow" above.

The vulnerability specifically exists because of improper handling of
request packets with an unexpected "Error Status" value. Specifically, any
Error Status other than "0" causes a null pointer dereference, resulting
in an unhandled exception, as the following debugger output shows:

eax=00000000 ebx=0032ac08 ecx=00000000
edx=0098a930 esi=0032e1e8 edi=009b5770
eip=008f1c84 esp=00fbfb58 ebp=0032ac30 iopl=0
nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202

*** ERROR: Symbol file could not be found.
Defaulted to export symbols for
C:\Program Files\VERITAS\Backup Exec\NT\ndmpsrvr.dll -
ndmpsrvr+0x21c84:

008f1c84 8b00 mov eax,[eax] ds:0023:00000000=????????

The unhandled exception will result in a crash of the program and a denial
of service condition. Exploitation does not require authentication,
thereby allowing any remote attacker to cause the denial of service and
disruption of backup capabilities.
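Two of the agent-side issues above (the overly long type-3 password in a CONNECT_CLIENT_AUTH request, and requests that carry a non-zero Error Status) are visible in the NDMP framing on TCP port 10000 before the agent parses them. The following Python inspector is an added example, not code from iDefense, SecuriTeam or Veritas: it decodes the NDMP record marker and the 24-byte message header as laid out in the NDMP v3/v4 specification and flags both patterns. It assumes a single-fragment record, assumes that the Veritas-specific auth type 3 carries the same (id, password) XDR string pair as standard NDMP_AUTH_TEXT, and uses a constructed 256-byte password threshold; the sample records at the bottom are constructed so the inspector can be run offline.

```python
import struct

# Constants from the NDMP v3/v4 specification (the standard framing the advisory refers to).
NDMP_MESSAGE_REQUEST = 0
NDMP_CONNECT_CLIENT_AUTH = 0x901
NDMP_NO_ERR = 0
NDMP_AUTH_TEXT = 1
# Veritas-specific auth method "3" (Windows credentials) quoted in the advisory.
VERITAS_AUTH_WINDOWS = 3
# Constructed threshold for this example; Windows passwords never legitimately exceed it.
MAX_PASSWORD_BYTES = 256


def _xdr_string(buf, off):
    """Decode one XDR string (u32 length, bytes, pad to 4) starting at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated XDR string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated XDR string body")
    return buf[off:off + n], off + ((n + 3) & ~3)


def parse_ndmp_record(rec):
    """Split one NDMP record (4-byte record marker + 24-byte header + body).
    Assumption: a single-fragment record, i.e. the last-fragment bit is set."""
    if len(rec) < 28:
        raise ValueError("record too short for an NDMP header")
    (rm,) = struct.unpack_from(">I", rec, 0)
    if not rm & 0x80000000 or (rm & 0x7FFFFFFF) != len(rec) - 4:
        raise ValueError("multi-fragment or mis-sized record")
    seq, ts, mtype, msg, reply_seq, err = struct.unpack_from(">6I", rec, 4)
    header = {"sequence": seq, "time_stamp": ts, "message_type": mtype,
              "message": msg, "reply_sequence": reply_seq, "error": err}
    return header, rec[28:]


def inspect_ndmp_record(rec):
    """Return a list of findings for one record; an empty list means nothing suspicious."""
    findings = []
    header, body = parse_ndmp_record(rec)
    if header["message_type"] != NDMP_MESSAGE_REQUEST:
        return findings
    # DoS 2 pattern: a request never legitimately carries a non-zero error status.
    if header["error"] != NDMP_NO_ERR:
        findings.append("request with non-zero error status %d" % header["error"])
    if header["message"] == NDMP_CONNECT_CLIENT_AUTH:
        if len(body) < 4:
            findings.append("CONNECT_CLIENT_AUTH with truncated body")
            return findings
        (auth_type,) = struct.unpack_from(">I", body, 0)
        # Assumption: type 3 uses the same (id, password) string pair as NDMP_AUTH_TEXT.
        if auth_type in (NDMP_AUTH_TEXT, VERITAS_AUTH_WINDOWS):
            _user, off = _xdr_string(body, 4)
            password, _ = _xdr_string(body, off)
            if auth_type == VERITAS_AUTH_WINDOWS and len(password) > MAX_PASSWORD_BYTES:
                findings.append("oversized type-3 password (%d bytes)" % len(password))
    return findings


# --- constructed sample records so the inspector can run offline ---

def _xdr_encode_string(s):
    return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)


def _sample_auth_request(auth_type, user, password, error=NDMP_NO_ERR):
    """Build a CONNECT_CLIENT_AUTH request record (test scaffolding, not a client)."""
    body = struct.pack(">I", auth_type) + _xdr_encode_string(user) + _xdr_encode_string(password)
    header = struct.pack(">6I", 1, 0, NDMP_MESSAGE_REQUEST, NDMP_CONNECT_CLIENT_AUTH, 0, error)
    payload = header + body
    return struct.pack(">I", 0x80000000 | len(payload)) + payload


BENIGN_REQUEST = _sample_auth_request(VERITAS_AUTH_WINDOWS, b"CORP\\bkupsvc", b"normal-length-secret")
OVERSIZED_PASSWORD_REQUEST = _sample_auth_request(VERITAS_AUTH_WINDOWS, b"x", b"A" * 1024)
BAD_STATUS_REQUEST = _sample_auth_request(NDMP_AUTH_TEXT, b"x", b"y", error=5)

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_PASSWORD_REQUEST),
                      ("bad-status", BAD_STATUS_REQUEST)]:
        print(name, inspect_ndmp_record(rec) or "ok")
```

The error-status check needs nothing beyond the fixed header, so it is the cheaper of the two rules to put in front of unpatched agents while the rev. 5520 update is rolled out; the password-length check depends on the assumed type-3 body layout and should be validated against a capture from a real media server before it is trusted.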

Remote Access:
The problem specifically exists within some RPC handlers defined in
beserver.exe. The Backup Exec Server service registers an RPC interface on
a TCP endpoint with ID 93841fd0-16ce-11ce-850d-02608c44967b on port 6106.
The following assembly snippet from beserver.exe version 10.0.5484.0 shows
the server-side RPC dispatch table for this interface:

rpc_dispatch_table_1
.text:00425E28 dd offset rpc_sub_1
.text:00425E2C dd offset rpc_sub_2
.text:00425E30 dd offset rpc_sub_3
.text:00425E34 dd offset rpc_sub_4
.text:00425E38 dd offset rpc_sub_5 ; registry read
.text:00425E3C dd offset rpc_sub_6 ; registry write
.text:00425E40 dd offset rpc_sub_7 ; registry delete
.text:00425E44 dd offset rpc_sub_8 ; registry enum
.text:00425E48 dd offset rpc_sub_9
.text:00425E4C dd offset rpc_sub_10
.text:00425E50 dd offset rpc_sub_11
.text:00425E54 dd offset null_sub
.text:00425E58 dd offset null_sub

The routines marked above (rpc_sub_5 through rpc_sub_8) allow
unauthenticated remote attackers to connect to the RPC endpoint and
arbitrarily create, modify, delete and read registry keys. An attacker
needs only to reverse engineer the Microsoft Interface Definition Language
(IDL) for the target routine and create a custom client to connect to and
manipulate the server. The IDL definition for rpc_sub_6 (registry write)
is:
long rpc_sub_6 (
/* 04 */ [in] [string] wchar_t *sub_key,
/* 08 */ [in] [string] wchar_t *value_name,
/* 0C */ [in] long type,
/* 10 */ [in] long len_data,
/* 14 */ [in,out] [size_is(len_data)] byte *data,
/* 18 */ [in] long len_hkey,
/* 1C */ [in] [size_is(len_hkey)] byte *hkey
);

Successful exploitation of the described vulnerability allows
unauthenticated remote attackers to connect to and arbitrarily modify the
target system's registry under the privileges of the 'Administrator' user.
Registry write access can be leveraged in a number of ways to further
compromise the target system. A simple vector would involve writing values
to startup keys with UNC paths to malicious binaries.
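The registry handlers are only reachable after a DCE/RPC bind to the interface ID quoted above, so a network sensor in front of port 6106 can spot unexpected clients at bind time, before any registry operation is attempted. The following Python parser is an added example, not code from iDefense, SecuriTeam or Veritas: it reads the presentation contexts of a connection-oriented bind PDU (C706 / MS-RPCE layout) and flags a bind to 93841fd0-16ce-11ce-850d-02608c44967b on port 6106 from any host outside a media-server allowlist. The interface version (1.0), the allowlist addresses and the sample PDU at the bottom are constructed for this example and are not stated in the advisory.

```python
import struct
import uuid

# Interface ID and port quoted in the advisory for the Backup Exec Server (beserver.exe) endpoint.
BACKUP_EXEC_REGISTRY_IFACE = uuid.UUID("93841fd0-16ce-11ce-850d-02608c44967b")
BACKUP_EXEC_RPC_PORT = 6106

# DCE/RPC connection-oriented PDU type for bind, and the standard NDR transfer syntax.
DCERPC_PTYPE_BIND = 11
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def parse_bind_interfaces(pdu):
    """Return [(interface_uuid, major, minor), ...] for every presentation context
    in a DCE/RPC bind PDU; an empty list for any other PDU type."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, _minor, ptype, _flags = struct.unpack_from("<4B", pdu, 0)
    if rpc_vers != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    # packed_drep[0] high nibble: 0 = big-endian integers, 1 = little-endian.
    end = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_length, _auth_length, _call_id = struct.unpack_from(end + "HHI", pdu, 8)
    if ptype != DCERPC_PTYPE_BIND:
        return []
    if frag_length > len(pdu) or frag_length < 28:
        raise ValueError("frag_length inconsistent with PDU")
    # bind body: max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4), then the
    # context list header: n_context_elem(1) + 3 reserved bytes.
    n_ctx = pdu[24]
    off = 28
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > frag_length:
            raise ValueError("truncated presentation context")
        _ctx_id, n_transfer = struct.unpack_from(end + "HB", pdu, off)
        off += 4  # p_cont_id(2) n_transfer_syn(1) reserved(1)
        raw_uuid = pdu[off:off + 16]
        (version,) = struct.unpack_from(end + "I", pdu, off + 16)
        off += 20 + 20 * n_transfer  # abstract syntax, then skip the transfer-syntax list
        iface = uuid.UUID(bytes_le=raw_uuid) if end == "<" else uuid.UUID(bytes=raw_uuid)
        contexts.append((iface, version & 0xFFFF, version >> 16))
    return contexts


def is_suspicious_registry_bind(pdu, dst_port, src_host, trusted_media_servers):
    """True when a bind to the registry-handling interface arrives on the Backup Exec
    port from a host that is not one of the known media servers."""
    if dst_port != BACKUP_EXEC_RPC_PORT or src_host in trusted_media_servers:
        return False
    return any(iface == BACKUP_EXEC_REGISTRY_IFACE for iface, _, _ in parse_bind_interfaces(pdu))


# --- constructed sample PDU (test scaffolding: little-endian, one context) ---
def _sample_bind(iface, major=1, minor=0):
    ctx = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", major | (minor << 16))
           + NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    header = (struct.pack("<4B", 5, 0, DCERPC_PTYPE_BIND, 0x03) + b"\x10\x00\x00\x00"
              + struct.pack("<HHI", 16 + len(body), 0, 1))
    return header + body


TRUSTED_MEDIA_SERVERS = {"10.0.0.5"}  # constructed allowlist
REGISTRY_IFACE_BIND = _sample_bind(BACKUP_EXEC_REGISTRY_IFACE)
OTHER_IFACE_BIND = _sample_bind(uuid.UUID("00000000-0000-0000-0000-000000000001"))

if __name__ == "__main__":
    print(parse_bind_interfaces(REGISTRY_IFACE_BIND))
    print(is_suspicious_registry_bind(REGISTRY_IFACE_BIND, 6106, "10.0.0.99", TRUSTED_MEDIA_SERVERS))
```

Because the handlers need no authentication, an allowlist of media-server addresses at the network layer (or a host firewall rule restricting 6106 to those hosts) is the compensating control until rev. 5520 is installed; the parser above gives the same decision as an alert rather than a block.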

CVE Information:
CAN-2005-0771 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0771
CAN-2005-0772 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0772
CAN-2005-0773 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0773

Disclosure Timeline:
03/16/2005 - Initial vendor notification about Buffer Overflow and about
Remote DoS vulnerabilities
03/18/2005 - Initial vendor notification for Remote Access vulnerability
03/30/2005 - Initial vendor response for the Buffer Overflow, Remote
Access and Remote DoS vulnerabilities
05/13/2005 - Initial vendor notification about NDMLSRVR.DLL DoS
vulnerability and initial vendor response
06/22/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE
(idlabs-advisories@idefense.com).
The original articles can be found at:
http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=270&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=271&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities
The vendor advisories can be found at:
http://seer.support.veritas.com/docs/277485.htm
http://seer.support.veritas.com/docs/276533.htm
http://seer.support.veritas.com/docs/276604.htm
http://seer.support.veritas.com/docs/276605.htm

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
