lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <6.2.3.4.2.20050722230401.02f1b310@72.36.154.154> Date: Fri Jul 22 22:11:29 2005 From: ad at class101.org (ad@...ss101.org) Subject: VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Update: Contact as finally been ok thanx secfocus and hotfix probably coming soon. VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY Date: 07/2005 Risk: Low/Medium Soft: NetBackup 5.1 OS : All supported win32 Fix : coming soon I. VULNERABILITY NETBACKUP as his brother BEXEC runs a NDMP server to 10000/TCP. This same service is calling another executable when doing some particular requests. This is possible to produce an access violation with the help of this last executable while sending a 'CONFIG' message request to the NDMP server with a timestamp in the ndmpheader out of range. enum ndmp_message_type { NDMP_REQUEST }; struct ndmp_header { u_long sequence; (local counter that starts at 1 and increases by 1 for every message sent) u_long time_stamp; (in seconds since 00:00:00 GMT, Jan 1, 1970) ndmp_message_type message_type; (request or reply message) ndmp_message message; (tape data config etc) u_long reply_sequence; (number from the request message to which the reply is associated) ndmp_error error; (verbose) }; II. PROOF OF CONCEPT Not published, probably soon on a forum nor mailing list, else when you know of the ndmp protocol, this is not that hard to trigger it by yourself. III. RISK Does not looks that big at a first look but my 10$ to this that it doens't smell good unreadable datas at 0x00000000, I have maybe missed up a field to overwrite during my tests letting us to force the executable to read malicious code, if yes, this might be critical, because the main service does not crash, allowing multiple hacking attempts. IV. DISCOVERY HAT-SQUAD.com V. GREETINGS Nima,Behrang,strcpy To SuperList [at] class101.org :D To the spammer SPIKEr tom ferris ;-))))) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2rc2 (MingW32) iQIVAwUBQuFgAa+LRXunxpxfAQIB8w/8CW/dFeFWL1IyTvDT92NzuMmw0cb0hGp8 OrvtegfUU3gQd4tGYYxHUfFOy9r4FyYqYg9/+cZZP3zJcqcmVh2rBvx5ijjCKJIB UKAjz7PbSil5LZC+74Ybz3B4mUVxfb9tlT+Ph23YdITgYQmuxZAeglBrGX8ZkI9x dmQ+pmBSTaYEnByKt0AvAZJ94Fzj2KKEwQqZ596suHLYwa+RtJrUOxYFU+AReoom 6Ht//diGnQPuzq61xDiIGrVVPasHIr89tLEQAr3EveyWY29zK9byHyFXx/yHedY0 H0neTPStrg+DM6wNZpZjDANdKhLZo93EH9gi4h6yj9VwCbvIhkDQWTFzqltdvPBV WMTk6sXMdVS2OSo+D1pelQCmgdWde89XF47lR7h3dy2vMjkZnu3C59cTZDT+tMoO MQglVPjsK+WU+FzG/NEp30jUOq1TOa+TK8s3ny1Ea8j2uOpfme1HjD1seD1i9k1/ M5b13zEKvil2IPa8UxKP2orBhSQ6oPSsZ2bamGAPyc8xSK65wGplwxRj9jTHpmQU ZOh9rQBX9bWzER4jdlKPR5t0PIqv5uOHLFJ6l/VxXi4k/9SRsobkVcbLHZHxJbQT hJ2KYjKELhZKRXyDHNin6GhLwrGSpqanPLE6zYSWxN54LKWcCvzmtoYcA6fG1o6/ 6T1WD0FHbn4= =exv+ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists