lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <6.2.3.4.2.20050722230401.02f1b310@72.36.154.154>
Date: Fri Jul 22 22:11:29 2005
From: ad at class101.org (ad@...ss101.org)
Subject: VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY


Update: contact has finally been established (thanks, SecurityFocus) and a hotfix 
is probably coming soon.


VERITAS NETBACKUP 5.1 'TIME_STAMP' VULNERABILITY

Date: 07/2005
Risk: Low/Medium
Soft: NetBackup 5.1
OS  : All supported win32
Fix : coming soon



I. VULNERABILITY

NetBackup, like its sibling BEXEC, runs an NDMP server on 10000/TCP. 
When handling certain requests, this service invokes a second executable. 
An access violation can be produced in that second executable by sending 
a 'CONFIG' message request to the NDMP server whose NDMP header carries 
a time_stamp value that is out of range.

enum ndmp_message_type
{
     NDMP_REQUEST = 0,
     NDMP_REPLY   = 1
};

struct ndmp_header
{
     u_long            sequence;       /* local counter that starts at 1 and
                                          increases by 1 for every message sent */
     u_long            time_stamp;     /* seconds since 00:00:00 GMT, Jan 1, 1970 */
     ndmp_message_type message_type;   /* request or reply message */
     ndmp_message      message;        /* tape, data, config, etc. */
     u_long            reply_sequence; /* sequence number of the request message
                                          to which this reply is associated */
     ndmp_error        error;          /* verbose */
};
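The header above is plain XDR: six unsigned 32-bit words in network byte order, 24 bytes in total. The advisory says the helper executable faults on an out-of-range time_stamp, so the defensive check a practitioner would want is a bounds check on that field before the request is handed on (or, equivalently, a detection over captured traffic). The following parser and validator is an added example written for this page; it is not NetBackup code and not part of the original advisory. It assumes NDMP v3/v4 message numbering, in which the CONFIG interface uses message codes 0x100-0x1FF, and it assumes a 24-hour clock-skew window and a signed 32-bit time_t as the bounds to enforce; the advisory does not state which exact values the helper mishandles, so those bounds are the example's own choice. The sample packets are constructed, not captured.

```python
import struct
import time
from dataclasses import dataclass
from typing import List, Optional

NDMP_HEADER_LEN = 24            # six XDR u_long fields, 4 bytes each, network byte order
NDMP_REQUEST = 0                # enum ndmp_message_type
NDMP_REPLY = 1
MAX_SIGNED_TIME_T = 0x7FFFFFFF  # largest value a 32-bit signed time_t can hold
DEFAULT_SKEW_SECONDS = 24 * 3600  # assumed tolerable client/server clock drift


@dataclass(frozen=True)
class NdmpHeader:
    sequence: int
    time_stamp: int
    message_type: int
    message: int
    reply_sequence: int
    error: int


def parse_ndmp_header(data: bytes) -> NdmpHeader:
    """Decode the fixed 24-byte NDMP header (six big-endian unsigned 32-bit words)."""
    if len(data) < NDMP_HEADER_LEN:
        raise ValueError(f"NDMP header too short: {len(data)} bytes")
    return NdmpHeader(*struct.unpack("!6I", data[:NDMP_HEADER_LEN]))


def is_config_message(message: int) -> bool:
    """Assumption: NDMP v3/v4 numbering, where CONFIG interface codes are 0x100-0x1FF."""
    return 0x100 <= message <= 0x1FF


def header_problems(data: bytes, now: Optional[int] = None,
                    skew: int = DEFAULT_SKEW_SECONDS) -> List[str]:
    """Reasons to reject a header before passing the request on; an empty list means accept."""
    now = int(time.time()) if now is None else now
    try:
        hdr = parse_ndmp_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if hdr.message_type not in (NDMP_REQUEST, NDMP_REPLY):
        problems.append(f"unknown message_type {hdr.message_type}")
    # Bounds on time_stamp: reject anything a 32-bit signed time_t cannot represent,
    # then anything implausibly far from the receiver's own clock.
    if hdr.time_stamp > MAX_SIGNED_TIME_T:
        problems.append(f"time_stamp 0x{hdr.time_stamp:08x} does not fit a signed 32-bit time_t")
    elif abs(hdr.time_stamp - now) > skew:
        problems.append(f"time_stamp {hdr.time_stamp} is more than {skew}s from local time {now}")
    if hdr.message_type == NDMP_REQUEST and hdr.sequence == 0:
        problems.append("request sequence must start at 1")
    return problems


def build_header(sequence: int, time_stamp: int, message_type: int, message: int,
                 reply_sequence: int = 0, error: int = 0) -> bytes:
    """Encode a header; used here only to construct the sample inputs below."""
    return struct.pack("!6I", sequence, time_stamp, message_type, message, reply_sequence, error)


# Constructed sample inputs (not captured traffic): a well-formed CONFIG request
# and one whose time_stamp lies outside the signed 32-bit range.
NOW = 1122070289  # constructed fixed "current time" so results are reproducible
GOOD_CONFIG_REQUEST = build_header(1, NOW, NDMP_REQUEST, 0x100)
BAD_TIMESTAMP_REQUEST = build_header(1, 0xFFFFFFFF, NDMP_REQUEST, 0x100)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_CONFIG_REQUEST), ("bad", BAD_TIMESTAMP_REQUEST)):
        hdr = parse_ndmp_header(pkt)
        kind = "config" if is_config_message(hdr.message) else "other"
        print(label, kind, header_problems(pkt, now=NOW) or "accepted")
```

The same `header_problems` check can be run over the first 24 bytes of each message in a capture of port 10000/TCP to flag requests with implausible timestamps, which is the cheapest detection for this class of input until a hotfix is installed.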

II. PROOF OF CONCEPT

Not published; it will probably appear on a forum or mailing list soon. If 
you know the NDMP protocol, it is not that hard to trigger this yourself.

III. RISK

It does not look that big at first glance, but my $10 says it doesn't 
smell good: unreadable data at 0x00000000. I may have missed a field to 
overwrite during my tests that would let us force the executable to read 
malicious code; if so, this might be critical, because the main service 
does not crash, allowing multiple hacking attempts.

IV. DISCOVERY

HAT-SQUAD.com

V. GREETINGS

Nima, Behrang, strcpy
To SuperList [at] class101.org :D
To the spammer SPIKEr tom ferris ;-)))))

