CVE-2004-1172 - Remote Buffer Overflow vulnerability in VERITAS Backup Exec Agent Browser
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 5 |
Exploit-Db
description | Veritas Backup Exec Agent 8.x/9.x Browser Overflow (c version). CVE-2004-1172. Remote exploit for windows platform |
id | EDB-ID:750 |
last seen | 2016-01-31 |
modified | 2005-01-11 |
published | 2005-01-11 |
reporter | class101 |
source | https://www.exploit-db.com/download/750/ |
title | Veritas Backup Exec Agent 8.x/9.x - Browser Overflow C |

description | Veritas Backup Exec Name Service Overflow. CVE-2004-1172. Remote exploit for windows platform |
id | EDB-ID:16331 |
last seen | 2016-02-01 |
modified | 2010-06-22 |
published | 2010-06-22 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16331/ |
title | Veritas Backup Exec Name Service Overflow |
Metasploit
description | This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6. |
id | MSF:EXPLOIT/WINDOWS/BACKUPEXEC/NAME_SERVICE |
last seen | 2020-06-01 |
modified | 2017-07-24 |
published | 2005-12-05 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/backupexec/name_service.rb |
title | Veritas Backup Exec Name Service Overflow |
Nessus
NASL family | Gain a shell remotely |
NASL id | VERITAS_BACKUP_EXEC_OVERFLOW2.NASL |
description | The remote host is running a version of VERITAS Backup Exec Agent Browser which is vulnerable to a remote buffer overflow. An attacker may exploit this flaw to execute arbitrary code on the remote host or to disable this service remotely. To exploit this flaw, an attacker would need to send a specially crafted packet to the remote service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16232 |
published | 2005-01-24 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16232 |
title | VERITAS Backup Exec Agent Browser Registration Request Remote Overflow |

NASL family | Windows |
NASL id | VERITAS_BACKUP_EXEC_OVERFLOW.NASL |
description | The version of Veritas Backup Exec Agent Browser installed on the remote host is 8.x prior to 8.60.3878 hotfix 68, 9.0.x prior to 9.0.4454 hotfix 30, or 9.1.x prior to 9.1.4691 hotfix 40. It is, therefore, affected by a remote code execution vulnerability in the registration service (benetns.exe) due to a failure to validate the client hostname field during the registration process. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16230 |
published | 2005-01-24 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16230 |
title | Veritas Backup Exec Agent Browser 8.x < 8.60.3878 HF 68 / 9.0.x < 9.0.4454 HF 30 / 9.1.x < 9.1.4691 HF 40 RCE |
Packetstorm
data source | https://packetstormsecurity.com/files/download/83019/name_service.rb.txt |
id | PACKETSTORM:83019 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/83019/Veritas-Backup-Exec-Name-Service-Overflow.html |
title | Veritas Backup Exec Name Service Overflow |
Saint
bid | 11974 |
description | VERITAS Backup Exec Agent Browser hostname buffer overflow |
id | misc_backupexec |
osvdb | 12418 |
title | backup_exec_agent_browser_hostname |
type | remote |
References
- http://secunia.com/advisories/13495/
- http://seer.support.veritas.com/docs/273419.htm
- http://seer.support.veritas.com/docs/273420.htm
- http://seer.support.veritas.com/docs/273422.htm
- http://seer.support.veritas.com/docs/273850.htm
- http://www.frsirt.com/exploits/20050111.101_BXEC.cpp.php
- http://www.idefense.com/application/poi/display?id=169
- http://www.kb.cert.org/vuls/id/907729
- http://www.securityfocus.com/bid/11974
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18506