Vulnerabilities > CVE-2005-2611 - Unspecified vulnerability in Symantec Veritas Backup Exec, Backup Exec Remote Agent and Netbackup

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
symantec-veritas
critical
nessus
exploit available
metasploit

Summary

VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 use a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server.

Vulnerable Configurations

Part Description Count
Application
Symantec_Veritas
57

Exploit-Db

description: Veritas Backup Exec Remote File Access Exploit (windows). CVE-2005-2611. Remote exploit for windows platform
id: EDB-ID:1147
last seen: 2016-01-31
modified: 2005-08-11
published: 2005-08-11
reporter: N/A
source: https://www.exploit-db.com/download/1147/
title: Veritas Backup Exec Remote File Access Exploit windows

Metasploit

description: This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.
id: MSF:AUXILIARY/ADMIN/BACKUPEXEC/DUMP
last seen: 2020-05-22
modified: 2020-05-12
published: 2006-12-03
references
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/backupexec/dump.rb
title: Veritas Backup Exec Windows Remote File Access

Nessus

NASL family: Misc.
NASL id: VERITAS_AGENT_DEFAULT_ACCOUNT.NASL
description: The remote host is running a version of VERITAS Backup Exec Agent which is configured with a default root account. An attacker may exploit this flaw to retrieve files from the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19427
published: 2005-08-12
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19427
title: VERITAS Backup Exec Remote Agent Static Password Arbitrary File Download
code
#
# (C) Tenable Network Security, Inc.
#

# Credit for the default root account values:
# - Metasploit and an anonymous contributor


include("compat.inc");

# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script leaves through the
# exit(0) at the end of this block, before any network traffic is sent.
if (description)
{
 script_id(19427);
 script_version("1.22");
 script_cvs_date("Date: 2018/08/06 14:03:14");

 # Cross-references used to correlate this finding with other advisories.
 script_cve_id("CVE-2005-2611");
 script_bugtraq_id(14551);

 script_name(english:"VERITAS Backup Exec Remote Agent Static Password Arbitrary File Download");
 script_summary(english:"Test the VERITAS Backup Exec Agent Default Account");

 # NOTE(review): the synopsis mentions retrieve/delete while the description
 # mentions retrieval only; the active check in this file only tests whether
 # authentication succeeds and performs no file operation -- confirm wording.
 script_set_attribute(attribute:"synopsis", value:
"It is possible to retrieve/delete files on the remote host." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of VERITAS Backup Exec Agent
which is configured with a default root account. 

An attacker may exploit this flaw to retrieve files from the remote
host." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9b1913d" );
 script_set_attribute(attribute:"see_also", value:"http://seer.support.veritas.com/docs/278434.htm" );
 script_set_attribute(attribute:"solution", value:
"Update the product as described in the vendor advisory referenced above." );
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # complete confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # Temporal vector: proof-of-concept exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/12");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/12");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:veritas_backup_exec");
 script_end_attributes();
 
 # Declared as an information-gathering check.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Misc.");
 # On engines at NASL level 3000 or later, veritas_agent_bypass.nbin is
 # scheduled first; this plugin is then excluded when the KB key below is set
 # (presumably by that dependency -- confirm).
 if ( NASL_LEVEL >= 3000 ) script_dependencie("veritas_agent_bypass.nbin");
 script_exclude_keys("Veritas/BackupExecAgent/Bypass");
 # Only port 10000 is declared; an agent listening on any other port is not
 # covered by this plugin.
 script_require_ports(10000);
 exit(0);
}

# Stop early when the bypass KB key is present (presumably recorded by the
# veritas_agent_bypass.nbin dependency), so the host is not reported twice.
if (get_kb_item("Veritas/BackupExecAgent/Bypass"))
{
  exit(0);
}

# The check is hard-wired to this port; agents on other ports are not tested.
port = 10000;

# Webmin's MiniServ web server also uses port 10000. When an HTTP banner
# recorded for that port identifies it, leave without sending NDMP traffic.
banner = get_kb_item("www/banner/10000");
if (banner && "Server: MiniServ" >< banner)
{
  exit(0);
}



# First message sent to the agent (32 bytes). The leading word 0x8000001C looks
# like a record-marking header: high bit set, 0x1C = 28 bytes following, which
# matches the remaining length. The rest appears to follow the NDMP header
# layout (sequence 1, timestamp 0x42BAF991, type 0 = request, message code
# 0x0900, reply sequence 0, error 0) with a one-word body of 3 -- presumably the
# requested protocol version; confirm against the NDMP specification.
connect_open_request = raw_string(
	0x80, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x42, 0xBA, 0xF9, 0x91, 0x00, 0x00, 0x00, 0x00, 
	0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
);


# Authentication request (56 bytes; header word 0x80000034 = 52 bytes
# following). Message code is 0x0901. The body carries an auth-type word of 2,
# a length-prefixed user name (4 bytes: 0x72 0x6F 0x6F 0x74 = "root") and a
# fixed 16-byte value -- presumably the digest for the vendor's static
# password. The script sends this without asking the agent for a challenge
# first, so a success reply means the agent accepts this constant credential.
# Because the bytes never change, they are also usable as a network signature
# when monitoring for probes against port 10000.
connect_client_auth_request = raw_string (
	0x80, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, 0x42, 0xBA, 0xF9, 0x91, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x09, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x04, 0x72, 0x6F, 0x6F, 0x74, 0xB4, 0xB8, 0x0F, 0x26, 0x20, 0x5C, 0x42, 0x34,
	0x03, 0xFC, 0xAE, 0xEE, 0x8F, 0x91, 0x3D, 0x6F);

# Expected tail of a successful authentication reply (20 bytes): type 1,
# message code 0x0901, reply sequence 1, then two zero words -- presumably the
# header error field and the body error code, both "no error". The variable
# leading fields of the reply (record mark, sequence, timestamp) are not part
# of this pattern; the caller compares it against bytes 12..31 of the answer.
connect_client_auth_reply = raw_string (
	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x09, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00);

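# Active check: open one TCP connection to the agent, replay the two canned
# requests and report the host only when the final reply matches the expected
# "authentication succeeded" pattern. No file is read or written.
if (!get_port_state(port))
  exit (0);

soc = open_sock_tcp (port);
if (!soc) exit (0);

# Read whatever the service sends on connect, then the reply to the open
# request. NOTE(review): neither intermediate answer is validated, so the
# authentication request is sent even if the peer did not answer like an NDMP
# service -- consider checking them before sending the credential bytes.
buf = recv (socket:soc, length:40);
send (socket:soc, data:connect_open_request);
buf = recv (socket:soc, length:32);
send (socket:soc, data:connect_client_auth_request);
buf = recv (socket:soc, length:32);

# Nothing further is exchanged: release the socket here so that neither the
# early exit nor the reporting path leaves the connection to the agent open.
close (soc);

# A complete reply is exactly 32 bytes; anything shorter is treated as
# "not vulnerable / not the expected service".
if (strlen(buf) != 32)
  exit(0);

# Skip the first 12 bytes (record mark, sequence, timestamp), which vary per
# reply, and compare the remaining 20 bytes with the success pattern.
rep = substr (buf, 12, 31);

if (connect_client_auth_reply >< rep)
  security_hole(port);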