Vulnerabilities > CVE-2007-4346 - Resource Management Errors vulnerability in Symantec Backupexec System Recovery 11.0.6235/11.0.7170

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
symantec
CWE-399
nessus
NVD
Published: 2007-11-29
Updated: 2018-10-15

Summary

The Job Engine (bengine.exe) service in Symantec Backup Exec for Windows Servers (BEWS) 11d build 11.0.7170 and 11.0.6.6235 allows remote attackers to cause a denial of service (NULL dereference and service crash) via a crafted packet to port 5633/tcp.

Vulnerable Configurations

Part Description Count
Application
Symantec
2

Common Weakness Enumeration (CWE)

Nessus

NASL familyWindows
NASL idBEWS_DOS.NASL
descriptionBackup Exec for Windows Servers, a commercial backup product from Symantec, is installed on the remote host. The version of the Backup Exec Job Engine, bengine.exe, installed as part of Backup Exec for Windows Server on the remote host contains a NULL pointer dereference error when handling exceptions. Using a specially crafted packet, an attacker can leverage this issue to crash the affected service. In addition, it is affected by two overflow errors that can cause the service to enter an infinite loop, resulting in high CPU utilization and / or memory exhaustion.
last seen2020-06-01
modified2020-06-02
plugin id28361
published2007-11-29
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/28361
titleSymantec Backup Exec for Windows Servers Denial of Service Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(28361);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2007-4346", "CVE-2007-4347");
  script_bugtraq_id(26028, 26029);

  script_name(english:"Symantec Backup Exec for Windows Servers Denial of Service Vulnerabilities");
  script_summary(english:"Checks version of bengine.exe");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is affected by
several denial of service vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"Backup Exec for Windows Servers, a commercial backup product from
Symantec, is installed on the remote host.

The version of the Backup Exec Job Engine, bengine.exe, installed as
part of Backup Exec for Windows Server on the remote host contains a
NULL pointer dereference error when handling exceptions. Using a
specially crafted packet, an attacker can leverage this issue to crash
the affected service.

In addition, it is affected by two overflow errors that can cause the
service to enter an infinite loop, resulting in high CPU utilization
and / or memory exhaustion.");
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2007-74/advisory/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/484318/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/484333/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Apply the appropriate hotfix according to the vendor advisories above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189, 399);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:veritas_backup_exec");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");


if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Connect to the appropriate share.
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  NetUseDel();
  exit(0);
}


# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}


# Make sure it's installed.
path = NULL;

key = "SOFTWARE\Symantec\Backup Exec for Windows\Backup Exec\11.0\Install";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"Path");
  if (!isnull(value))
  {
    path = value[1];
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
  }

  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
  NetUseDel();
  exit(0);
}


# Grab the file version of the affected file.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\bengine.exe", string:path);
NetUseDel(close:FALSE);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

fh = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();


# Check the version number.
if (!isnull(ver) && 11 == ver[0] && 0 == ver[1])
{
  if (7170 == ver[2]) fix = "11.0.7170.25";
  else if (6235 == ver[2]) fix = "11.0.6235.29";
  else exit(0);

  fix = split(fix, sep:'.', keep:FALSE);
  for (i=0; i<4; i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(ver); i++)
    if ((ver[i] < fix[i]))
    {
      security_hole(port);
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 26028 CVE(CAN) ID: CVE-2007-4346 Symantec Backup Exec是一款全面的数据备份解决方案。 Backup Exec的Job引擎服务(bengine.exe)中存在空指针引用漏洞,远程攻击者可能利用此漏洞导致服务不可用。 如果远程攻击者向该服务的默认5633/TCP端口发送了畸形报文并触发了异常的话,就可能触发这个漏洞,导致监听的服务崩溃。 Symantec Backup Exec for Windows Servers 11d 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://support.veritas.com/docs/294241 target=_blank>http://support.veritas.com/docs/294241</a> <a href=http://support.veritas.com/docs/294237 target=_blank>http://support.veritas.com/docs/294237</a>
idSSV:2513
last seen2017-11-19
modified2007-11-30
published2007-11-30
reporterRoot
titleSymantec Backup Exec Job引擎空指针引用拒绝服务漏洞

References