Vulnerabilities > CVE-2007-4347 - Numeric Errors vulnerability in Symantec Backupexec System Recovery 11.0.6235/11.0.7170

CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
symantec
CWE-189
nessus

Summary

Multiple integer overflows in the Job Engine (bengine.exe) service in Symantec Backup Exec for Windows Servers (BEWS) 11d build 11.0.7170 and 11.0.6.6235 allow remote attackers to cause a denial of service (CPU and memory consumption) via a crafted packet to port 5633/tcp, which triggers an infinite loop.

Vulnerable Configurations

Part Description Count
Application
Symantec
2

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: BEWS_DOS.NASL
description: Backup Exec for Windows Servers, a commercial backup product from Symantec, is installed on the remote host. The version of the Backup Exec Job Engine, bengine.exe, installed as part of Backup Exec for Windows Server on the remote host contains a NULL pointer dereference error when handling exceptions. Using a specially crafted packet, an attacker can leverage this issue to crash the affected service. In addition, it is affected by two overflow errors that can cause the service to enter an infinite loop, resulting in high CPU utilization and / or memory exhaustion.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 28361
published: 2007-11-29
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/28361
title: Symantec Backup Exec for Windows Servers Denial of Service Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the block below only declares
# plugin metadata and exits before any of the SMB code further down runs.
if (description)
{
  script_id(28361);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  # One version check of bengine.exe covers both CVEs / Bugtraq IDs.
  script_cve_id("CVE-2007-4346", "CVE-2007-4347");
  script_bugtraq_id(26028, 26029);

  script_name(english:"Symantec Backup Exec for Windows Servers Denial of Service Vulnerabilities");
  script_summary(english:"Checks version of bengine.exe");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is affected by
several denial of service vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"Backup Exec for Windows Servers, a commercial backup product from
Symantec, is installed on the remote host.

The version of the Backup Exec Job Engine, bengine.exe, installed as
part of Backup Exec for Windows Server on the remote host contains a
NULL pointer dereference error when handling exceptions. Using a
specially crafted packet, an attacker can leverage this issue to crash
the affected service.

In addition, it is affected by two overflow errors that can cause the
service to enter an infinite loop, resulting in high CPU utilization
and / or memory exhaustion.");
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2007-74/advisory/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/484318/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/484333/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Apply the appropriate hotfix according to the vendor advisories above.");
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # availability impact only (no confidentiality or integrity impact).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189, 399);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/29");

  # "local" plugin type: the check below reads the registry and the file
  # version of bengine.exe over SMB with the scan's stored credentials; it
  # does not send anything to the Job Engine service itself.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:veritas_backup_exec");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # Prerequisites: smb_hotfixes.nasl is a declared dependency, the
  # SMB/Registry/Enumerated KB key is required, and the SMB ports 139 and
  # 445 are listed as required ports. Without credentialed SMB access this
  # plugin produces no result for the host.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");


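# Stop unless the registry was enumerated earlier in the scan; the same KB
# key is also declared in script_require_keys.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Fetch the SMB transport port and the credentials stored in the KB.
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# Connect to IPC$ before opening the remote registry.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  NetUseDel();
  # A failed share connection means the host was NOT assessed. Record the
  # reason through audit() (as the smb_session_init check above does)
  # instead of exiting silently, so an unchecked host is not mistaken for
  # an unaffected one in the scan results.
  audit(AUDIT_SHARE_FAIL, "IPC$");
}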


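# Connect to remote registry (HKEY_LOCAL_MACHINE).
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  # Without registry access the install path cannot be read, so the host
  # was not assessed. Report that through audit() rather than a silent
  # exit(0), which would be indistinguishable from "not installed".
  audit(AUDIT_REG_FAIL);
}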


# Look up the Backup Exec 11.0 install directory in the registry.
# `path` stays NULL when the Install key or its "Path" value is absent.
path = NULL;

install_key = "SOFTWARE\Symantec\Backup Exec for Windows\Backup Exec\11.0\Install";
install_h = RegOpenKey(handle:hklm, key:install_key, mode:MAXIMUM_ALLOWED);
if (!isnull(install_h))
{
  item = RegQueryValue(handle:install_h, item:"Path");
  # Element 1 of the query result is used as the path string; a trailing
  # backslash is stripped so "\bengine.exe" can be appended later.
  if (!isnull(item))
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:item[1]);

  RegCloseKey(handle:install_h);
}
RegCloseKey(handle:hklm);

# No install path: release the share and stop without reporting.
if (isnull(path))
{
  NetUseDel();
  exit(0);
}


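# Grab the file version of the affected file.
# The install path is split into the drive's administrative share (drive
# letter followed by "$") and the share-relative path of bengine.exe.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\bengine.exe", string:path);
# NOTE(review): close:FALSE presumably releases IPC$ while keeping the SMB
# session for the next NetUseAdd - confirm against smb_func.inc.
NetUseDel(close:FALSE);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  # The scan account could not reach the administrative share, so the file
  # was never inspected. Record that instead of exiting silently; a silent
  # exit here reads as "not vulnerable" in the scan results.
  audit(AUDIT_SHARE_FAIL, share);
}

# Open bengine.exe read-only; the file is never modified.
fh = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();

# The product is registered but its version could not be read (file missing,
# unreadable, or without version information). Surface that as an audit
# message so the host is not silently treated as patched.
if (isnull(ver)) audit(AUDIT_VER_FAIL, path + "\bengine.exe");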


# Compare the file version of bengine.exe with the hotfixed build for its
# branch. Only 11.0 builds 7170 and 6235 are evaluated; any other build
# exits without reporting.
if (!isnull(ver) && ver[0] == 11 && ver[1] == 0)
{
  if (ver[2] == 7170) fix = "11.0.7170.25";
  else if (ver[2] == 6235) fix = "11.0.6235.29";
  else exit(0);

  # Turn the dotted fix string into four integers for numeric comparison.
  fix = split(fix, sep:'.', keep:FALSE);
  for (i=0; i<4; i++)
  {
    fix[i] = int(fix[i]);
  }

  # Walk the components left to right: the first one that differs decides.
  for (i=0; i<max_index(ver); i++)
  {
    # Installed component is newer than the fix: not affected.
    if (ver[i] > fix[i]) break;

    # Installed component is older than the fix: report and stop.
    if (ver[i] < fix[i])
    {
      security_hole(port);
      break;
    }
  }
}

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 26029 CVE(CAN) ID: CVE-2007-4347 Symantec Backup Exec是一款全面的数据备份解决方案。 Backup Exec的Job引擎服务中存在两个整数溢出漏洞,远程攻击者可能利用此漏洞导致拒绝服务。 如果远程攻击者向该服务的默认5633/TCP端口发送了畸形报文的话,就可能导致服务陷入死循环,耗尽所有可用内存或消耗大量CPU资源。 Symantec Backup Exec for Windows Servers 11d Symantec -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://support.veritas.com/docs/294241 http://support.veritas.com/docs/294237
id: SSV:2512
last seen: 2017-11-19
modified: 2007-11-30
published: 2007-11-30
reporter: Root
title: Symantec Backup Exec Job引擎多个整数溢出漏洞