NetVault Buffer Overflows Let Local and Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1013625
SecurityTracker URL: http://securitytracker.com/id/1013625
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 1 2005
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Exploit Included: Yes
Version(s): 7.3 and prior versions
Description:
class101 from Hat-Squad.com reported two vulnerabilities in NetVault. A local or remote user can execute arbitrary code on the target system.
A vulnerability exists in the processing of the 'configure.cfg' file. A local user with access to the file can create a computername 'Name=' entry that is longer than 111 bytes. Then, when the NetVault Process Manager service starts (or restarts), a buffer overflow will be triggered and arbitrary code executed with System privileges. The default permissions of the file are read only for the Users group.
A remote user can connect to the target system on port 20031 and supply a specially crafted 'clientname' entry in the 'Available NetVault Machines' list to trigger a heap overflow and execute arbitrary code on the target server.
A demonstration exploit is available at:
http://class101.org/36/55/op.php
The vendor was notified on March 16 and March 19, 2005.
The original advisories are available at:
http://class101.org/netv-remhbof.pdf
http://class101.org/netv-locsbof.pdf
Impact:
A local user with write access to the 'configure.cfg' file can execute arbitrary code with System level privileges.
A remote user can execute arbitrary code on the target system.
Solution:
No solution was available at the time of this entry.
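A check a defender could run against 'configure.cfg' while no fix is available, as an added example that is not part of the advisory or the vendor's code: it flags any 'Name=' value over the 111-byte limit the advisory gives and notes when the file is writable by the account running the check. The one-entry-per-line key=value layout, measuring the value rather than the whole line, and the names find_long_names, audit and SAMPLE_CFG are assumptions.

```python
import os
import sys

# From the advisory: a 'Name=' entry longer than 111 bytes triggers the overflow.
MAX_NAME_BYTES = 111


def find_long_names(cfg_bytes, limit=MAX_NAME_BYTES):
    """Return [(line_number, value_length)] for 'Name=' values over the limit.

    Operates on raw bytes so multi-byte characters count at their encoded size.
    Assumption: one key=value entry per line, key matched case-insensitively.
    """
    findings = []
    for lineno, raw in enumerate(cfg_bytes.splitlines(), start=1):
        key, sep, value = raw.strip().partition(b"=")
        if not sep or key.strip().lower() != b"name":
            continue
        value = value.strip()
        if len(value) > limit:
            findings.append((lineno, len(value)))
    return findings


# Constructed sample input (not taken from a real NetVault installation).
SAMPLE_CFG = (
    b"Name=BACKUP01\r\n"
    b"name = " + b"A" * 112 + b"\r\n"
    b"Name=" + b"B" * 111 + b"\r\n"
)


def audit(path):
    """Print findings for one file and return the number of over-long entries."""
    with open(path, "rb") as fh:
        findings = find_long_names(fh.read())
    for lineno, length in findings:
        print(f"{path}:{lineno}: Name= value is {length} bytes (limit {MAX_NAME_BYTES})")
    # The advisory notes the file is read-only for Users by default; a writable
    # file means the account running this check could plant such an entry.
    if os.access(path, os.W_OK):
        print(f"{path}: writable by the current account, review its ACL")
    return len(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if audit(sys.argv[1]) else 0)
    print(find_long_names(SAMPLE_CFG))
```

Run it with the path to the file as the only argument; the exit status is 1 when an over-long entry is found.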
Vendor URL: www.bakbone.com/products/backup_and_restore/
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003), Windows (XP)
Message History:
None.
Source Message Contents
Date: Fri, 1 Apr 2005 16:44:51 +0200
Subject: BakBone Netvault 6.x/7.x Local Stack Buffer Overflow
According to their website (bakbone.com),
BakBone Netvault 6.x/7.x is a professional backup software with several offices in the
world and some pro customers as Apple, AT&T, Pirelli, LMU, HP, NIP, NASA, etc....
A Vulnerability exists in the configure.cfg file
advisory: class101.org/netv-locsbof.pdf
poc: class101.org/36/55/op.php
recommendation: to set strict ACL rules on this file.
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
According to their website (bakbone.com),
BakBone Netvault 6.x/7.x is a professional backup software with several offices in the
world and some pro customers as Apple, AT&T, Pirelli, LMU, HP, NIP, NASA, etc....
A Vulnerability exists in the netvault server
advisory: class101.org/netv-remhbof.pdf
poc: class101.org/36/55/op.php
recommendation: to block incoming connections to 20031/tcp, 20031/udp
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------