Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Retrospect Vendors:   EMC
EMC Retrospect Client Buffer Overflow Lets Remote Users Deny Service
SecurityTracker Alert ID:  1016136
SecurityTracker URL:
CVE Reference:   CVE-2006-2391   (Links to External Site)
Updated:  Sep 5 2009
Original Entry Date:  May 23 2006
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.5 Client for Windows; possibly earlier versions
Description:   A vulnerability was reported in EMC Retrospect. A remote user can cause denial of service conditions and may be able to execute arbitrary code.

A remote user can send specially crafted data to port 497 on the target system to trigger a buffer overflow and cause the target service to crash. A remote user can exploit this flaw to disable the backup process.

Under specific conditions, a remote user may be able to execute arbitrary code.

Luka Treiber of ACROS Security discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can cause denial of service conditions.

A remote user may be able to execute arbitrary code on the target system.

Solution:   The vendor has issued a patch.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  ACROS Security: Buffer Overflow In EMC (previously Dantz) Retroclient Service



ACROS Security Problem Report #2006-05-17-1
ASPR #2006-05-17-1: Buffer Overflow In Retroclient Service

Document ID:     ASPR #2006-05-17-1-PUB
Vendor:          EMC (
Target:          Retrospect 7.5 Client for Windows
Impact:          A buffer overflow vulnerability in Retroclient service 
                 can be exploited to crash Retrospect clients in the 
Severity:        Medium
Status:          Official patch available
Discovered by:   Luka Treiber of ACROS Security

Current version

We would like to acknowledge Eric Baize and Jamie Albertson from EMC
for extremely diligent and professional handling of the identified 


A buffer overflow vulnerability in Retroclient service can be exploited 
to crash Retrospect clients in the network. This enables an attacker to
easily disable the backup process throughout an organization.

Product Coverage

- Retrospect 7.5 Client for Windows - affected

Older versions are likely to be affected as well.


Altering content of one of the packets sent to the client during server-
client communication can result in a buffer overflow condition, which
crashes the client service.
Consequently, the automated backup process on the affected client no
longer works. Moreover, under specific circumstances this vulnerability
could be exploited for executing arbitrary code on the system running
the Retrospect client.
Note that access to corporate network is needed for exploiting this
vulnerability as it requires an attacker to establish a network
connection to a vulnerable client.

Attack Scenario:

The attacker is connected to a corporate network with his laptop. Using a 
port scanner, she locates machines with port 497 open, indicating the 
presence of Retroclient service. Using her malicious tool she mimics 
Retrospect server's behavior: simultaneously the tool connects to 
enumerated clients and sends them malicious data as described in the 
analysis above, which results in their crashing. In a short period of 
time all Retrospect clients in the network are disabled.


EMC has issued a security bulletin [1] and published a patch
which fixes this issue.


- We're not aware of any efficient workarounds for this issue.


[1] EMC Retrospect Knowledgebase


ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
   [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories

ACROS Security Papers

ASPR Notification and Publishing Policy


The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.

Revision History

May 17, 2006: Initial release


(c) 2006 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC