[Dshield] VERITAS BACKUP AGENT VULNERABILITY *AND* 0-DAY EXPLOIT

David Taylor ltr at isc.upenn.edu
Fri Aug 12 01:14:45 GMT 2005


Hard coded root password in Network Data Management Protocol (NDMP) agent.
No patch available.  

Veritas Backup Exec Agent for Windows Remote File Access Issue
http://www.frsirt.com/english/advisories/2005/1387

Veritas Backup Exec Windows Agent Remote File Access Exploit (0day)
http://www.frsirt.com/exploits/20050811.backupexec_dump.pm.php

Port 10000

Slight increase in scans for this port
http://isc.sans.org/port_details.php?port=10000&repax=1&tarax=1&srcax=2&percent=N&days=40&Redraw=

Snort signature provided by Frank Knobbe (untested); feel free to provide
feedback.
http://www.bleedingsnort.com/ bleeding-exploit.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas Backup Exec Windows Agent Remote File Access Exploit"; flow:to_server,established; content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:string-detect; sid:2002176; rev:1;)


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org
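
An offline check of the signature posted above, added here as an example (not part of the original message, and not Frank Knobbe's or Bleeding Snort's code): it parses the rule's content option into bytes and evaluates port, flow direction and content against constructed payload records. The record layout (`to_server`, `established`, `payload`) and the function names are assumptions made for illustration.

```python
import re

# Rule as posted in the message, with the mail line-wrapping removed.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas '
    'Backup Exec Windows Agent Remote File Access Exploit"; '
    'flow:to_server,established; content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f '
    '91 3d 6f|"; reference:url,www.frsirt.com/english/advisories/2005/1387; '
    'reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; '
    'classtype:string-detect; sid:2002176; rev:1;)'
)

def parse_content(value):
    """Turn a Snort content string (literal text plus |hex| runs) into bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        # Odd-numbered chunks sit between pipes and hold hex byte values.
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Extract only the fields this rule uses: proto, dest port, flow, content."""
    header, options = rule.split("(", 1)
    fields = header.split()  # action proto src sport -> dst dport
    opts = dict(re.findall(r'(\w+):\s*"?([^";]*)"?;', options))
    return {"proto": fields[1], "dport": int(fields[6]),
            "flow": set(opts["flow"].split(",")),
            "content": parse_content(opts["content"]), "sid": int(opts["sid"])}

def matches(sig, seg):
    """seg describes one reassembled TCP payload (hypothetical record layout)."""
    flow_ok = ((seg["to_server"] or "to_server" not in sig["flow"]) and
               (seg["established"] or "established" not in sig["flow"]))
    return (seg["proto"] == sig["proto"] and seg["dport"] == sig["dport"]
            and flow_ok and sig["content"] in seg["payload"])

def run_samples():
    sig = parse_rule(RULE)
    pat = sig["content"]
    base = {"proto": "tcp", "dport": 10000, "to_server": True, "established": True}
    # Constructed payloads: filler bytes around the pattern, not captured traffic.
    samples = {
        "pattern_mid_stream": dict(base, payload=b"\x00" * 40 + pat + b"\x00" * 8),
        "pattern_truncated": dict(base, payload=b"\x00" * 40 + pat[:-1]),
        "other_port": dict(base, dport=10001, payload=pat),
        "server_reply": dict(base, to_server=False, payload=pat),
    }
    return {name: matches(sig, seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:20} {'ALERT' if hit else 'no alert'}")
```

Because the content option carries no offset or depth, the 16-byte pattern matches anywhere in a client-to-server payload on port 10000 and is not evaluated on any other port.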



