[Dshield] VERITAS BACKUP AGENT VULNERABILITY *AND* 0-DAY EXPLOIT

Frank Knobbe frank at knobbe.us
Fri Aug 12 18:06:37 GMT 2005


On Thu, 2005-08-11 at 21:14 -0400, David Taylor wrote:
> Snort Signature provided by Frank Knobbe (untested) feel free to provide
> feedback
> http://www.bleedingsnort.com/ bleeding-exploit.rules
> 
>  sid:2002176;


The BleedingSnort sigs for the BackupExec issue have been improved. They
now also check if the attacked agent is indeed vulnerable (based on the
check the exploit performs). If you don't want the pure "attempt" to
generate an alert, add a "flowbits:noalert;" to the first sig.

Many thanks to Mark Tombaugh for his assistance with pcaps and testing.

Enjoy!
Frank


alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:default-login-attempt; sid:2002181; rev:3;)

alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:misc-attack; sid:2002182; rev:3;)



-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
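A small Python model of how the two rules above chain through the SID2002181 flowbit, added here as an illustration; it is not part of Frank's post or of the BleedingSnort rule set. It reuses the hex patterns from the rules verbatim, but the packet bytes, the addresses, the 8-byte header and the simplified offset/depth/distance/within handling are constructed assumptions, not real agent traffic or the Snort engine. It also shows the effect of putting "flowbits:noalert;" on the first rule, as the message suggests.

```python
"""Toy two-stage flowbits detector (constructed example, not the Snort engine)."""

# Patterns copied from sid:2002181 and sid:2002182; bytes.fromhex ignores the spaces.
ATTEMPT = bytes.fromhex(
    "0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 "
    "726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f"
)  # 44 bytes; 0x726f6f74 is "root"
REPLY_HDR = bytes.fromhex("0000 0001 0000 0901")   # first content of the Vulnerable rule
REPLY_OK = bytes.fromhex("0000 0000 0000 0000")    # second content of the Vulnerable rule

MSG_ATTEMPT = "BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"
MSG_VULN = "BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"


def content(payload, pattern, *, offset=0, depth=None, start=None, distance=None, within=None):
    """Return the index just past a match, or None.

    Simplified model of Snort content modifiers: an absolute offset/depth window for a
    first match, and a distance/within window relative to the end of a previous match.
    (Assumption: depth is counted from the offset; the patterns here fit either way.)
    """
    if start is None:
        lo = offset
        hi = len(payload) if depth is None else offset + depth
    else:
        lo = start + (distance or 0)
        hi = len(payload) if within is None else lo + within
    idx = payload.find(pattern, lo, hi)
    return None if idx < 0 else idx + len(pattern)


class FlowbitsDetector:
    """Keeps the SID2002181 flowbit per flow and evaluates both rules on each packet."""

    def __init__(self, alert_on_attempt=True):
        # alert_on_attempt=False models adding "flowbits:noalert;" to the first rule.
        self.alert_on_attempt = alert_on_attempt
        self.bits = {}  # flow key -> set of flowbit names

    def inspect(self, flow, direction, payload):
        """Return the alert messages raised by one packet of a given flow."""
        alerts = []
        bits = self.bits.setdefault(flow, set())
        if direction == "to_server" and "SID2002181" not in bits:      # flowbits:isnotset
            if content(payload, ATTEMPT, offset=8, depth=52) is not None:
                bits.add("SID2002181")                                  # flowbits:set
                if self.alert_on_attempt:
                    alerts.append(MSG_ATTEMPT)
        elif direction == "from_server" and "SID2002181" in bits:      # flowbits:isset
            end = content(payload, REPLY_HDR, offset=8, depth=16)
            if end is not None and content(payload, REPLY_OK, start=end,
                                           distance=4, within=12) is not None:
                alerts.append(MSG_VULN)
        return alerts


def demo(alert_on_attempt=True):
    """Run three constructed exchanges and return the alerts each one produced."""
    det = FlowbitsDetector(alert_on_attempt)
    hdr = b"\x00" * 8  # constructed 8-byte prefix so the patterns sit at offset 8
    request = hdr + ATTEMPT + b"\x00" * 16                          # constructed request
    vulnerable_reply = hdr + REPLY_HDR + b"\x00\x00\x00\x10" + REPLY_OK
    patched_reply = hdr + REPLY_HDR + b"\x00\x00\x00\x10" + b"\xff\xff\xff\xff\x00\x00\x00\x00"

    results = {}
    flow = ("10.0.0.5:40001", "10.0.0.9:10000")                     # constructed addresses
    results["vulnerable"] = (det.inspect(flow, "to_server", request)
                             + det.inspect(flow, "from_server", vulnerable_reply))
    flow = ("10.0.0.6:40002", "10.0.0.9:10000")
    results["patched"] = (det.inspect(flow, "to_server", request)
                          + det.inspect(flow, "from_server", patched_reply))
    flow = ("10.0.0.7:40003", "10.0.0.9:10000")
    results["unsolicited"] = det.inspect(flow, "from_server", vulnerable_reply)  # no prior attempt
    return results


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, "->", alerts or "no alert")
    print("noalert on first sig ->", demo(alert_on_attempt=False)["vulnerable"])
```

The "patched" flow shows why the second rule matters: the attempt still sets the flowbit, but a reply whose status bytes are non-zero never trips the Vulnerable signature. The "unsolicited" flow shows the flowbit gating in the other direction, since a matching reply with no preceding attempt on that flow raises nothing.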