[Dshield] Veritas Backup Exec Windows Agent Remote File Access Exploit

Frank Knobbe frank at knobbe.us
Fri Aug 12 23:49:50 GMT 2005

On Fri, 2005-08-12 at 17:02 -0400, Mark Tombaugh wrote:
> At the moment its not just older versions. Afaict _any_ version is
> vulnerable. The logic flaw is in NDMP, the protocol behind bexec. 

Correct, but the heart of the issue is the hard coded root password,

> This exploit in particular results only in information disclosure. The
> exploit basically "backs up" any file from the backup server to the
> attackers system. 

What hasn't been discussed yet is the possibility of WRITING data to the
server. The exploit only reads data by using the "dump" command in the
DATA_START_BACKUP packet. Isn't there also a "restore" command? I mean,
if you are authenticated and authorized to BACKUP using the hard coded
root account, aren't you also able to RESTORE data to the server?

That would be ugly since it allows attackers to just restore their
rootkits onto the vulnerable system. Or download a file, modify and
upload it again. Or worse, perhaps even download the Registry, modify it
(say, add a hidden user account) and upload it again.

Anyone here familiar with the NDMP protocol that could provide more


Ciscogate: Shame on Cisco. Double-Shame on ISS.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20050812/55c91ab0/attachment.bin

More information about the list mailing list