Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] TSRT-06-01: Symantec VERITAS NetBackup vnetd Buffer Ov

from [zdi-disclosures] Network Security [Permanent Link]
Subject: [Full-disclosure] TSRT-06-01: Symantec VERITAS NetBackup vnetd Buffer Overflow Vulnerability
Date: Mon, 27 Mar 2006 12:27:14 -0800 
TSRT-06-01: Symantec VERITAS NetBackup vnetd Buffer Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-01.html
March 27, 2006

-- CVE ID:
CVE-2006-0991

-- Affected Vendor:
Symantec VERITAS

-- Affected Products:
VERITAS NetBackup 6.0 Client
VERITAS NetBackup 6.0 Server

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since January 23, 2006 by Digital Vaccine protection
filter ID 4021. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable Symantec VERITAS NetBackup client and server installations.
Authentication is not required to exploit this vulnerability.

This specific flaw exists within specially crafted messages to the
vnetd service, listening on TCP port 13724 via opcode 6 (Request
Service).  An attacker can overrun two fixed size buffers, one on the
stack, and the other in the .data section of the executable.

In the main function of bpspsserver, a call to get_adaptable_string()
at 0x0040243A reads in a variable length string from the network in the
form of '[len][string]'. This string is then copied via a sprintf() at
0x00402458, and a swprintf() at 0x00402479 into two different fixed
sized buffers. The first buffer is on the stack and the second buffer
is a global variable.

-- Vendor Response:
Symantec engineers have addressed these issues in all currently
supported versions of NetBackup. Symantec engineers did additional
reviews and will continue on-going reviews of related file
functionality to further enhance the overall security of Veritas
NetBackup products and to eliminate any additional potential concerns.

Security updates are available for all supported products. Symantec
strongly recommends all customers immediately apply the latest
cumulative Security Pack updates or Maintenance Pack releases as
indicated for their supported product versions to protect against
threats of this nature.

http://support.veritas.com/docs/281521 

-- Disclosure Timeline:
2006.01.23 - Vulnerability reported to vendor
2006.01.23 - Digital Vaccine released to TippingPoint customers
2006.03.27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by the TippingPoint Security Research

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] TSRT-06-01: Symantec VERITAS NetBackup vnetd Buffer Overflow Vulnerability, zdi-disclosures <=
Previous by Date:  [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), Coleman Kane
Next by Date:  [Full-disclosure] ZDI-06-006: Symantec VERITAS NetBackup Database Manager Buffer Overflow, zdi-disclosures
Previous by Thread:  [Full-disclosure] [ GLSA 200603-25 ] OpenOffice.org: Heap overflow in included libcurl, Stefan Cornelius
Next by Thread:  [Full-disclosure] ZDI-06-006: Symantec VERITAS NetBackup Database Manager Buffer Overflow, zdi-disclosures
Indexes:  [Date] [Thread] [Top] [All Lists]