nessus | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. | BEWS_DOS.NASL
HistoryNov 29, 2007 - 12:00 a.m.

Symantec Backup Exec for Windows Servers Denial of Service Vulnerabilities

2007-11-29 00:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com

Backup Exec for Windows Servers, a commercial backup product from Symantec, is installed on the remote host.

The version of the Backup Exec Job Engine, bengine.exe, installed as part of Backup Exec for Windows Server on the remote host contains a NULL pointer dereference error when handling exceptions. Using a specially crafted packet, an attacker can leverage this issue to crash the affected service.

In addition, it is affected by two overflow errors that can cause the service to enter an infinite loop, resulting in high CPU utilization and / or memory exhaustion.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when the engine loads the plugin with 'description' set,
# only the metadata below is recorded and the script exits before any of the
# check logic further down runs.
if (description)
{
  script_id(28361);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  # Both CVEs / Bugtraq IDs are reported together by this single check.
  script_cve_id("CVE-2007-4346", "CVE-2007-4347");
  script_bugtraq_id(26028, 26029);

  script_name(english:"Symantec Backup Exec for Windows Servers Denial of Service Vulnerabilities");
  # Detection is by the file version of bengine.exe; the script body does not
  # send any packet to the Job Engine service itself.
  script_summary(english:"Checks version of bengine.exe");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is affected by
several denial of service vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"Backup Exec for Windows Servers, a commercial backup product from
Symantec, is installed on the remote host.

The version of the Backup Exec Job Engine, bengine.exe, installed as
part of Backup Exec for Windows Server on the remote host contains a
NULL pointer dereference error when handling exceptions. Using a
specially crafted packet, an attacker can leverage this issue to crash
the affected service.

In addition, it is affected by two overflow errors that can cause the
service to enter an infinite loop, resulting in high CPU utilization
and / or memory exhaustion.");
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2007-74/advisory/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/484318/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/484333/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Apply the appropriate hotfix according to the vendor advisories above.");
  # CVSS v2 base vector: reachable over the network, low complexity, no
  # authentication; no confidentiality or integrity impact, complete loss of
  # availability (consistent with the denial-of-service description above).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # CWE-189 (Numeric Errors) and CWE-399 (Resource Management Errors).
  script_cwe_id(189, 399);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/29");

  # "local": the script body reads the registry and the file version over an
  # authenticated SMB session, so a result depends on working credentials.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:veritas_backup_exec");
  script_end_attributes();

  # Information gathering only.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # Prerequisites: the script body re-checks the same KB item before it opens
  # any SMB session, and the session is made over the SMB ports listed here.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");


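# The registry must already have been enumerated (same key as in
# script_require_keys). Record the reason in the audit trail rather than
# exiting silently, so a skipped check is not mistaken for a clean result.
if (!get_kb_item("SMB/Registry/Enumerated"))
  audit(AUDIT_KB_MISSING, "SMB/Registry/Enumerated");


# Connect to the appropriate share.
# Transport and credentials are taken from the knowledge base.
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# IPC$ is needed for the remote registry access that follows.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  # A failed share connection (for example bad credentials) means the host was
  # NOT assessed; report it the same way the smb_session_init failure is
  # reported instead of exiting with no message.
  audit(AUDIT_SHARE_FAIL, "IPC$");
}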


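# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  # Release the SMB connection before leaving.
  NetUseDel();
  # Without registry access the install path cannot be read, so the host has
  # not been assessed; leave an audit-trail entry instead of a silent exit(0).
  audit(AUDIT_REG_FAIL);
}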


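# Make sure it's installed.
#
# Only the 11.0 install key is consulted; 'path' stays NULL when the key cannot
# be opened or has no readable "Path" value.
path = NULL;

key = "SOFTWARE\Symantec\Backup Exec for Windows\Backup Exec\11.0\Install";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"Path");
  if (!isnull(value))
  {
    # value[1] holds the data; drop a single trailing backslash so the file
    # name can be appended later with exactly one separator.
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:value[1]);
  }

  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);

if (isnull(path))
{
  NetUseDel();
  # Same exit status as before, but with a reason recorded: a missing key and
  # an unreadable key both end up here, and neither is a "not vulnerable"
  # verdict for the product.
  exit(0, "The Backup Exec 11.0 install path could not be read from the registry.");
}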


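# Grab the file version of the affected file.
#
# The install path is split into an administrative share name built from the
# drive letter plus "$", and the path of bengine.exe relative to that share.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\bengine.exe", string:path);

# Drop the current share connection (close:FALSE is passed so the session can
# be reused for the next NetUseAdd -- NOTE(review): confirm against smb_func.inc).
NetUseDel(close:FALSE);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  # The account may lack access to the administrative share; that leaves the
  # host unassessed, so say so instead of exiting silently.
  audit(AUDIT_SHARE_FAIL, share);
}

# Open read-only and only if the file already exists.
fh = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();

# No version means no verdict: record that the file could not be opened or
# carried no version resource rather than ending without any message.
if (isnull(ver)) audit(AUDIT_VER_FAIL, path + "\bengine.exe");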


# Check the version number.
#
# Only 11.0 builds 7170 and 6235 are evaluated, each against its own hotfix
# level; any other 11.0 build exits without a finding, and a missing or
# non-11.0 version falls through without reporting anything.
if (!isnull(ver) && ver[0] == 11 && ver[1] == 0)
{
  fix = NULL;
  if (ver[2] == 7170) fix = "11.0.7170.25";
  else if (ver[2] == 6235) fix = "11.0.6235.29";

  if (isnull(fix)) exit(0);

  # Turn the dotted string into a list of integers for a numeric comparison.
  fix = split(fix, sep:'.', keep:FALSE);
  i = 0;
  while (i < 4)
  {
    fix[i] = int(fix[i]);
    i++;
  }

  # Compare component by component, most significant first; the first
  # component that differs decides the outcome.
  i = 0;
  while (i < max_index(ver))
  {
    if (ver[i] > fix[i]) break;
    if (ver[i] < fix[i])
    {
      # Installed build is older than the hotfixed build.
      security_hole(port);
      break;
    }
    i++;
  }
}
Vendor | Product | Version | CPE
symantec | veritas_backup_exec | - | cpe:/a:symantec:veritas_backup_exec