VERITAS NetBackup bpcd daemon command chaining vulnerability

2007-02-16T00:00:00
ID SAINT:55C06C01162F92924F9F505D1822BDCD
Type saint
Reporter SAINT Corporation
Modified 2007-02-16T00:00:00

Description

Added: 02/16/2007
CVE: CVE-2006-4902
BID: 21565
OSVDB: 31334

Background

VERITAS NetBackup is a backup and recovery solution for multiple platforms.

Problem

The NetBackup bpcd daemon fails to properly validate chained commands. A remote attacker could execute arbitrary commands by appending them to a valid command.

Resolution

Apply one of the maintenance packs referenced in the Symantec Security Advisory.

References

<http://www.kb.cert.org/vuls/id/252936>
<http://www.symantec.com/avcenter/security/Content/2006.12.13a.html>

Limitations

The exploit works on VERITAS NetBackup 5.0 and requires that the target host be able to connect back to SAINTexploit on ports 990/TCP and 69/UDP.

In order for the exploit to succeed, the address of the host running SAINTexploit must be present in Unicode format in the following registry key on the target:

> Key: HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config
>
> Value: Server
>
> Type: MULTI_SZ
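Because the exploit only succeeds from a host named in this Server value, the list is worth auditing on each NetBackup host. The following added example (not part of the SAINT advisory or of any vendor tooling) parses the text printed by `reg query` for that value and reports entries that are missing from an approved list; the sample output, host names and allowlist are constructed assumptions.

```python
import re

# Registry location named in the Limitations section above.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config"

# Constructed sample: text as printed by `reg query "<KEY>" /v Server`.
# reg.exe prints REG_MULTI_SZ entries joined by a literal backslash-zero.
SAMPLE_REG_QUERY = (
    "\n" + KEY + "\n"
    "    Server    REG_MULTI_SZ    nbu-master.example.internal\\0"
    "nbu-media01.example.internal\\0192.0.2.77\n\n"
)

# Hypothetical allowlist of approved backup servers (assumption).
APPROVED = {"nbu-master.example.internal", "nbu-media01.example.internal"}

# Match only the Server value line; [ \t] keeps the match on one line.
_SERVER_LINE = re.compile(
    r"^[ \t]+Server[ \t]+REG_MULTI_SZ[ \t]*(.*)$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_server_list(reg_output):
    """Return the Server entries, or None if the value is absent."""
    match = _SERVER_LINE.search(reg_output)
    if match is None:
        return None
    # strip() also removes the trailing \r of Windows line endings.
    return [e.strip() for e in match.group(1).split("\\0") if e.strip()]


def unexpected_servers(reg_output, approved):
    """Return listed servers that are not in the approved set."""
    servers = parse_server_list(reg_output)
    if servers is None:
        raise ValueError("Server value not found in reg query output")
    allowed = {name.lower() for name in approved}  # host names are case-insensitive
    return [s for s in servers if s.lower() not in allowed]


if __name__ == "__main__":
    for host in unexpected_servers(SAMPLE_REG_QUERY, APPROVED):
        print("not in approved list:", host)
```
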

This exploit requires the Perl threads module to be installed on the host running SAINTexploit.

Platforms

Windows