SAINT Corporation, SAINT:CBC5FD489E80DC75733F2D70A36497E3
Feb 16, 2007 - 12:00 a.m.

VERITAS NetBackup bpcd daemon command chaining vulnerability

2007-02-16 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.884 High
Percentile: 98.6%

Added: 02/16/2007
CVE: CVE-2006-4902
BID: 21565
OSVDB: 31334

Background

VERITAS NetBackup is a backup and recovery solution for multiple platforms.

Problem

The NetBackup bpcd daemon fails to properly validate chained commands. A remote attacker could execute arbitrary commands by appending them to valid commands.

Resolution

Apply one of the maintenance packs referenced in the Symantec Security Advisory.

References

<http://www.kb.cert.org/vuls/id/252936>
<http://www.symantec.com/avcenter/security/Content/2006.12.13a.html>

Limitations

The exploit works on VERITAS NetBackup 5.0 and requires the target host to have the ability to connect back to SAINTexploit on ports 990/TCP and 69/UDP.

In order for the exploit to succeed, the address of the host running SAINTexploit must be present in Unicode format in the following registry key on the target:

> Key: HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config
> Value: Server
> Type: MULTI_SZ

This exploit requires the Perl threads module to be installed on the host running SAINTexploit.
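
Because the exploit only succeeds when the connecting host appears in the Server value named above, a defender can audit that list for entries that are not known NetBackup servers. The following is an added example, not SAINT or Symantec code: it decodes the MULTI_SZ value from the text of a `reg export` of that key and reports entries missing from an allowlist. The function names, the sample export, and the host names in it are constructed for illustration.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config"

def encode_multi_sz(strings):
    """Build the hex(7) text reg.exe writes for a MULTI_SZ (used for the sample only)."""
    raw = "".join(s + "\0" for s in strings) + "\0"
    hexed = ",".join(f"{b:02x}" for b in raw.encode("utf-16-le"))
    # reg.exe wraps long values with a trailing backslash; mimic one wrap.
    return "hex(7):" + hexed[:60] + "\\\n  " + hexed[60:]

# Constructed sample export; host names and addresses are placeholders.
SAMPLE = ("Windows Registry Editor Version 5.00\n\n[" + KEY + "]\n"
          '"Server"=' + encode_multi_sz(["nbmaster01.example.test", "192.0.2.77"]) + "\n")

def server_list(reg_text, value="Server"):
    """Return the strings of MULTI_SZ `value` under KEY in .reg export text.

    Real exports are UTF-16 files: read them with open(path, encoding="utf-16").
    """
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # undo line wrapping
    pattern = re.compile(r'"%s"=hex\(7\):([0-9a-f,]*)' % re.escape(value), re.I)
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == KEY.lower():
            m = pattern.fullmatch(line)
            if m:
                data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
                # MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL
                return [s for s in data.decode("utf-16-le").split("\0") if s]
    return []

def unexpected_servers(reg_text, allowed):
    """Entries in the Server list that are not on the defender's allowlist."""
    allowed = {a.lower() for a in allowed}
    return [s for s in server_list(reg_text) if s.lower() not in allowed]

if __name__ == "__main__":
    for host in unexpected_servers(SAMPLE, ["nbmaster01.example.test"]):
        print("not an approved NetBackup server:", host)
```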

Platforms

Windows
