what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Veritas Backup Exec Remote Agent For Windows Use-After-Free

Veritas Backup Exec Remote Agent For Windows Use-After-Free
Posted May 27, 2017
Authored by Matthew Daley

Veritas Backup Exec Remote Agent for Windows suffers from a use-after-free vulnerability. All versions before Backup Exec 16 FP1, Backup Exec 15 14.2.1180.3160, and Backup Exec 2014 14.1.1187.1126 are affected.

tags | advisory, remote
systems | windows
advisories | CVE-2017-8895
SHA-256 | 8ceb02397eea9ab98abf9619f4ab71f85b7ac2f8ffa9d669f5e674239b69ebd6

Veritas Backup Exec Remote Agent For Windows Use-After-Free

Change Mirror Download
Affected software: Veritas (previously Symantec) Backup Exec Remote
Agent for Windows
Affected versions: All versions before Backup Exec 16 FP1, Backup Exec
15 14.2.1180.3160, Backup Exec 2014 14.1.1187.1126

Vulnerability type: Use-after-free
Impact: Unauthenticated remote code execution as SYSTEM user
Solution: Install the latest version across all hosts with the agent installed

Website: https://www.veritas.com/product/backup-and-recovery/backup-exec
Vendor disclosure:
https://www.veritas.com/content/support/en_US/security/VTS17-006.html


Summary:

The Backup Exec Remote Agent for Windows is vulnerable to a
use-after-free in its handling of SSL/TLS-wrapped NDMP connections. If
SSL/TLS is established on a NDMP connection, ended, and finally
re-established, the agent will re-use previously freed SSL/TLS
structures. This allows for remote code execution over an
unauthenticated network connection. (Note: the requirement for
authentication given in the MITRE CVE description is incorrect; no
authentication is required.)


Detail:

The agent accepts NDMP connections on TCP port 10000. The
vendor-specific `0xF383` NDMP packet type allows for NDMP connections
to be wrapped in a SSL/TLS session. Sub-type `4` initiates the SSL/TLS
handshake; after successfully completing this the client and server
continue the NDMP session through the SSL/TLS session.

The agent makes use of OpenSSL to handle these SSL/TLS sessions. When
a SSL/TLS session is created, the agent creates necessary OpenSSL
structures, including a `struct BIO` from the connection's associated
network socket using `BIO_new_socket`. Upon the end of the SSL/TLS
session, this structure is freed by a call to `BIO_free` through a
call to `SSL_free`.

However, if a SSL/TLS connection is then re-established on the same
NDMP connection, the previously freed `BIO` is re-used in the new
SSL/TLS session even though it is no longer allocated. The `BIO` is
stored during the first connection setup and then retrieved during
second connection setup as a member of the `CSecuritySSLConnection`
class, despite the call to `SSL_free` previously freeing it. This
leads to a use-after-free as the `BIO` contains a pointer to a
structure (`BIO_METHOD *method`) of function pointers that are used to
perform operations such as reading and writing from the wrapped `BIO`
object (in this case, the network socket).

By overwriting the previously allocated `BIO` with controlled data, it
is possible to gain remote code execution when OpenSSL attempts to
call one of these function pointers.


- Matthew Daley


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close