Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs

Summary

Name: Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs (RW Everyone)
Release Date: 2 October 2013
Reference: NGS00347
Discoverer: Edward Torkington <edward.torkington@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4677
Systems Affected: Symantec Backup Exec 2012
Risk: Medium
Status: Published

Timeline

Discovered: 24 July 2012
Released: 24 July 2012
Approved: 24 July 2012
Reported: 24 July 2012
Fixed: 1 August 2013
Published: 30 September 2013

Description

Authenticated low-privileged users may be able to read/write to memory
which is being used as part of the backup/restore process of the host. This
is likely to allow an authenticated attacker an opportunity to elevate
their privileges.

Technical Details

Whilst the host is being backed up, the beremote.exe process creates several
sections with weak ACLs. These sections appear to contain backup and
restore information, both of which could be useful to an attacker. A PoC
was developed to dump all data seen to traverse these shared sections. This
allowed for the recovery of information which would allow for privileges to
be escalated. Ten sections are created:

NDMP_SharedBuffer.{GUID}.0
NDMP_SharedBuffer.{GUID}.1
NDMP_SharedBuffer.{GUID}.2
NDMP_SharedBuffer.{GUID}.x

Permissions allow Everyone RW access to the sections.
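
The following audit check is an added example, not part of the advisory or of Symantec's code. It takes the SDDL form of a section object's security descriptor and reports whether the DACL grants Everyone map-read or map-write access, which is the condition described above. The SDDL strings and the two "Constructed.*" names are constructed sample data, and retrieving the SDDL from a live section is assumed to happen elsewhere.

```python
import re

# Section access rights from winnt.h; generic rights are reduced to the map bits.
SECTION_MAP_WRITE, SECTION_MAP_READ, BOTH = 0x0002, 0x0004, 0x0006
GENERIC = {"GA": BOTH, "GR": SECTION_MAP_READ, "GW": SECTION_MAP_WRITE}
GENERIC_HEX = {0x10000000: BOTH, 0x80000000: SECTION_MAP_READ, 0x40000000: SECTION_MAP_WRITE}
EVERYONE = {"WD", "S-1-1-0"}  # SDDL alias and SID string for Everyone
ACE = re.compile(r"\(([^;)]*);[^;)]*;([^;)]*);[^;)]*;[^;)]*;([^;)]*)\)")

def rights_mask(field):
    """Reduce an SDDL rights field to SECTION_MAP_READ / SECTION_MAP_WRITE bits."""
    if field.lower().startswith("0x"):
        value = int(field, 16)
        mask = value & BOTH
        for bit, mapped in GENERIC_HEX.items():
            mask |= mapped if value & bit else 0
        return mask
    mask = 0  # two-letter codes; anything other than GA/GR/GW is ignored here
    for i in range(0, len(field), 2):
        mask |= GENERIC.get(field[i:i + 2], 0)
    return mask

def everyone_access(sddl):
    """Return the map rights ('read', 'write') the DACL grants to Everyone."""
    if "D:" not in sddl:
        raise ValueError("SDDL string has no DACL component")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    allowed = denied = 0
    if dacl.startswith("NO_ACCESS_CONTROL"):
        allowed = BOTH  # NULL DACL: every caller gets full access
    for ace_type, rights, sid in ACE.findall(dacl):  # ACEs apply in order
        if sid in EVERYONE and ace_type == "D":
            denied |= rights_mask(rights)
        elif sid in EVERYONE and ace_type == "A":
            allowed |= rights_mask(rights) & ~denied
    names = ((SECTION_MAP_READ, "read"), (SECTION_MAP_WRITE, "write"))
    return [label for bit, label in names if allowed & bit]

def audit(sections):
    """Return {section name: Everyone's rights} for the exposed sections only."""
    return {n: acc for n, s in sections.items() if (acc := everyone_access(s))}

# Constructed sample descriptors; the advisory does not publish the real SDDL.
SAMPLE = {
    "NDMP_SharedBuffer.{GUID}.0": "O:SYG:SYD:(A;;0x6;;;WD)(A;;0xf001f;;;SY)",
    "NDMP_SharedBuffer.{GUID}.1": "O:SYG:SYD:NO_ACCESS_CONTROL",
    "Constructed.Hardened": "O:SYG:SYD:(A;;0xf001f;;;SY)(A;;0xf001f;;;BA)",
    "Constructed.DenyWrite": "O:SYG:SYD:(D;;0x2;;;WD)(A;;GRGW;;;WD)",
}
```

The check only considers ACEs that name Everyone directly; grants to other broad groups such as Authenticated Users would need their SIDs added to the set.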

Fix Information

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130801_00
