Veritas Backup Exec Remote Agent For Windows Use-After-Free

2017.05.28
Credit: Matthew Daley
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Affected software: Veritas (previously Symantec) Backup Exec Remote Agent for Windows
Affected versions: All versions before Backup Exec 16 FP1, Backup Exec 15 14.2.1180.3160, Backup Exec 2014 14.1.1187.1126
Vulnerability type: Use-after-free
Impact: Unauthenticated remote code execution as SYSTEM user
Solution: Install the latest version across all hosts with the agent installed
Website: https://www.veritas.com/product/backup-and-recovery/backup-exec
Vendor disclosure: https://www.veritas.com/content/support/en_US/security/VTS17-006.html

Summary:

The Backup Exec Remote Agent for Windows is vulnerable to a use-after-free in its handling of SSL/TLS-wrapped NDMP connections. If an SSL/TLS session is established on an NDMP connection, ended, and then re-established, the agent re-uses previously freed SSL/TLS structures. This allows for remote code execution over an unauthenticated network connection. (Note: the requirement for authentication given in the MITRE CVE description is incorrect; no authentication is required.)

Detail:

The agent accepts NDMP connections on TCP port 10000. The vendor-specific `0xF383` NDMP packet type allows NDMP connections to be wrapped in an SSL/TLS session. Sub-type `4` initiates the SSL/TLS handshake; after it completes successfully, the client and server continue the NDMP session inside the SSL/TLS session.

The agent uses OpenSSL to handle these SSL/TLS sessions. When an SSL/TLS session is created, the agent creates the necessary OpenSSL structures, including a `struct BIO` built from the connection's network socket with `BIO_new_socket`. When the SSL/TLS session ends, this structure is freed by `BIO_free`, called from within `SSL_free`. However, if an SSL/TLS session is then re-established on the same NDMP connection, the previously freed `BIO` is re-used in the new SSL/TLS session even though it is no longer allocated.

The `BIO` is stored during the first session setup and retrieved during the second session setup as a member of the `CSecuritySSLConnection` class, despite the earlier call to `SSL_free` having freed it. This is a use-after-free: the `BIO` contains a pointer to a structure of function pointers (`BIO_METHOD *method`) used to perform operations such as reading from and writing to the wrapped object (in this case, the network socket). By overwriting the previously allocated `BIO` with controlled data, it is possible to gain remote code execution when OpenSSL attempts to call one of these function pointers.

- Matthew Daley
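The lifecycle defect described above, modelled as an added C example (not the agent's code and not OpenSSL): tiny stand-ins for `BIO` and `SSL` that follow OpenSSL's ownership rule (`SSL_set_bio` hands the `BIO` to the `SSL`, `SSL_free` releases it), a connection object that keeps the `BIO` pointer as a member the way the advisory describes, and a hardened variant that drops the pointer and creates a fresh `BIO` for every session. `conn_t`, `start_session_vuln`, `start_session_fixed` and `reestablish_is_safe` are names assumed for this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Stand-ins for the OpenSSL objects involved (constructed for this example, not OpenSSL). The
 * 'freed' flag models "no longer allocated"; memory is kept so the flag stays readable. */
typedef struct { int fd; bool freed; } BIO;
typedef struct { BIO *bio; } SSL;

static BIO *BIO_new_socket(int fd) { BIO *b = calloc(1, sizeof *b); b->fd = fd; return b; }
/* Real OpenSSL semantics: SSL_set_bio transfers ownership, SSL_free then frees the BIO. */
static void SSL_set_bio(SSL *s, BIO *b) { s->bio = b; }
static void SSL_free(SSL *s) { if (s->bio) s->bio->freed = true; free(s); }

/* Models the CSecuritySSLConnection pattern: the BIO is kept as a member across sessions. */
typedef struct { int sock; BIO *bio; SSL *ssl; } conn_t;

/* Vulnerable pattern: on re-establishment the stored (already freed) BIO is handed to a new SSL. */
static bool start_session_vuln(conn_t *c) {
    if (!c->bio) c->bio = BIO_new_socket(c->sock);   /* second call: stale pointer is reused */
    c->ssl = calloc(1, sizeof *c->ssl);
    SSL_set_bio(c->ssl, c->bio);
    return !c->bio->freed;                           /* false == use-after-free from here on */
}
static void end_session_vuln(conn_t *c) { SSL_free(c->ssl); c->ssl = NULL; } /* c->bio left dangling */

/* Hardened pattern: the connection never keeps a BIO it no longer owns. */
static bool start_session_fixed(conn_t *c) {
    c->bio = BIO_new_socket(c->sock);                /* fresh BIO for every SSL session */
    c->ssl = calloc(1, sizeof *c->ssl);
    SSL_set_bio(c->ssl, c->bio);
    return !c->bio->freed;
}
static void end_session_fixed(conn_t *c) { SSL_free(c->ssl); c->ssl = NULL; c->bio = NULL; }

/* Drive the establish / end / re-establish sequence from the advisory on one NDMP connection
 * and report whether the second session starts on a live BIO. */
bool reestablish_is_safe(bool fixed) {
    conn_t c = { .sock = 7 };                        /* constructed socket number */
    if (fixed) { start_session_fixed(&c); end_session_fixed(&c); return start_session_fixed(&c); }
    start_session_vuln(&c); end_session_vuln(&c); return start_session_vuln(&c);
}
```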

References:

https://www.veritas.com/product/backup-and-recovery/backup-exec
https://www.veritas.com/content/support/en_US/security/VTS17-006.html

