CVE-2005-0773
published 2005-06-18

Priority: P1 81 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (VulnCheck KEV)
EPSS: 86.37% (99.7th percentile)
Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9.0 through 10.0 for Windows, and 9.0.4019 through 9.1.307 for Netware allows remote attackers to execute arbitrary code via a CONNECT_CLIENT_AUTH request with authentication method type 3 (Windows credentials) and a long password argument.

Affected

22 ranges
Vendor             Product       Version range    Fixed in
symantec_veritas   backup_exec   (not captured)   (not captured)
(All 22 ranges list the same vendor and product; the version range and fixed-in values were not captured on this page.)

Detection & IOCs (extracted from sources)

port: 10000
command: CONNECT_CLIENT_AUTH request with authentication method type 3 (Windows credentials) and a long password argument
bytes: Message name 0x901 (connect_client_auth), auth type 3, username 512 bytes of 'X', password >= 8192 bytes
bytes: SEH overwrite offsets: \xeb\x06 at password[3536], ret at password[3540]; \xeb\x06 at password[4524], ret at password[4528]
  • Monitor TCP port 10000 (NDMP / Veritas Backup Exec Remote Agent) for oversized CONNECT_CLIENT_AUTH requests with authentication type 3 and a password field well beyond normal bounds (more than 512 bytes is anomalous; the public exploit uses about 8192 bytes).
  • Detect NDMP message 0x901 (connect_client_auth) packets on port 10000 where the authentication type field equals 3 and the password length field encodes a value significantly larger than expected (the exploit sets 8192 bytes).
  • Look for SEH-smash shellcode patterns in the password field: short jump bytes \xeb\x06 followed by a 4-byte return address at offsets of about 3536 and 4524 within the password buffer, and a long backward jump \xe9 at offsets of about 3544 and 4532.
  • The exploit's username field is a fixed 512-byte string of 'X' characters; a username of exactly 512 'X' bytes in a CONNECT_CLIENT_AUTH request is a strong indicator of exploitation.
  • Reliable exploitation abuses a SEH pointer overwrite; corruption of the structured exception handler chain in beremote.exe or related Veritas agent processes following a large inbound NDMP request is indicative.
  • The Metasploit module targets Veritas BE 9.0/9.1/10.0 on all Windows platforms using hardcoded return addresses; the two known RET gadget addresses differ between the 'All Windows' and 'Windows 2000' targets.
  • The payload space is limited to 1024 bytes with null bytes as bad characters; payloads must avoid \x00 and fit within 1024 bytes, placed starting at offset 3536 minus the payload length within the password buffer.
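A defender-side checker for the indicators above, added here as an example and not taken from the page's sources or from the Metasploit module. It assumes a simplified record layout (message code, auth type, then length-prefixed username and password with big-endian u32 lengths) that stands in for the real NDMP/XDR framing, which a production detector would have to parse properly; the thresholds and the 512-'X' username come from the notes above, and the two sample records are constructed here.

```python
import struct

# Thresholds taken from the detection notes above.
MSG_CONNECT_CLIENT_AUTH = 0x901
AUTH_TYPE_WINDOWS = 3
MAX_EXPECTED_PASSWORD = 512      # a longer declared password is anomalous
EXPLOIT_USERNAME = b"X" * 512    # fixed username used by the public exploit

def _u32(data: bytes, off: int):
    """Big-endian u32 at off, or None when the buffer is too short."""
    return struct.unpack_from(">I", data, off)[0] if off + 4 <= len(data) else None

def parse_client_auth(data: bytes):
    """Parse the ASSUMED simplified layout (not the real NDMP/XDR framing):
    u32 msg code | u32 auth type | u32 user len | user | u32 pass len | pass.
    Declared lengths are kept even when the payload is truncated, since an
    oversized length field is itself the signal the detection notes describe."""
    code, auth, ulen = _u32(data, 0), _u32(data, 4), _u32(data, 8)
    if code != MSG_CONNECT_CLIENT_AUTH or auth is None or ulen is None:
        return None
    user = data[12:12 + ulen]
    plen = _u32(data, 12 + ulen)
    if plen is None:
        return None
    return {"auth_type": auth, "username": user, "declared_password_len": plen,
            "password": data[16 + ulen:16 + ulen + plen]}

def assess_client_auth(data: bytes) -> list:
    """Reasons a record matches the CVE-2005-0773 pattern; empty list = benign."""
    rec = parse_client_auth(data)
    if rec is None:
        return []
    reasons = []
    if rec["auth_type"] == AUTH_TYPE_WINDOWS and rec["declared_password_len"] > MAX_EXPECTED_PASSWORD:
        reasons.append(f"auth type 3 with declared password length {rec['declared_password_len']} > {MAX_EXPECTED_PASSWORD}")
    if rec["username"] == EXPLOIT_USERNAME:
        reasons.append("username is exactly 512 'X' bytes (public exploit signature)")
    if len(rec["password"]) < rec["declared_password_len"]:
        reasons.append("declared password length exceeds bytes actually present")
    return reasons

def build_record(auth_type: int, username: bytes, password: bytes) -> bytes:
    """Encode a record in the assumed layout; used only to construct samples."""
    return (struct.pack(">III", MSG_CONNECT_CLIENT_AUTH, auth_type, len(username))
            + username + struct.pack(">I", len(password)) + password)

# Constructed samples: an ordinary login and one shaped like the exploit traffic.
BENIGN_RECORD = build_record(3, b"backupadmin", b"s3cret")
SUSPECT_RECORD = build_record(3, b"X" * 512, b"A" * 8192)
```

A capture that is cut short mid-password still trips the length check, because the declared length, not the bytes present, is what the detector compares.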

CVSS provenance

nvd: v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 7.5 HIGH
vendor_redhat: 2.1 LOW