CVE-2005-0773
Published 2005-06-18
Priority: P1 · 81 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 86.37% (99.7th percentile)
Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9.0 through 10.0 for Windows, and 9.0.4019 through 9.1.307 for Netware allows remote attackers to execute arbitrary code via a CONNECT_CLIENT_AUTH request with authentication method type 3 (Windows credentials) and a long password argument.
Affected
22 ranges (version range and fix data were not extracted; all 22 rows are the same vendor/product)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec_veritas | backup_exec | — | — |
Detection & IOCs (extracted from sources)
- command: CONNECT_CLIENT_AUTH request with authentication method type 3 (Windows credentials) and a long password argument
- bytes: Message name 0x901 (connect_client_auth), auth type 3, username 512 bytes of 'X', password >= 8192 bytes
- bytes: SEH overwrite offsets: \xeb\x06 at password[3536], ret at password[3540]; \xeb\x06 at password[4524], ret at password[4528]
- Monitor TCP port 10000 (NDMP/Veritas Backup Exec Remote Agent) for oversized CONNECT_CLIENT_AUTH requests with authentication type 3 and password fields exceeding normal bounds (>512 bytes is anomalous; the exploit uses ~8192 bytes).
- Detect NDMP message 0x901 (connect_client_auth) packets on port 10000 where the authentication type field equals 3 and the password length field encodes a value significantly larger than expected (the exploit sets 8192 bytes).
- Look for SEH-smash shellcode patterns in the password field: short jump bytes \xeb\x06 followed by a 4-byte return address at offsets ~3536 and ~4524 within the password buffer, and a long backward jump \xe9 at offsets ~3544 and ~4532.
- The exploit username field is a fixed 512-byte string of 'X' characters; a username of exactly 512 'X' bytes in a CONNECT_CLIENT_AUTH request is a strong indicator of exploitation.
- Reliable exploitation abuses a SEH pointer overwrite; structured exception handler chain corruption in beremote.exe or related Veritas agent processes following a large inbound NDMP request is indicative.
- The Metasploit module targets Veritas BE 9.0/9.1/10.0 on all Windows platforms using hardcoded return addresses; the two known RET gadget addresses differ between the 'All Windows' and 'Windows 2000' targets.
- The payload space is limited to 1024 bytes with null bytes as bad characters; payloads must avoid \x00 and fit within 1024 bytes, placed starting at offset 3536 minus payload length within the password buffer.
CVSS provenance
- nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck: 7.5 HIGH
- vendor_redhat: 2.1 LOW
GHSA
GHSA-6cc3-qfmx-w8fp: Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9
ghsa_unreviewed · 2022-05-01 · CVE-2005-0773 [HIGH]
Description: same text as the CVE description above.
VulnCheck
Veritas Backup Exec Agent Out-of-bounds Write
vulncheck · 2005 · CVSS 7.5 · CVE-2005-0773 [HIGH]
Description: same text as the CVE description above.
Affected: Veritas Backup Exec Agent
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.kb.cert.org/vuls/id/492105
Red Hat
lost fput in a 32-bit ioctl on 64-bit x86 systems
vendor_redhat · 2007-06-22 · CVSS 2.1 · CVE-2007-0773 [LOW]
The Linux kernel before 2.6.9-42.0.8 in Red Hat 4.4 allows local users to cause a denial of service (kernel OOPS from null dereference) via fput in a 32-bit ioctl on 64-bit x86 systems, an incomplete fix of CVE-2005-3044.1.
No detection rules found.
Exploit-DB
Veritas Backup Exec Windows - Remote Agent Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2005-0773

```ruby
##
# $Id: remote_agent.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header and the start of initialize were lost in extraction; they are
# restored here from the standard Metasploit 3 module layout. The module body
# after the description is not included on this page.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Veritas Backup Exec Windows Remote Agent Overflow',
			'Description' => %q{
					This module exploits a stack buffer overflow in the Veritas
				BackupExec Windows Agent software. This vulnerability occurs
				when a client authentication request is received with type
				'3' and a long password argument. Reliable execution is
				obtained by abusing the stack buffer overflow to smash a SEH
				pointer.
			},
			# ... remaining module metadata and exploit body truncated on this page
```
Metasploit
Veritas Backup Exec Windows Remote Agent Overflow
metasploit
This module exploits a stack buffer overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack buffer overflow to smash a SEH pointer.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/15789
- http://securitytracker.com/id?1014273
- http://seer.support.veritas.com/docs/276604.htm
- http://seer.support.veritas.com/docs/277429.htm
- http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities&flashstatus=true
- http://www.kb.cert.org/vuls/id/492105
- http://www.osvdb.org/17624
- http://www.securityfocus.com/bid/14022
- http://www.us-cert.gov/cas/techalerts/TA05-180A.html