CVE-2005-1009
published 2005-05-02


Priority: P3 (56) · CVSS 2.0 base score: 10.0 (critical) · vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available · EPSS: 57.02% (98.9th percentile)
Multiple buffer overflows in BakBone NetVault 6.x and 7.x allow (1) remote attackers to execute arbitrary code via a modified computer name and length that leads to a heap-based buffer overflow, or (2) local users to execute arbitrary code via a long Name entry in the configure.cfg file.

Affected (2 ranges; version range and fixed-in version not captured on this page)

Vendor    Product    Version range    Fixed in
bakbone   netvault
bakbone   netvault

Detection & IOCs (extracted from sources)

port: 20031
path: configure.cfg
path: C:\Program Files\BakBone Software\NetVault
filename: configure.cfg
bytes: \xeb\x0a (JMP short at offset 32790) + \x7e\x6d\x03\x75 (ret Win2k SP4) / \x7c\x36\x9b\xbd (ret WinXP SP0/SP1)
bytes: ret Win2k SP4: \x7e\x6d\x03\x75; UEF Win2k SP4: \x4c\x14\x54\x7c; ret WinXP SP1: \xbd\x9b\x36\x7c; UEF WinXP SP1: \xb4\x73\xed\x77
bytes: \x81\xc4\xff\xef\xff\xff\x44 (PrependEncoder / stack adjustment: add esp, -0x1001; inc esp, i.e. esp -= 0x1000)
bytes: char vul[]="\x4E\x61\x6D\x65\x3D"; ("Name=", the vulnerable cfg key)
bytes: char esp[]="\xDD\x20\x02\x10"; (local exploit return address)
  • The remote exploit sends the overflow buffer repeatedly (up to 15 reconnections) to trigger the heap corruption: alert on repeated large TCP connections to port 20031 from the same source IP within a few seconds.
  • For the local vector, monitor writes to configure.cfg under the NetVault installation directory for an abnormally long 'Name=' value (the stack-overflow trigger).
  • The version-check response from a vulnerable NetVault server contains the string 'NVBuild'; use it to fingerprint exposed services on port 20031.
  • Return addresses and UEF (Unhandled Exception Filter) overwrites are OS/service-pack specific. The exploit targets Windows 2000 SP4 and Windows XP SP0/SP1 English only; other patch levels or locales need different gadget addresses. Note that the two extracted byte strings for the XP return address (\x7c\x36\x9b\xbd and \xbd\x9b\x36\x7c) are byte-reversed relative to each other, while the Win2k SP4 bytes agree in both sources; confirm the byte order before using either as a signature.
  • The payload bad characters are \x00 and \x20 (null byte and space); shellcode or signatures containing these bytes will not be delivered intact by the exploit.
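The detection points above, worked as an added example that is not part of this page's sources, NetVault's code or the exploit: a sliding-window check for a reconnect burst to TCP/20031 over constructed connection-log lines, a scan of a constructed configure.cfg for an oversized Name= value, the NVBuild banner fingerprint on a captured response, and decoding of the little-endian return-address bytes so the byte-order discrepancy noted above can be checked. The log format, the [Machine] section name, the 5-connections-in-10-seconds burst threshold and the 256-byte Name= limit are assumptions made for this example, not values from the page.

```python
"""Offline checks for the CVE-2005-1009 indicators listed on this page.

Added example; not NetVault code and not taken from the exploit. The log
format, the configure.cfg samples, the 5-connections-in-10-seconds burst
threshold and the 256-byte Name= limit are assumptions made for this example.
"""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

NETVAULT_PORT = 20031
BURST_COUNT = 5                       # assumed; the exploit reconnects up to 15 times
BURST_WINDOW = timedelta(seconds=10)  # assumed
MAX_NAME_LEN = 256                    # assumed upper bound for a sane machine name
FINGERPRINT = b"NVBuild"              # string seen in a vulnerable server's version response

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_sent>"
SAMPLE_CONN_LOG = """\
2024-01-10T10:00:00 10.0.0.5 192.0.2.10 20031 33000
2024-01-10T10:00:01 10.0.0.5 192.0.2.10 20031 33000
2024-01-10T10:00:02 10.0.0.5 192.0.2.10 20031 33000
2024-01-10T10:00:03 10.0.0.5 192.0.2.10 20031 33000
2024-01-10T10:00:04 10.0.0.5 192.0.2.10 20031 33000
2024-01-10T10:00:05 10.0.0.7 192.0.2.10 20031 120
2024-01-10T10:30:00 10.0.0.7 192.0.2.10 20031 120
2024-01-10T10:00:06 10.0.0.9 192.0.2.10 443 900
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_conn_log(text):
    """Parse the constructed log into (timestamp, src, dst, dport, nbytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return events


def find_reconnect_bursts(events, port=NETVAULT_PORT, count=BURST_COUNT, window=BURST_WINDOW):
    """Map src IP -> largest number of connections to `port` inside any `window`,
    reported only for sources that reach `count`. Sliding window over sorted timestamps."""
    stamps_by_src = defaultdict(list)
    for ts, src, _dst, dport, _n in events:
        if dport == port:
            stamps_by_src[src].append(ts)
    hits = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= count:
            hits[src] = best
    return hits


# Constructed configure.cfg samples; the [Machine] section name is invented for the example.
SAMPLE_CFG_OK = "[Machine]\nName=backup01\nPort=20031\n"
SAMPLE_CFG_BAD = "[Machine]\nName=" + "A" * 2000 + "\nPort=20031\n"


def oversized_name_entries(cfg_text, max_len=MAX_NAME_LEN):
    """Return (line_number, value_length) for each Name= entry longer than max_len."""
    found = []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        if line.startswith("Name="):
            value_len = len(line) - len("Name=")
            if value_len > max_len:
                found.append((lineno, value_len))
    return found


def looks_like_netvault(response: bytes) -> bool:
    """Fingerprint check on a captured version-check response."""
    return FINGERPRINT in response


def ret_addr(raw: bytes) -> int:
    """Decode 4 little-endian bytes as an x86 return address."""
    return struct.unpack("<I", raw)[0]


if __name__ == "__main__":
    print(find_reconnect_bursts(parse_conn_log(SAMPLE_CONN_LOG)))
    print(oversized_name_entries(SAMPLE_CFG_BAD))
    print(hex(ret_addr(b"\x7c\x36\x9b\xbd")), hex(ret_addr(b"\xbd\x9b\x36\x7c")))
```

Feed real connection logs through parse_conn_log after adapting LINE_RE to their layout; the burst detector only needs (timestamp, source, destination port). Decoding both XP byte strings shows they are different addresses, which is why the byte order should be confirmed against the original exploit before one of them is used in a signature.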