CVE-2005-2611
Published 2005-08-17
CVE-2005-2611: VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5…
Priority P179 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 87.03% (99.7th percentile)
VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server.
Affected
57 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec_veritas | backup_exec | — | — |
Detection & IOCs
bytes: \xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f
- Detect NDMP authentication attempts on TCP/10000 using the static hardcoded password bytes (b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f) in the CONNECT_CLIENT_AUTH packet (opcode 0x0901). The username field will contain 'root' (4 bytes, length-prefixed) immediately before the 16-byte static password.
- Monitor for NDMP DATA_CONNECT requests (opcode 0x040a) directing the Backup Exec agent to initiate an outbound TCP connection to an attacker-controlled host and port, indicating exploitation of the file exfiltration logic flaw.
- The exploit uses the FILESYSTEM environment variable set to a UNC-style path '\\<RHOST>\<RPATH>' in the DATA_START_BACKUP request. Inspect NDMP backup environment variables for unexpected or attacker-supplied FILESYSTEM values pointing to arbitrary paths.
- The Backup Exec Windows Agent listens on TCP port 10000 (NDMP). Any unauthenticated or externally-sourced connection to this port should be alerted on, as the static password allows any remote attacker to authenticate.
- The exploit uses a default listener port of 44444/tcp on the attacker side to receive the exfiltrated MTF-format backup data. Outbound connections from a Backup Exec agent host to ephemeral or unusual ports (especially 44444) may indicate active exploitation.
- The static password is hardcoded in the NDMP agent and cannot be changed by configuration — all versions of the Backup Exec Windows Agent are affected regardless of deployment settings.
- Exfiltrated files are delivered in MTF (Microsoft Tape Format) and require a dedicated tool (NTKBUp) to extract, which may complicate forensic triage of stolen data.
- Entire directories can be exfiltrated by specifying a path with a trailing backslash, not just individual files — scope of data loss may be broader than single-file access.
CVSS provenance
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 CRITICAL
GHSA
GHSA-gr69-4gpq-65m9: VERITAS Backup Exec for Windows Servers 8
ghsa_unreviewed·2022-05-01
CVE-2005-2611 [HIGH] GHSA-gr69-4gpq-65m9: VERITAS Backup Exec for Windows Servers 8
VulnCheck
Veritas Backup Exec Agent Vulnerability
vulncheck·2005·CVSS 10.0
CVE-2005-2611 [CRITICAL] Veritas Backup Exec Agent Vulnerability
Affected: Veritas Backup Exec Agent
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=21266
No detection rules found.
Exploit-DB
CGX 20050314 - 'pathCGX' Remote File Inclusion
exploitdb·2007-05-08
CVE-2007-2611 CGX 20050314 - 'pathCGX' Remote File Inclusion
---
# CGX 2005-03-14 (pathCGX) Remote File Include Vulnerabilities
# D.Script: http://codigolivre.org.br/frs/?group_id=413&release_id=1978
# Discovered by: GolD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# Exploit:[Path]/inc/mtdialogo.php?pathCGX=Shell
# Exploit:[Path]/inc/ltdialogo.php?pathCGX=Shell
# Exploit:[Path]/inc/login.php?pathCGX=Shell
# Exploit:[Path]/inc/logingecon.php?pathCGX=Shell
# All Files in : /frm/ & /sql/ & /cns/
# Greetz To: Tryag-Team ...$$
# milw0rm.com [2007-05-08]
Exploit-DB
Veritas Backup Exec (Windows) - Remote File Access (Metasploit)
exploitdb·2005-08-11
CVE-2005-2611 Veritas Backup Exec (Windows) - Remote File Access (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
##
# Original code written by and ported to the Framework by HDM
##
package Msf::Exploit::backupexec_dump;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use IO::Socket;
use IO::Select;
my $advanced = { };
my $info =
{
'Name' => 'Veritas Backup Exec Windows Remote File Access',
'Version' => '$Revision: 1.3 $',
'Authors' => [ 'anonymous' ],
'Arch' => [ ],
'
Metasploit
Veritas Backup Exec Windows Remote File Access
metasploit
This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.
No writeups or analysis indexed.
- http://secunia.com/advisories/16403
- http://securityresponse.symantec.com/avcenter/security/Content/2005.08.12b.html
- http://securitytracker.com/id?1014662
- http://www.kb.cert.org/vuls/id/378957
- http://www.securityfocus.com/bid/14551
- http://www.us-cert.gov/cas/techalerts/TA05-224A.html
- http://www.vupen.com/english/advisories/2005/1387
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21793