CVE-2005-2715
published 2005-10-12

CVE-2005-2715: Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and…

Priority: P267 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 60.36% (99.0th percentile)
Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and NetBackup Enterprise/Server/Client 5.0, 5.1, and 6.0, allows remote attackers to execute arbitrary code via the COMMAND_LOGON_TO_MSERVER command.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec_veritas | netbackup_data_and_business_center | | |
| symantec_veritas | netbackup_data_and_business_center | | |
| symantec_veritas | netbackup_enterprise_server_client | | |
| symantec_veritas | netbackup_enterprise_server_client | | |
| symantec_veritas | netbackup_enterprise_server_client | | |

Detection & IOCs (extracted from sources)

port: 13722
port: 5570
port: 5557
command: COMMAND_LOGON_TO_MSERVER
command: 101 6
process: bpjava-msvc
bytes: \x90\x90\x90\x90\xeb\x42\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea
  • The exploit targets TCP port 13722 (bpjava-msvc daemon). Monitor for unexpected or malformed connections to this port, especially those sending protocol command tokens ' 101 6' or ' 118 1' followed by format string payloads containing '%hn', '%x', or '%n' specifiers.
  • After successful Linux exploitation, the attacker connects back to port 5570 for a reverse/bind shell. Monitor for unexpected outbound or inbound TCP connections on port 5570 from the NetBackup server process.
  • After successful OSX/PPC exploitation, the attacker connects to port 5557 for a bind shell. Monitor for unexpected TCP connections on port 5557 originating from or to the NetBackup server.
  • The Windows exploit overwrites PEB FastPebLockRoutine pointer (at 0x7FFDF020) or a static SEH frame (at 0x0012ffb0) with a code stub at 0x7FFDF250. Detection on Windows can look for writes to these fixed PEB addresses or abnormal SEH chain modifications in the bpjava-msvc process.
  • The Linux exploit hardcodes a return location (retloc) and return address (retaddr) specific to a particular build of NetBackup 6.0 on Linux/x86. These addresses may differ across patch levels or OS distributions, limiting direct reuse of the exploit without adjustment.
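
The first detection note above, written as a payload check. This is an added example, not code from this page or its sources. It generalizes the listed '%hn', '%x' and '%n' to positional and width-padded printf forms. The function name, severity labels and sample payloads are constructed assumptions and do not reproduce the real bpjava-msvc wire framing.

```python
import re

BPJAVA_PORT = 13722  # bpjava-msvc listener port listed on this page

# Command tokens named in the detection note: ' 101 6' and ' 118 1'.
COMMAND_TOKEN = re.compile(rb" (101 6|118 1)\b")

# printf-style conversions: %n/%hn/%hhn (memory writes) and %x/%X/%p (reads),
# including positional (%12$hn) and padded (%08x, %.500x) forms.
FORMAT_SPEC = re.compile(
    rb"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([nxXp])"
)


def inspect_payload(dst_port, payload):
    """Return a finding dict for a suspicious client payload, else None."""
    if dst_port != BPJAVA_PORT:
        return None
    token = COMMAND_TOKEN.search(payload)
    if token is None:
        return None
    # Only specifiers that follow the command token are of interest.
    specs = list(FORMAT_SPEC.finditer(payload, token.end()))
    if not specs:
        return None
    writes = sum(1 for m in specs if m.group(1) == b"n")
    return {
        "command_token": token.group(1).decode(),
        "specifiers": len(specs),
        "write_specifiers": writes,
        # %n-family conversions write memory; read-only probes rank lower.
        "severity": "high" if writes else "medium",
    }


# Constructed sample payloads (illustrative only, not captured traffic).
SAMPLES = [
    b" 101 6\nbackup-admin\n",      # ordinary-looking logon argument
    b" 101 6\n%x%x%x%x\n",          # stack-read probing
    b" 118 1\nAAAA%12$hn%08x\n",    # positional write specifier
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_payload(BPJAVA_PORT, sample))
```

Treat a hit as a heuristic signal: a legitimate argument containing a literal percent sequence would also match, so correlate with the follow-on connections on ports 5570 and 5557 described in the notes above.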