CVE-2017-8895
Published: 2017-05-10
Priority: P279 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 71.00% (99.3rd percentile)
In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veritas | backup_exec | < 14.1.1786.1126 | 14.1.1786.1126 |
| veritas | backup_exec | < 14.2.1180.3160 | 14.2.1180.3160 |
| veritas | backup_exec | < 16.0.1142.1327 | 16.0.1142.1327 |
Detection & IOCs (extracted from sources)
Command: SSL NDMP re-establishment trigger: re-establish SSL on an existing NDMP connection to reuse the freed BIO struct.
Detection:
- Monitor for repeated SSL/TLS negotiation attempts on TCP port 10000 (NDMP) from unauthenticated sources; the exploit re-establishes SSL on an existing NDMP connection to trigger the UAF.
- Detect heap-spray activity on TCP/10000: the exploit opens a large number of sockets to spray stage 1 and TLS extensions before triggering the vulnerability.
- Alert on Backup Exec Remote Agent process crashes or unexpected restarts on TCP/10000; the exploit may crash the agent during failed attempts and retry on other hosts.
- Flag memory at the non-ASLR becrypto.dll base addresses (0x0be00000 on x64, 0x63100000 on x86) being used as ROP/pivot anchors in the process memory of the Backup Exec agent.
Notes:
- Exploit reliability is platform-dependent: ~85% on Windows 8+ and only ~35% on older Windows versions due to a network race condition, which may drop further with poor network conditions.
- The Metasploit module targets only specific builds: BE 14 before 14.1.1187.1126, BE 15 before 14.2.1180.3160, and BE 16 before FP1; the check command can help identify the exact revision installed.
- NX, ASLR, and Windows 8+ anti-ROP mitigations are bypassed by the exploit using becrypto.dll's non-ASLR base address as a ROP anchor; patching or enabling ASLR for becrypto.dll would break the exploit chain.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit) (exploitdb, 2017-06-29)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/ndmp_socket'
require 'openssl'
require 'xdr'

# The class header and the opening of initialize below are restored from the
# standard Metasploit module layout; the source page shows only a fragment.
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free',
      'Description' => %q{
        This module exploits a use-after-free vulnerability in the handling of SSL NDMP
        connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL
        is re-established on a NDMP connection that previously has had SSL established,
        the BIO struct for the connection's previous SSL session is reused, even though it
        has previously been freed.
        This module supports 3 specific versions
      # (excerpt truncated on the source page)
```
Metasploit
Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free
This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL is re-established on an NDMP connection that previously has had SSL established, the BIO struct for the connection's previous SSL session is reused, even though it has previously been freed. This module supports 3 specific versions of the Backup Exec agent in the 14, 15 and 16 series on 64-bit and 32-bit versions of Windows and has been tested from Vista to Windows 10. The check command can help narrow down which major and minor revision is installed and the precise version of Windows, but some other information may be required to make a reliable choice of target. NX
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/98386
- http://www.securitytracker.com/id/1038561
- https://www.exploit-db.com/exploits/42282/
- https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1