| VID |
23128 |
| Severity |
40 |
| Port |
20031 |
| Protocol |
TCP |
| Class |
NetVault |
| Detailed Description |
According to its version number, the BakBone NetVault service has two heap buffer overflow vulnerabilities. NetVault is a tape backup system for various operating systems. NetVault versions 7.3 and earlier could allow a local or remote attacker to execute arbitrary code on the affected host.
1) Local overflow: A vulnerability exists in the processing of the 'configure.cfg' file. A local user with access to the file can create a computername 'Name=' entry that is longer than 111 bytes. Then, when the NetVault Process Manager service starts (or restarts), a buffer overflow is triggered and arbitrary code is executed with System privileges. The default permissions of the file are read-only for the Users group.
2) Remote overflow: A remote user can connect to the target system on port 20031 and supply a specially crafted 'clientname' entry in the 'Available NetVault Machines' list to trigger a heap overflow and execute arbitrary code on the target server.
* Note: This check relies solely on the version number of the BakBone NetVault service to assess this vulnerability, so the result may be a false positive.
* References:
http://class101.org/netv-remhbof.pdf
http://class101.org/netv-locsbof.pdf
http://www.securitytracker.com/alerts/2005/Apr/1013625.html
http://www.hat-squad.com/en/000164.html
http://www.securityfocus.com/data/vulnerabilities/exploits/netvault_hof.c
* Platforms Affected: BakBone NetVault versions 7.3 and earlier; any operating system, any version |
| Recommendation |
No upgrade or patch available as of May 2005.
Upgrade to the latest version of NetVault (later than 7.3) when a version that fixes this problem becomes available from the NetVault Download Web page at http://www.bakbone.com/products/downloads/ |
| Related URL |
CVE-2005-1009 (CVE) |
| Related URL |
12967,13618 (SecurityFocus) |
| Related URL |
19932 (ISS) |
|