Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers

Summary

Name: Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Release Date: 20 August 2012
Reference: NGS00340
Discoverer: Matt Lewis
Vendor: Symantec
CVE Reference: CVE-2013-4676
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released

TimeLine

Discovered: 6 July 2012
Released: 6 July 2012
Approved: 6 July 2012
Reported: 6 July 2012
Fixed: 1 August 2013
Published: 30 September 2013

Description

Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding groups, Servers and Computers

I. VULNERABILITY

The Symantec Backup Exec 2012 Utility program which ships with the product
(BEUtility.exe) is vulnerable to stored XSS. This is exploitable by anyone
with execution privileges on the BEUtility.exe program.
Javascript can be directly inserted into the name fields when adding
groups, servers and computers. The javascript is persistent and the XSS
vectors are re-exploited each time a user opens the utility and clicks on
the affected group, server or computer in the navigation pane.

II. Background

Symantec Backup Exec 2012 is an enterprise-level backup solution. The
affected version of BEUtility.exe is 14.0 Rev. 1798.

III. Description

Stored XSS vulnerabilities have been found and confirmed within the
BEUtility.exe application. The application can ordinarily be found at
C:Program FilesSymantecBackup ExecBEUtility.exe

Technical Details

-The Symantec Backup Exec Utility can typically be found in C:Program FilesSymantecBackup ExecBEUtility.exe.

-When the application is launched, create a new backup exec server group

  • In the text field add in javascript

-This creates a persistent XSS attack vector – each time a user launches the utility and clicks on the group item in the navigation pane, the XSS vulnerability is exploited

-It is also possible to insert script tags when adding new Servers and Computers

Fix Information

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory pvid=security_advisory year= suid=20130801_00