module

Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free

Disclosed
2017-05-10
Created
2018-05-30

Description

This module exploits a use-after-free vulnerability in the handling of SSL NDMP
connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL
is re-established on an NDMP connection that previously had SSL established, the
BIO struct from the connection's previous SSL session is reused even though it
has already been freed.
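The pattern the description names (a session object freed on SSL teardown but reused when SSL is brought back up on the same connection) is shown below as an added illustration; it is not Backup Exec or OpenSSL code, and the struct and function names are assumed for the model. A small tracked pool stands in for the heap so the stale use is detected deterministically instead of relying on undefined behaviour. The vulnerable teardown/re-establish pair sits beside a hardened one, and the second scenario shows why the freed slot matters: another connection can reclaim it between the free and the reuse, so the "new" session ends up bound to someone else's object.

```c
/* Model of "BIO reused after free" on an NDMP connection. Added example,
 * not Backup Exec or OpenSSL code; all names here are assumed. A tracked
 * pool replaces the heap so a stale use is observable without UB. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4

typedef struct {            /* stand-in for an OpenSSL BIO */
    bool in_use;
    char peer[32];          /* who this session talks to (for the reclaim demo) */
} bio_t;

static bio_t pool[POOL_SLOTS];
static int freed_writes;    /* writes that reached a freed slot */

static void pool_reset(void) { memset(pool, 0, sizeof pool); freed_writes = 0; }

/* First-fit: a freed slot is handed out again, like a heap free-list bin. */
static bio_t *bio_new(const char *peer) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            snprintf(pool[i].peer, sizeof pool[i].peer, "%s", peer);
            return &pool[i];
        }
    return NULL;
}
static void bio_free(bio_t *b) { if (b) b->in_use = false; }
static int bio_write(bio_t *b, const char *msg) {
    (void)msg;
    if (!b->in_use) { freed_writes++; return -1; }  /* use after free */
    return 0;
}

typedef struct { bio_t *bio; bool ssl_active; } ndmp_conn_t;

/* Vulnerable: teardown frees the BIO but keeps the pointer, so re-establishing
 * SSL sees a non-NULL bio and reuses the freed object. */
static void ssl_stop_vuln(ndmp_conn_t *c) { bio_free(c->bio); c->ssl_active = false; }
static void ssl_start_vuln(ndmp_conn_t *c, const char *peer) {
    if (c->bio == NULL) c->bio = bio_new(peer);
    c->ssl_active = true;
}

/* Hardened: the pointer dies with the object, and every session gets a fresh BIO. */
static void ssl_stop_fixed(ndmp_conn_t *c) { bio_free(c->bio); c->bio = NULL; c->ssl_active = false; }
static void ssl_start_fixed(ndmp_conn_t *c, const char *peer) {
    if (c->bio) { bio_free(c->bio); c->bio = NULL; }   /* never reuse a prior session's BIO */
    c->bio = bio_new(peer);
    c->ssl_active = (c->bio != NULL);
}

/* SSL on, off, on again, then send. Returns how many writes hit a freed BIO:
 * 1 on the vulnerable path, 0 on the fixed one. */
int scenario_dangling(bool fixed) {
    pool_reset();
    ndmp_conn_t c = { NULL, false };
    if (fixed) { ssl_start_fixed(&c, "agent-a"); ssl_stop_fixed(&c); ssl_start_fixed(&c, "agent-a"); }
    else       { ssl_start_vuln(&c, "agent-a");  ssl_stop_vuln(&c);  ssl_start_vuln(&c, "agent-a");  }
    bio_write(c.bio, "NDMP_CONNECT_OPEN");
    return freed_writes;
}

/* Same, but a second connection allocates between teardown and re-establishment
 * and reclaims the freed slot. Returns true if A's "new" session is now bound to
 * B's BIO: the object confusion an exploit grooms the heap to obtain. */
bool scenario_reclaim(bool fixed) {
    pool_reset();
    ndmp_conn_t a = { NULL, false }, b = { NULL, false };
    if (fixed) {
        ssl_start_fixed(&a, "agent-a"); ssl_stop_fixed(&a);
        ssl_start_fixed(&b, "attacker");
        ssl_start_fixed(&a, "agent-a");
    } else {
        ssl_start_vuln(&a, "agent-a");  ssl_stop_vuln(&a);
        ssl_start_vuln(&b, "attacker");
        ssl_start_vuln(&a, "agent-a");
    }
    return a.bio == b.bio && strcmp(a.bio->peer, "attacker") == 0;
}

int main(void) {
    printf("dangling: vuln=%d fixed=%d\n", scenario_dangling(false), scenario_dangling(true));
    printf("reclaim:  vuln=%d fixed=%d\n", scenario_reclaim(false), scenario_reclaim(true));
    return 0;
}
```

The fix has two parts, and both matter: clearing the pointer at free time makes a plain reuse impossible, and unconditionally allocating a fresh BIO on re-establishment means a stale pointer can never be taken as "already set up". The reclaim scenario is the one to keep in mind when reading the reliability notes further down: on a real heap the attacker controls what lands in the freed slot, which is what turns a dangling pointer into code execution.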

This module supports three specific versions of the Backup Exec agent in the 14, 15
and 16 series on 64-bit and 32-bit versions of Windows, and has been tested from
Vista to Windows 10. The check command can help narrow down which major and minor
revision is installed and the precise version of Windows, but some other
information may be required to make a reliable choice of target.

NX, ASLR and the Windows 8+ anti-ROP mitigations are bypassed. On Windows 8+,
reliability is around 85%. On other versions of Windows, reliability is around 35%,
because the exploit must win a race condition across the network in that case; it
may drop further depending on network conditions. The agent is normally installed
on every host in a domain that needs to be backed up, so if one service crashes, try
again on another :) Successful exploitation gives remote code execution as the
user of the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.

Author

Matthew Daley

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/backupexec/ssl_uaf
msf exploit(ssl_uaf) > show targets
...targets...
msf exploit(ssl_uaf) > set TARGET < target-id >
msf exploit(ssl_uaf) > show options
...show and set options...
msf exploit(ssl_uaf) > exploit
