Tuesday 4 June 2013

Veritas Backup Exec Windows Remote File Access

Whilst on a client engagement today, I came across some Windows 2003 application servers using the Veritas Backup Exec client.

The version in use was affected by the vulnerability described in CVE-2005-2611:

"VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server."

Metasploit has a nice little module for downloading files and directories from the box; it is located here:

auxiliary/admin/backupexec/dump

It's very straightforward to use.

Set the path of the file you want to download. In my case I went for the C:\Windows\repair folder, to get the SYSTEM and SAM hive copies kept there (note that these are the copies written the last time an Emergency Repair Disk or ASR backup was made, so they may be older than the live hives in C:\Windows\system32\config).

Then set the port that the agent is listening on; in my case the default port, 10000, was in use.

Then run.

The module downloads the file or directory, but the output is in MTF format.

A little digging around showed that MTF is an acronym for Microsoft Tape Format, the old backup archive format used by NTBackup and Backup Exec itself. It is a container format, not a compression format: the file data is normally stored as-is inside the archive, it just needs unpacking.

The Metasploit module says the following:

"This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash."

and has the following references:

Well, the http://www.fpns.net/willy/msbksrc.lzh link doesn't do a thing any more, and the others are just vulnerability references.

More Googling found this mirror site:


And I downloaded the following files:

        Friday, July 09, 2004  9:33 AM       123909 msbkdos.lzh
        Friday, July 09, 2004  9:33 AM       127385 msbklin.lzh
        Friday, July 09, 2004  9:34 AM       107354 msbksrc.lzh
        Friday, July 09, 2004  9:34 AM       121070 msbkwin.lzh
Now, I don't normally run files from any old site on my host, but this was the last straw for me and the only vulnerability in quite a tidy network. So I uploaded the four .lzh files to a Windows virtual machine along with the .mtf file produced by the Metasploit module, and disconnected the VM's network adapter, just to be on the safe side!

I unpacked msbkwin.lzh with 7-Zip and found a few files; the one to use is NTBKUP.EXE, and you run it like this:

c:\msbkwin\NTBKUP.EXE <metasploit_backup_exec_dump_module_file.mtf> -x

This extracted the contents of the C:\Windows\repair\ directory that was downloaded from the 2003 server I exploited.
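If you would rather not run binaries from an unknown mirror at all, the MTF container is simple enough to unpack yourself. The following reader is an added example, not part of the original post and not the NTBKUP tool's code. It assumes the layouts from the MTF 1.00a specification: a 52-byte descriptor-block (DBLK) header with the block type at offset 0, the offset to the first stream at 8, the string type at 48 and an XOR-of-words checksum at 50; the logical block size at offset 84 of the TAPE block; a FILE block's name given as a (size, offset) pair at offset 84 with the content following in a STAN stream; and 22-byte stream headers, 4-byte stream alignment and a SPAD stream that pads to the next logical block. It handles only uncompressed, unencrypted files, ignores DIRB blocks (so names are not joined into paths), and builds a small constructed dump inline so that it runs offline; the hive contents in it are stand-ins, not real SAM or SYSTEM data.

```python
"""Minimal Microsoft Tape Format (MTF) reader (added example, not the page's
or NTBKUP's code). Field offsets are assumed from the MTF 1.00a spec; only
uncompressed, unencrypted STAN data is handled and DIRB blocks are skipped."""
import struct

DBLK_HDR = 52       # common descriptor-block header size
STREAM_HDR = 22     # stream header size
DEFAULT_BLOCK = 1024


def _xor16(buf: bytes) -> int:
    """MTF header checksum: XOR of the little-endian 16-bit words in buf."""
    x = 0
    for (w,) in struct.iter_unpack("<H", buf):
        x ^= w
    return x


def walk_mtf(data: bytes):
    """Yield (offset, dblk_bytes, streams) for each descriptor block, checking
    header checksums. streams is a list of (stream_id, payload) minus SPAD."""
    block_size, pos = DEFAULT_BLOCK, 0
    while pos + DBLK_HDR <= len(data):
        hdr = data[pos:pos + DBLK_HDR]
        if not hdr[:4].isalpha():                    # DBLK ids are four letters
            raise ValueError(f"no descriptor block at {pos:#x}: {hdr[:4]!r}")
        if _xor16(hdr[:50]) != struct.unpack_from("<H", hdr, 50)[0]:
            raise ValueError(f"bad {hdr[:4].decode()} checksum at {pos:#x}")
        first_stream = struct.unpack_from("<H", hdr, 8)[0]
        if hdr[:4] == b"TAPE":                       # logical block size lives here
            block_size = struct.unpack_from("<H", data, pos + 84)[0] or block_size
        streams, spos, end = [], pos + first_stream, len(data)
        while spos + STREAM_HDR <= len(data):
            shdr = data[spos:spos + STREAM_HDR]
            if _xor16(shdr[:20]) != struct.unpack_from("<H", shdr, 20)[0]:
                raise ValueError(f"bad stream checksum at {spos:#x}")
            sid, length = shdr[:4], struct.unpack_from("<Q", shdr, 8)[0]
            start = spos + STREAM_HDR
            spos = start + length
            if sid == b"SPAD":                       # pad to block; next DBLK follows
                end = spos
                break
            streams.append((sid, data[start:spos]))
            spos += (-spos) % 4                      # streams are 4-byte aligned
        yield pos, data[pos:pos + first_stream], streams
        pos = -(-end // block_size) * block_size     # round up to block boundary


def extract_files(data: bytes) -> dict:
    """Map file name -> content for every FILE block in the dump."""
    out = {}
    for _, dblk, streams in walk_mtf(data):
        if dblk[:4] != b"FILE":
            continue
        size, off = struct.unpack_from("<HH", dblk, 84)       # name tape address
        raw = dblk[off:off + size]
        name = raw.decode("utf-16-le") if dblk[48] == 2 else raw.decode("latin-1")
        out[name] = b"".join(p for sid, p in streams if sid == b"STAN")
    return out


# --- builders used only to construct the offline sample dump -----------------
def _stream(sid: bytes, payload: bytes) -> bytes:
    h = bytearray(STREAM_HDR)
    h[:4] = sid
    struct.pack_into("<Q", h, 8, len(payload))
    struct.pack_into("<H", h, 20, _xor16(h[:20]))
    return bytes(h) + payload


def _dblk(kind: bytes, body: bytes, streams=(), block_size=DEFAULT_BLOCK) -> bytes:
    body += b"\0" * ((-(DBLK_HDR + len(body))) % 4)         # streams start aligned
    h = bytearray(DBLK_HDR)
    h[:4] = kind
    struct.pack_into("<H", h, 8, DBLK_HDR + len(body))      # offset to first stream
    h[48] = 1                                               # ANSI strings
    struct.pack_into("<H", h, 50, _xor16(h[:50]))
    out = bytearray(h) + body
    for sid, payload in streams:
        out += _stream(sid, payload)
        out += b"\0" * ((-len(out)) % 4)
    out += _stream(b"SPAD", b"\0" * ((-(len(out) + STREAM_HDR)) % block_size))
    return bytes(out)


def _file_block(name: str, content: bytes) -> bytes:
    body = bytearray(36)                  # attrs, four 5-byte dates, dir id, file id
    struct.pack_into("<HH", body, 32, len(name), DBLK_HDR + 36)   # name address
    return _dblk(b"FILE", bytes(body) + name.encode("ascii"), [(b"STAN", content)])


SAMPLE_FILES = {                          # constructed stand-ins, not real hives
    "SAM": b"regf-SAM-constructed-sample",
    "SYSTEM": b"regf-SYSTEM-constructed-sample" * 40,
}


def build_sample_dump() -> bytes:
    """Constructed dump: TAPE, SSET, one FILE block per sample file, ESET."""
    tape_body = bytearray(42)
    struct.pack_into("<H", tape_body, 32, DEFAULT_BLOCK)   # format logical block size
    parts = [_dblk(b"TAPE", bytes(tape_body)), _dblk(b"SSET", b"")]
    parts += [_file_block(n, c) for n, c in SAMPLE_FILES.items()]
    return b"".join(parts + [_dblk(b"ESET", b"")])


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for fname, content in extract_files(blob).items():
        print(f"{fname}: {len(content)} bytes")
```

Run it with the .mtf path as the first argument to list what the dump contains; with no argument it parses its own constructed sample. Because every header checksum is verified before a length field is trusted, a dump that was truncated in transfer or that is not MTF at all fails loudly instead of silently yielding empty hives.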
This worked for me: with the extracted SAM and SYSTEM hives (the SYSTEM hive supplies the boot key needed to decrypt the hashes in SAM) I got the local Administrator hash, and used the Metasploit psexec module, passing the hash, to log in to the box.

HTH
