VERITAS NetBackup bpcd daemon command chaining vulnerability

Added: 02/16/2007
CVE: CVE-2006-4902
BID: 21565
OSVDB: 31334


VERITAS NetBackup is a backup and recovery solution for multiple platforms.


The NetBackup bpcd daemon fails to properly validate chained commands. A remote attacker could execute arbitrary commands by appending the commands to valid commands.


Apply one of the maintenance packs referenced in the Symantec Security Advisory.



Exploit works on VERITAS NetBackup 5.0 and requires the target host to have the ability to connect back to SAINTexploit on ports 990/TCP and 69/UDP.

In order for the exploit to succeed, the address of the host running SAINTexploit must be present in Unicode format in the following registry key on the target:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config Value: Server Type: MULTI_SZ

This exploit requires the PERL threads module to be installed on the host running SAINTexploit.



Back to exploit index