TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... TippingPoint customers were protected against 0-day exploitation of MS07-017 two years prior to the exploit being discovered in the wild.

Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass Vulnerability

TPTI-07-08: June 4th, 2007

CVE ID

Affected Vendors

Affected Products

Vulnerability Details

This vulnerability allows an attacker to execute arbitrary code on vulnerable installations of Symantec Veritas Storage Foundation. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the functionality exposed by the Storage Foundation for Windows Scheduler Service, VxSchedService.exe, which listens by default on TCP port 4888. During normal use an administrator may add schedules to be run using the management console which requires authentication. However, if an attacker connects directly to the scheduler service and issues the commands, there exists no validation of credentials.

The packet is parsed for requests as shown in the following snippet:

.text:01016720 mov eax, [ebp-80h] ; controlled buffer
.text:01016723 dec eax ;
.text:01016724 mov byte ptr [ebp-4], 1
.text:01016728 jz create_registry
.text:0101672E dec eax
.text:0101672F jz short delete_registry
.text:01016731 dec eax
.text:01016732 dec eax
.text:01016733 jz short modify_registry

A malicious attacker is able to add, modify, or delete registry values from HKEY_LOCAL_MACHINE\Software\Veritas\VxSvc\CurrentVersion\Schedules
which holds the schedules for snapshots. Each schedule has a PreScript and PostScript field which allow for arbitrary commands to be executed when the schedule is run. Modification or either of these fields will allow for remote code execution.

Vendor Response

Symantec has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2007-02-08 - Vulnerability reported to vendor
    2007-06-04 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: