The Case of the Backup Software DoS.

Our vulnerability scanner is causing the server backup software’s we use on to crash.
After examining a crash dump, a developer for the backup software replied

“Looking at the logs it we are getting some corrupted packets and that is causing the to try to allocate huge memory and that is the reason for the failure.
Does this security scanner corrupt our packets to test some of its features? If yes then they will have to stop it.”

While not sending corrupt packets would stop the crashing, I’m not sure a bad guy would be so kind as to respect at request. I also wonder if there is a remote exploit in this defect.
To take it out of the realm of the vulnerability scanner, I used nmap’s service fingerprint option to crash the service. Reviewing the packets with wireshark shows that nmap with the -sV option set is also throwing a corrupt packet. The hardest part in reproducing this is the backup software not staying on a predictable port.
Vulnerabilities in backup software are frequently targeted. Backup software often runs with full admin or system rights. Exploiting vulnerabilities in backup software can lead to information disclosure or an attacker fully compromising import servers. SANS has backup software vulerabilities in the SANS Top 20 list.

One Comment

  1. “The hardest part in reproducing this is the backup software not staying on a predictable port”
    This is obviously a _good_ thing as it makes it more difficult for black hats to exploit this vulnerability. Since they would have to probe systems, it seems reasonable that network monitoring software could deny the IP before a corrupt packet could be sent.

Leave a Reply

Your email address will not be published. Required fields are marked *