We have received a submission from a contributor, Vlad A., of files taken from a compromised system that has a log detailing extensive scanning for Port 13722, exclusively. That's right, the log showed Internet scanning configured exclusively for Port 13722, and it had quite a surprising (maybe not too surprising) number of results. The logs were generated by a relatively new "hack tool". DShield results for Port 13722 show a small number of systems scanning for this port recently, since the vulnerability announcement. Thanks for the files, Vlad!
NetBackup clients and servers use Port 13722, and TippingPoint's Zero Day Initiative (ZDI) says the discovered "vulnerability allows remote attackers to execute arbitrary code on vulnerable NetBackup installations. Authentication is not required to exploit this vulnerability." And "This specific flaw exists within the bpjava-msvc daemon due to incorrect handling of format string data passed through the 'COMMAND_LOGON_TO_MSERVER' command. The vulnerable daemon listens on TCP port 13722 and affects both NetBackup clients and servers." They acknowledge "Credit: This vulnerability was discovered by Kevin Finisterre with exploitation assistance from JohnH."
Patch and workaround information is at Veritas.
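To check your own perimeter logs for the single-port scanning described above, the following is an added example, not code from this diary or from the submitted files. It assumes iptables-style LOG lines; the sample entries, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

NETBACKUP_PORT = 13722  # TCP port of bpjava-msvc, per the ZDI text quoted above

# Constructed sample in iptables LOG style (documentation address ranges).
SAMPLE_LOG = """\
Nov 11 03:12:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=13722 SYN
Nov 11 03:12:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=13722 SYN
Nov 11 03:12:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=40114 DPT=13722 SYN
Nov 11 03:12:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=40115 DPT=
Nov 11 03:15:40 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=13722 SYN
Nov 11 03:15:41 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Nov 11 03:20:05 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.11 PROTO=TCP SPT=33000 DPT=13722 SYN
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return (src, dst, dport) for a TCP entry, or None if a field is missing."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= f.keys():
        return None
    if not f["DPT"].isdigit():
        return None
    return f["SRC"], f["DST"], int(f["DPT"])

def single_port_scanners(log_text, port=NETBACKUP_PORT, min_targets=3):
    """Sources that probed `port` on at least min_targets hosts and no other TCP port."""
    targets, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # truncated or non-TCP entry
        src, dst, dport = rec
        ports[src].add(dport)
        if dport == port:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items()
            if len(d) >= min_targets and ports[s] == {port}}

def probed_hosts(log_text, port=NETBACKUP_PORT):
    """Local addresses that received a probe on `port`: the ones to patch-check first."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return sorted({r[1] for r in recs if r and r[2] == port})

if __name__ == "__main__":
    print(single_port_scanners(SAMPLE_LOG))
    print(probed_hosts(SAMPLE_LOG))
```

Any address returned by `probed_hosts` that actually runs NetBackup is a candidate for the patch or workaround first.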
Nov 11th 2005