RE: Backup Agents

Run any popular backup agent binary through IDA and you'll see extensive potential for buffer overflow and format string attacks. This would provide the ability to gain full control of the localhost, and offer a straight shot to the server process running as root remotely. Not many people have studied the security implications of poorly coded, networked backup software; most discussions I've seen focus on firewall configurations for securing network communications, and not an application level attack.

-----Original Message-----
From: Philip Storry [mailto:phil@philipstorry.net] Sent: Monday, March 24, 2003 9:45 AM
To: vuln-dev@securityfocus.com
Subject: Re: Backup Agents

Hello Geo,

Thursday, March 20, 2003, 11:54:00 PM, you wrote:

G> Has anyone ever studied how secure backup agents are in the context G> of using them on web servers?

Or any other kind of server, for that matter.

G> Seems to me a backup agent is designed to get information (all
G> information) out of a system, so I was wondering if anyone had ever
G> researched how secure the connection between a backup server and a
G> machine running a backup agent is.

A good question. Most of the ones that I've seen have at least the facility for password authentication, if not username/password. But how string the implementations are is not something I could comment on.

G> How hard it would be to exploit the backup agent and that sort of G> thing.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

>From outside an organisation? The answer should be "very". To be
absolutely honest, access to this sort of thing should be blocked by the firewall. Most firewalls start by blocking everything, and then allow you to say what you will accept - that is to say that they effectively "whitelist" incoming traffic.

So webservers should only be allowing traffic that was established by a connection to port 80. Therefore, they should not be vulnerable to such attacks.

However, you have an interesting premise there. If you can get onto the network, I can certainly see how knowledge of a flaw in a backup agent could allow you to copy any file from any server you can contact that runs that backup agent. Which could be a huge disaster. But even more of a disaster is that such backup agents also offer restore facilities - so you could also overwrite any file you liked on the server.

A very interesting premise. ;-)

--
Best regards,
 Philip                            mailto:phil@philipstorry.net