Attacking Backup Software

By Nibin Varghese on 15 Feb 2012 @ Nullcon
#red-teaming #application-pentesting #security-testing
Focus Areas: Application Security, DevSecOps, Penetration Testing

Presentation Material

Abstract

Backup software is a valuable asset for any organization. It runs on a large number of systems in an enterprise, and its main function is to provide backup and recovery for the enterprise's critical data. Hosts that require backup services communicate with a backup server over the network. The server and client operate in one of two modes: a pull model, where the server connects to the client, or a push model, where the client connects to the server. If the communication between server and client is not validated properly, several attack vectors open up against this software. This paper explains an attack on Symantec backup software (CVE-2011-0546, BID:47824) in which a man-in-the-middle attack made it possible to steal information from host machines. The bug was very critical and complex, as it affected a major architectural flaw in how the application validated host machines before a backup operation was initiated.

AI Generated Summary

This research examines security vulnerabilities in enterprise backup software, focusing on the Network Data Management Protocol (NDMP) used by major vendors. The core finding is a critical design flaw in the NDMP authentication mechanism (CVE-2011-0546) that enables a man-in-the-middle (MITM) attack to steal backed-up data.

The vulnerability stems from NDMP’s reliance on a simple MD5 challenge-response authentication that does not cryptographically bind the authentication exchange to the server’s identity. An attacker positioned between a backup client and server can intercept and replay messages to impersonate the client to the server. A second, related weakness was discovered in the software’s “agent browser” component, which broadcasts a TCP packet containing the client’s hostname and IP address. This packet is accepted without source validation, allowing an attacker to spoof a legitimate client’s identity by broadcasting a packet with the victim’s hostname but the attacker’s IP address.

By combining these two flaws, an attacker can silently hijack a scheduled backup session. First, the attacker spoofs a valid client’s presence on the network. When the backup server initiates a connection to that client, the attacker intercepts it. The attacker then separately authenticates to the real backup server using the MITM technique, establishing a legitimate session. Finally, the attacker relays traffic between the server and the spoofed client, causing the server to transfer the victim’s data to the attacker’s machine under the guise of a normal backup operation.
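The design point above, that a challenge-response which hashes only the secret and the challenge can be relayed, while one that also covers the peer identity the client observed cannot, as an added toy model that is not from the talk and does not reproduce NDMP's actual wire format or hashing rule (the page does not give those); the secret, addresses and the HMAC-SHA256 binding are constructed for illustration:

```python
"""Toy model: unbound MD5 challenge-response versus an identity-bound
response. Simplified illustration only, not NDMP's real authentication."""
import hashlib
import hmac
import os

SHARED_SECRET = b"backup-agent-password"  # constructed sample secret
REAL_SERVER = "10.0.0.10"                  # constructed addresses
ATTACKER = "10.0.0.66"


def unbound_response(secret: bytes, challenge: bytes) -> bytes:
    """Depends only on the secret and the challenge, so it verifies
    at any peer that knows the challenge."""
    return hashlib.md5(secret + challenge).digest()


def bound_response(secret: bytes, challenge: bytes, peer_addr: str) -> bytes:
    """Also covers the address the client believes it is answering,
    so the answer only verifies at that peer (assumed binding scheme)."""
    return hmac.new(secret, challenge + peer_addr.encode(), hashlib.sha256).digest()


def relay_succeeds(bound: bool) -> bool:
    """Simulate the relay: the real server issues a challenge to the
    attacker; the attacker forwards it to the victim client from the
    attacker's own address; the client's answer is relayed back to the
    real server. Returns True if the server accepts the relayed answer."""
    challenge = os.urandom(16)  # issued by the real server
    if bound:
        # The victim answers the peer it actually sees: the attacker.
        answer = bound_response(SHARED_SECRET, challenge, ATTACKER)
        expected = bound_response(SHARED_SECRET, challenge, REAL_SERVER)
    else:
        answer = unbound_response(SHARED_SECRET, challenge)
        expected = unbound_response(SHARED_SECRET, challenge)
    return hmac.compare_digest(answer, expected)


if __name__ == "__main__":
    print("unbound MD5 challenge-response, relayed:", relay_succeeds(bound=False))
    print("identity-bound HMAC response, relayed:  ", relay_succeeds(bound=True))
```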

The practical implication is that backup infrastructures, which hold critical organizational data and are typically highly trusted, can be compromised without traditional network attacks like ARP poisoning. The attack requires only the ability to monitor network traffic and spoof a single broadcast packet. The vulnerability was privately disclosed and patched by the vendor over a year after discovery, highlighting the systemic risk in protocol design and the lengthy remediation cycle for architectural flaws in enterprise software. The proof-of-concept tool demonstrates that data exfiltration is possible without code execution on the target systems.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.